#1
yet another - US-CERT Technical Cyber Security Alert TA09-051A -- Adobe Acrobat and Reader Vulnerability
Here we go again, another Adobe Reader vulnerability.... NOTE that JAVA is instrumental in this vulnerability... and note the reg entry modification if you are still using Adobe Reader.

NOTE: the regedit example is for NT/XP/VISTA [version 5 - - 9X = REGEDIT4]

IF you need an alternative and are willing to give up all the nifty functions{vulnerabilities} of Adobe or even Foxit, you can try SumatraPDF [plain pdf viewing with primitive interface, and may not open all pdf versions or formats].

National Cyber Alert System
Technical Cyber Security Alert TA09-051A

Adobe Acrobat and Reader Vulnerability

Original release date: February 20, 2009
Last revised: --
Source: US-CERT

Systems Affected

* Adobe Reader version 9 and earlier
* Adobe Acrobat (Professional, 3D, and Standard) version 9 and earlier

Overview

Adobe has released Security Bulletin APSB09-01, which describes a vulnerability that affects Adobe Reader and Acrobat. This vulnerability could allow a remote attacker to execute arbitrary code.

I. Description

Adobe Security Bulletin APSB09-01 describes a memory-corruption vulnerability that affects Adobe Reader and Acrobat. Further details are available in Vulnerability Note VU#905281.

An attacker could exploit these vulnerabilities by convincing a user to load a specially crafted Adobe Portable Document Format (PDF) file. Acrobat integrates with popular web browsers, and visiting a website is usually sufficient to cause Acrobat to load PDF content.

II. Impact

An attacker may be able to execute arbitrary code.

III. Solution

Disable JavaScript in Adobe Reader and Acrobat

Disabling Javascript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu (Edit - Preferences - JavaScript and un-check Enable Acrobat JavaScript).

Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00

Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser will partially mitigate this vulnerability. If this workaround is applied it may also mitigate future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser, do the following:

1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

IV. References

* Adobe Security Bulletin apsa09-01 - http://www.adobe.com/support/security/advisories/apsa09-01.html
* Securing Your Web Browser - http://www.us-cert.gov/reading_room/securing_browser/
* Vulnerability Note VU#905281 - http://www.kb.cert.org/vuls/id/905281

____________________________________________________________________

The most recent version of this document can be found at: http://www.us-cert.gov/cas/techalerts/TA09-051A.html

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA09-051A Feedback VU#905281" in the subject.

____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.

____________________________________________________________________

Produced 2009 by US-CERT, a government organization.

Terms of use: http://www.us-cert.gov/legal.html

____________________________________________________________________

Revision History

February 20, 2009: Initial release
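A way to check whether the EditFlags workaround in the alert above has actually taken effect, as an added example that is not part of the original post or of US-CERT's text: it parses a registry export in either header format mentioned in the post (Version 5.00 or REGEDIT4) and reports, per AcroExch.Document ProgID, whether the open-without-prompt bit is still set. The sample exports are constructed, the function names are hypothetical, the bit name and value (FTA_OpenIsSafe, 0x00010000) come from the Windows SDK rather than from this page, and matching ProgIDs other than AcroExch.Document.7 is an assumption.

```python
import re

# EditFlags bit that marks a file type as safe to open after download without
# a prompt. Name and value are from the Windows SDK FILETYPEATTRIBUTEFLAGS
# enum, not from the advisory, which only gives the all-zero target value.
FTA_OPEN_IS_SAFE = 0x00010000
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
# Assumption: other Reader/Acrobat installs use the same ProgID stem.
ACRO_KEY = re.compile(r"^HKEY_CLASSES_ROOT\\(AcroExch\.Document(?:\.\d+)?)$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg(text):
    """Parse .REG export text into {key_path: {value_name: raw_data}}.

    Version 5.00 exports are UTF-16 on disk; decode the file before calling.
    """
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("not a .REG export (missing REGEDIT4 / Version 5.00 header)")
    keys, current, pending = {}, None, ""
    for ln in lines[1:]:
        if ln.endswith("\\"):            # long hex values continue on the next line
            pending += ln[:-1]
            continue
        ln, pending = pending + ln, ""
        if ln.startswith("[") and ln.endswith("]"):
            current = keys.setdefault(ln[1:-1], {})
        elif current is not None:
            m = VALUE_LINE.match(ln)     # the default value ("@=...") is skipped
            if m:
                current[m.group(1)] = m.group(2).strip()
    return keys


def decode_editflags(raw):
    """Return EditFlags as an int from 'hex:..' (little-endian bytes) or 'dword:..'."""
    kind, _, data = raw.partition(":")
    kind = kind.lower()
    if kind == "dword":
        return int(data, 16)
    if kind == "hex":
        octets = bytes(int(b, 16) for b in data.split(",") if b.strip())
        return int.from_bytes(octets[:4].ljust(4, b"\x00"), "little")
    raise ValueError("unexpected EditFlags type: " + raw)


def audit(text):
    """List (progid, flags, state) for every AcroExch.Document key in the export."""
    findings = []
    for path, values in parse_reg(text).items():
        m = ACRO_KEY.match(path)
        if not m:
            continue
        raw = next((v for k, v in values.items() if k.lower() == "editflags"), None)
        if raw is None:
            findings.append((m.group(1), None, "no EditFlags value"))
            continue
        flags = decode_editflags(raw)
        state = "auto-open" if flags & FTA_OPEN_IS_SAFE else "prompts"
        findings.append((m.group(1), flags, state))
    return findings


# Constructed sample exports (not taken from a real machine).
SAMPLE_V5 = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.pdf]
@="AcroExch.Document.7"

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,01,00

[HKEY_CLASSES_ROOT\AcroExch.Document]
"EditFlags"=dword:00000000
"""

SAMPLE_9X = r"""REGEDIT4

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,\
  00,00
"""

if __name__ == "__main__":
    for name, sample in (("v5 export", SAMPLE_V5), ("REGEDIT4 export", SAMPLE_9X)):
        for progid, flags, state in audit(sample):
            print(name, progid, flags, state)
```
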
#2
MEB wrote:

> Here we go again, another Adobe Reader vulnerability....

And as usual, I'm very suspicious about win-98 vulnerability, especially when the most specific information being published so far is this:

"A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions."

Unless Adobe (or someone else) confirms that Acrobat 6 is vulnerable, then I'm going to assume it's not. I don't think that Acrobat 7, 8 or 9 runs on 98.

Adobe has announced updates will be made available for 7, 8 and 9, but is silent about 6.

I've been looking for example code, (milworm, etc) but haven't seen any.

> NOTE that JAVA is instrumental in this vulnerability...

I've been running NoScript for about 6 months on one win-98 PC, and in general have found it a real pain. I end up "enabling all" on any web page that gives me the slightest hint of operability problems. In particular, NoScript ALWAYS prevents downloading / viewing of any PDF file (not sure why).
#4
"98 Guy" wrote in message ...

> MEB wrote:
>
>> Here we go again, another Adobe Reader vulnerability....
>
> And as usual, I'm very suspicious about win-98 vulnerability, especially when the most specific information being published so far is this:
>
> "A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions."
>
> Unless Adobe (or someone else) confirms that Acrobat 6 is vulnerable, then I'm going to assume it's not. I don't think that Acrobat 7, 8 or 9 runs on 98.
>
> Adobe has announced updates will be made available for 7, 8 and 9, but is silent about 6.

The silence holds, because, as everywhere, you aren't supposed to be using it. Readers beyond 6 attempted to correct the inherent vulnerabilities and issues found in Reader 6, and added their own...

Doesn't make much sense to just ignore the ^6 vulnerabilities,,, just because no one specifically includes an outdated and unsupported Reader [support stopped several years ago...] in their warnings by specific mention.

The JAVA included and supported activities are what make the 6 [and above] version vulnerable [among the other potentials].

It would be like using Sun's earlier JAVA versions filled with well known vulnerabilities, and expecting to be protected. You are more protected using Microsoft's limited default version, because it doesn't support all the new aspects of the newer JAVA coding, hence the newer vulnerabilities and attacks *can't* work. Of course, that also limits what DOES work [sitewise] as well. You certainly can't expect going to a heavy JAVA scripted site and expect to view the movies, run the games, or the other, that require a newer JAVA version just to function.

> I've been looking for example code, (milworm, etc) but haven't seen any.
>
>> NOTE that JAVA is instrumental in this vulnerability...
>
> I've been running NoScript for about 6 months on one win-98 PC, and in general have found it a real pain. I end up "enabling all" on any web page that gives me the slightest hint of operability problems. In particular, NoScript ALWAYS prevents downloading / viewing of any PDF file (not sure why).

The PDF format [Reader 6 and up] is KNOWN for the ability to hold scripting, JAVA, VBS, and other attack possibilities.

No Script is designed to limit activities to a *specific SITE* in the **BROWSER** [Firefox and Opera - yes supposedly installable], off site activities must be *individually allowed*. It also attempts to block other potential issues, so if you need something else, try setting up the Options... or uninstall it...

Most sensible people advise DOWNLOADING the PDF and viewing WHILE OFF LINE to potentially block some of the hacks now used within PDFs.

--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______
#6
You're saying that Foxit is no more secure than Adobe?

--
DaffyD®

If I Knew Where I Was I'd Be There Now.

"MEB" MEB@not@here wrote in message ...

> Here we go again, another Adobe Reader vulnerability.... NOTE that JAVA is instrumental in this vulnerability... and note the reg entry modification if you are still using Adobe Reader.
>
> NOTE: the regedit example is for NT/XP/VISTA [version 5 - - 9X = REGEDIT4]
>
> IF you need an alternative and are willing to give up all the nifty functions{vulnerabilities} of Adobe or even Foxit, you can try SumatraPDF [plain pdf viewing with primitive interface, and may not open all pdf versions or formats].
#8
MEB wrote:

>>> Here we go again, another Adobe Reader vulnerability....
>>
>> And as usual, I'm very suspicious about win-98 vulnerability
>>
>> Adobe has announced updates will be made available for 7, 8 and 9, but is silent about 6.
>
> The silence holds, because, as everywhere, you aren't supposed to be using it. Readers beyond 6 attempted to correct the inherent vulnerabilities and issues found in Reader 6, and added their own...

What vulnerabilities?

Secunia lists 11 vulnerabilities for Acrobat 6:

http://secunia.com/advisories/produc...ask=advisories

10 of them have been patched (the 11'th has no real security implications). The last one patched was Jan/2007.

If there have been other confirmed Acrobat 6 vulnerabilities announced after Jan 2007, then please post the details here.

> Doesn't make much sense to just ignore the ^6 vulnerabilities,,, just because no one specifically includes an outdated and unsupported Reader [support stopped several years ago...] in their warnings by specific mention.

The strength of an outdated version is that vulnerabilities found in newer versions may not apply to it. When developers create new versions of anything, as we know, they usually create a range of new vulnerabilities that the old versions will simply not have.

Most likely, because this issue is fundamentally a JAVA-triggered problem, I presume that a pending JRE update will eliminate the Acrobat vulnerability, and any question as to whether or not Acrobat 6 is affected will be moot.

And BTW, there are only 3 issues (including this recent issue) that affect Acrobat 7, 8 and 9 that are not listed for Acrobat 6. All 3 issues seem to be JavaScript mediated. Again, I presume that updates to the JRE have (or will) be performed to eliminate those vectors, in which case they will find their way into JRE 5.x versions (which are still being released, and which are still win-98 compatible).
#10
Uhmm, JRE huh, Adobe Reader uses its own hacks and internal authorizations...

So how many new vulnerabilities do you find listed for Windows 98 on Secunia? [Think before you answer]

--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______

"98 Guy" wrote in message ...

> MEB wrote:
>
>>>> Here we go again, another Adobe Reader vulnerability....
>>>
>>> And as usual, I'm very suspicious about win-98 vulnerability
>>>
>>> Adobe has announced updates will be made available for 7, 8 and 9, but is silent about 6.
>>
>> The silence holds, because, as everywhere, you aren't supposed to be using it. Readers beyond 6 attempted to correct the inherent vulnerabilities and issues found in Reader 6, and added their own...
>
> What vulnerabilities?
>
> Secunia lists 11 vulnerabilities for Acrobat 6:
>
> http://secunia.com/advisories/produc...ask=advisories
>
> 10 of them have been patched (the 11'th has no real security implications). The last one patched was Jan/2007.
>
> If there have been other confirmed Acrobat 6 vulnerabilities announced after Jan 2007, then please post the details here.
>
>> Doesn't make much sense to just ignore the ^6 vulnerabilities,,, just because no one specifically includes an outdated and unsupported Reader [support stopped several years ago...] in their warnings by specific mention.
>
> The strength of an outdated version is that vulnerabilities found in newer versions may not apply to it. When developers create new versions of anything, as we know, they usually create a range of new vulnerabilities that the old versions will simply not have.
>
> Most likely, because this issue is fundamentally a JAVA-triggered problem, I presume that a pending JRE update will eliminate the Acrobat vulnerability, and any question as to whether or not Acrobat 6 is affected will be moot.
>
> And BTW, there are only 3 issues (including this recent issue) that affect Acrobat 7, 8 and 9 that are not listed for Acrobat 6. All 3 issues seem to be JavaScript mediated. Again, I presume that updates to the JRE have (or will) be performed to eliminate those vectors, in which case they will find their way into JRE 5.x versions (which are still being released, and which are still win-98 compatible).