Archive for May 3, 2009

PDF Adobe Reader Zero Day

Adobe Reader has two vulnerable JavaScript functions, getAnnots() and spell.customDictionaryOpen(), that could allow a remote attacker to execute arbitrary code on the system. PoCs were published here.

PSIRT blogged an update saying that this vulnerability is still under investigation and updates will be available by 12th May:

We are in the process of fixing the issue, and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th, 2009.

Adobe Released Security Bulletin

Release date: May 1, 2009

Vulnerability identifier: APSA09-02

CVE number: CVE-2009-1492, CVE-2009-1493

Platform: All Platforms

Mac users are affected by this vulnerability, and as usual the best recommendation is to disable JavaScript if you are using Adobe Reader. Please follow the instructions here.
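Until the update is available, incoming PDFs can be triaged for the two function names from the bulletin. The following is an added example, not code from this post or from Adobe: it inflates FlateDecode streams before searching, since scripts are usually stored compressed. The names triage_pdf and build_sample and the sample bytes are constructed for illustration.

```python
import re
import zlib

# Function names as given in the advisory text above.
SUSPECT_CALLS = (b"getAnnots", b"customDictionaryOpen")
# PDF name tokens that introduce a JavaScript action.
JS_MARKERS = (b"/JavaScript", b"/JS")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate(data):
    """Inflate a FlateDecode stream body; return None if it is not zlib data."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return None


def triage_pdf(raw):
    """Report JavaScript markers and the advisory's function names in a PDF.

    Looks at the raw bytes and at every stream body that inflates cleanly.
    Other filters, encryption and script obfuscation are not handled, so an
    empty result does not clear a file.
    """
    bodies = [raw]
    for match in STREAM_RE.finditer(raw):
        inflated = _inflate(match.group(1))
        if inflated is not None:
            bodies.append(inflated)
    blob = b"\n".join(bodies)
    return {
        "has_javascript": any(marker in blob for marker in JS_MARKERS),
        "suspect_calls": sorted(c.decode() for c in SUSPECT_CALLS if c in blob),
    }


def build_sample(script_text):
    """Constructed PDF-like input: a /JS action pointing at one compressed stream."""
    body = zlib.compress(script_text)
    head = b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n2 0 obj\n"
    meta = b"<< /Filter /FlateDecode /Length " + str(len(body)).encode() + b" >>\n"
    return head + meta + b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    # Constructed sample: the stream holds only a comment naming the function.
    print(triage_pdf(build_sample(b"// inert comment naming getAnnots")))
```

A hit means the file deserves a closer look in an isolated environment; it is not proof of an exploit, because legitimate forms can call these functions too.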