Copyright © 2008 Adobe Systems Incorporated. All rights reserved.
Use of this website signifies your agreement to the Terms of Use and Online Privacy Policy (updated 03-30-2007).
Search powered by Powered by Google
Release date: February 7, 2008
Vulnerability identifier: APSA08-01
CVE number: CVE-2008-0667, CVE-2007-5666, CVE-2007-5659, CVE-2007-5663, CVE-2008-0726, CVE-2008-0655
Platform: All platforms
Adobe Reader 8.1.1 and earlier versions
Adobe Acrobat Professional, 3D and Standard 8.1.1 and earlier versions
Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Acrobat 8 and Adobe Reader install the 8.1.2 update to protect themselves from potential vulnerabilities.
Acrobat and Adobe Reader 7.0.9 and earlier versions are also affected by these vulnerabilities.
Adobe is planning to release an update to Adobe Reader and Acrobat 7 by the end of May 2008 to resolve these security issues in those versions of the products. Adobe will provide further information regarding undisclosed vulnerabilities via the company's Security Bulletins and Advisories page (http://www.adobe.com/support/security/) once updates are available for all affected versions of Acrobat and Adobe Reader.
Adobe recommends Adobe Reader 7 and 8 users update to Adobe Reader 8.1.2, available here:
http://www.adobe.com/go/getreader
Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.2, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3849
Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.2, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3856
Adobe recommends Acrobat 3D version 8 users on Windows update to Acrobat 3D version 8.1.2, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3850
Acrobat 7 users and Adobe Reader 7 users who cannot update to version 8.1.2 can disable JavaScript to avoid these issues (with the exception of CVE-2007-5666) by following these steps:
Adobe is planning to release an update to Adobe Reader and Acrobat 7 by the end of May 2008 to resolve the relevant security issues. A security bulletin will be published on http://www.adobe.com/support/security as soon as that update is available.
All documented security vulnerabilities and their solutions are distributed through the Adobe security notification service. You can sign up for the service at the following URL: http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert
Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Acrobat and Adobe Reader 8 install the 8.1.2 update to protect themselves from potential vulnerabilities.
This update resolves an input validation issue in several JavaScript methods that could potentially lead to remote code execution. (CVE-2007-5659)
NOTE: there are reports that this issue is being exploited
This update resolves an issue with an insecure JavaScript method that could potentially lead to remote code execution (CVE-2007-5663)
This update resolves an integer overflow issue in a JavaScript function that could potentially allow remote code execution. (CVE-2008-0726)
This update resolves a design flaw which could allow a specially crafted file to be printed silently an arbitrary number of times. (CVE-2008-0655)
NOTE: for customers who cannot update to Adobe Reader 8.1.2 or Acrobat 8.1.2, workarounds for the above issues are provided under the ‘Solution’ section.
This update resolves an issue that could allow a local user to execute arbitrary code by overwriting a local file. (CVE-2007-5666)
Adobe categorizes this as a critical issue and recommends that users apply the update for their product installations.
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers' security:
- Tavis Ormandy and Will Drewry of the Google Security Team
- cocoruder of Fortinet Security Research Team (CVE-2008-0655)
- Greg MacManus of iDefense Labs (CVE-2007-5659, CVE-2007-5663, CVE-2007-5666)
- Paul Craig of Security-Assessment.com
- An anonymous researcher reported through TippingPoint's Zero Day Initiative (CVE-2008-0726)
February 20, 2008 – Advisory updated with vulnerability information and timeline for Acrobat and Adobe Reader 7 update
February 12, 2008 – Advisory updated
February 7, 2008 – Advisory first created
Copyright © 2008 Adobe Systems Incorporated. All rights reserved.
Use of this website signifies your agreement to the Terms of Use and Online Privacy Policy (updated 03-30-2007).
Search powered by Powered by Google