Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Adobe Reader and Acrobat Security Updates SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Adobe Reader and Acrobat Security Updates

Adobe released important security updates for Adobe Reader X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh OS. The bulletin is posted here.

"CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing."[1]


Affected software:

Adobe Reader X (10.0.1) and earlier versions for Windows
Adobe Reader X (10.0.2) and earlier versions for Macintosh
Adobe Acrobat X (10.0.2) and earlier versions for Windows and Macintosh

NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by CVE-2011-0611.


[1] http://www.adobe.com/support/security/bulletins/apsb11-08.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

 Guy

478 Posts
ISC Handler
Apr 21st 2011
Subscribe Apr 21st 2011
9 years ago
Regardless where I look, the latest version of Adobe Reader available for download for Windows 7 seems to be 10.0.1. Check for updates within as well as the Adobe Reader http download site AND the ftp site all show 10.0.1 as the most recent version. The FTP site shows Feb 8, 2011 as the most recent Reader X file (version 10.0.1)
What am I missing here?
 Anonymous
Quote Apr 21st 2011
9 years ago
The Adobe web site says that Reader X for Windows will not be patched until June:

"Because Adobe Reader X (10.x) Protected Mode would prevent an exploit of this kind from executing, we are planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011"
 Anonymous
Quote Apr 21st 2011
9 years ago
My bad -- I stopped reading the bulletin at, "Adobe recommends users of Adobe Acrobat X (10.0.2) for Windows" and went looking for it. Who'd expect Adobe to recommend 10.0.2 when it did not yet exist?
Anonymous
Quote Apr 21st 2011
9 years ago
Acrobat X 10.0.2 is the version for Standard and Professional, not the reader. There is an update for Standard and Professional, which takes them to 10.0.3. 10.0.1 remains the latest version for the free reader.
 Joey

18 Posts
Quote Apr 22nd 2011
9 years ago
Joey is right, but that announcement from Adobe is hardly a model of clarity. Probably the work of an Ivy League graduate :p
 Joey
7 Posts
Quote Apr 22nd 2011
9 years ago

Sign Up for Free or Log In to start participating in the conversation!