Multi-Platform Adobe Acrobat vulnerability exploited

February 23, 2009

To paraphrase from more detailed sources ( and

A CERT Critical Infrastructure Notice was issued on Friday, February 20, to notify the community that an open vulnerability has been announced and exploited in version 9 of Adobe Acrobat and Acrobat Reader.

The exploit can be delivered in the form of maliciously crafted *.pdf files, either as emailed attachments or as downloads available from web sites. The maliciously crafted .pdf contains JavaScript that calls a malware distribution server and invites malware and rootkits onto the compromised system.

Adobe has announced a patch for this vulnerability that will not be released until March 10, 2009. To mitigate the effects of this exploit, users should not open PDFs from untrusted sources, and should disable the JavaScript function in Acrobat and Reader. We also recommend disabling the automatic display of PDF documents within the web browser (instructions after the jump):


To disable JavaScript in Adobe Reader and Acrobat:
o Disabling JavaScript may prevent this vulnerability from being exploited. Acrobat JavaScript can be disabled in the General preferences dialog (Edit -> Preferences -> JavaScript, then un-check Enable Acrobat JavaScript).

To disable the displaying of PDF documents in the web browser:
o Preventing PDF documents from opening inside a web browser may mitigate this vulnerability. If this workaround is applied to updated versions of the Adobe Reader, it may mitigate future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.

To prevent Internet Explorer from automatically opening PDF documents:
o The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00

• Do not access PDF documents from untrusted sources

Posted by Ruth Cannon at 09:56 AM

