-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2009.0546 -- [Win][Mac][OSX]
            Adobe Reader and Acrobat: Multiple Vulnerabilities
                               11 June 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Adobe Reader
                      Adobe Acrobat
Publisher:            Adobe
Operating System:     Windows
                      Mac OS X
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-1861 CVE-2009-1859 CVE-2009-1858
                      CVE-2009-1857 CVE-2009-1856 CVE-2009-1855
                      CVE-2009-0889 CVE-2009-0888 CVE-2009-0512
                      CVE-2009-0511 CVE-2009-0510 CVE-2009-0509
                      CVE-2009-0198

Original Bulletin:    
  http://www.adobe.com/support/security/bulletins/apsb09-07.html

Comment: While we are not aware of active exploitation of these
         vulnerabilities, CVE-2009-1858 involving the JBIG2
         filter is a component that has been exploited in the
         past.

Revision History:     June 11 2009: Document number changed from 
                                    ESB-2009.0703 to ESB-2009.0546
                      June 10 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Updates available for Adobe Reader and Acrobat

Release date: June 9, 2009

Vulnerability identifier: APSB09-07

CVE number: CVE-2009-0198, CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, 
            CVE-2009-0512, CVE-2009-0888, CVE-2009-0889, CVE-2009-1855, 
            CVE-2009-1856, CVE-2009-1857, CVE-2009-1858, CVE-2009-1859, 
            CVE-2009-1861

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and 
Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the 
application to crash and could potentially allow an attacker to take control 
of the affected system.

Adobe recommends users of Adobe Reader 9 and Acrobat 9 and earlier versions 
update to Adobe Reader 9.1.2 and Acrobat 9.1.2. Adobe recommends users of 
Acrobat 8 update to Acrobat 8.1.6, and users of Acrobat 7 update to Acrobat 
7.1.3. For Adobe Reader users who can't update to Adobe Reader 9.1.2, Adobe 
has provided the Adobe Reader 8.1.6 and Adobe Reader 7.1.3 updates.  Updates 
apply to Windows and Macintosh.  Security updates for Adobe Reader on the 
UNIX platform will be available on June 16, 2009; this Bulletin will be 
updated to reflect their availability on that date.

This update incorporates the initial output of code hardening efforts 
discussed in a May 20 Adobe ASSET (Adobe Secure Software Engineering Team) 
blog post, as well as externally reported issues, as detailed below.

Affected software versions

Adobe Reader 9.1.1 and earlier versions
Adobe Acrobat Standard, Pro, and Pro Extended 9.1.1 and earlier versions

Solution

Adobe Reader

Adobe Reader users on Windows can find the appropriate update here: 
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can find the appropriate update here: 
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Acrobat

Acrobat Standard, Pro and Pro Extended users on Windows can find the 
appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

Severity rating

Adobe categorizes this as a critical update and recommends that users apply 
the update for their product installations.

Details

Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and 
Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the 
application to crash and could potentially allow an attacker to take control 
of the affected system.

Adobe recommends users of Adobe Reader and Acrobat update their product 
installations to versions 9.1.2, 8.1.6, or 7.1.3 using the instructions 
above to protect themselves from potential vulnerabilities.  The above 
updates apply to Windows and Macintosh. Security updates for Adobe Reader on 
the UNIX platform will be available on June 16, 2009; this Bulletin will be 
updated to reflect their availability on that date.
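The paragraph above gives three fixed builds (9.1.2, 8.1.6, 7.1.3) and says
everything below them on the same branch is affected. The script below turns
that into a patch-compliance check over a software inventory. It is an added
example, not code from Adobe's bulletin or from AusCERT; the fixed versions are
the ones stated in the bulletin, while the CSV layout (host,product,version)
and the host rows are constructed sample data.

```python
"""Affected-version check against the APSB09-07 fixed builds.

Added example; not code from Adobe's bulletin or AusCERT's redistribution.
The fixed versions (9.1.2, 8.1.6, 7.1.3) are the ones the bulletin states;
the CSV inventory format and the host rows below are constructed sample data.
"""
from __future__ import annotations

import csv
import io

# Fixed build per major branch, as stated in the bulletin.
FIXED_VERSIONS: dict[int, tuple[int, ...]] = {
    9: (9, 1, 2),
    8: (8, 1, 6),
    7: (7, 1, 3),
}
# Branches older than 7 have no fixed build in this bulletin; the bulletin's
# general recommendation for "earlier versions" is to move to 9.1.2.
DEFAULT_TARGET = FIXED_VERSIONS[9]


def parse_version(text: str) -> tuple[int, ...]:
    """'9.1.1' -> (9, 1, 1). Pads to three components so '9.1' compares as 9.1.0."""
    parts = [int(p) for p in text.strip().split(".") if p]  # ValueError on junk
    if not parts:
        raise ValueError(f"empty version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def assess(version: str) -> tuple[str, str | None]:
    """Classify one installed version against the bulletin.

    Returns (status, target): status is 'affected', 'patched' or
    'newer_than_bulletin'; target is the build to move to when affected.
    """
    installed = parse_version(version)
    major = installed[0]
    if major > 9:
        # The bulletin covers 9.1.1 and earlier; later branches are out of scope.
        return ("newer_than_bulletin", None)
    fixed = FIXED_VERSIONS.get(major, DEFAULT_TARGET)
    if installed >= fixed:
        return ("patched", None)
    return ("affected", ".".join(str(n) for n in fixed))


def triage_inventory(csv_text: str) -> list[tuple[str, str, str, str]]:
    """Return (host, product, installed, target) for rows still below their fixed build."""
    needs_update = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status, target = assess(row["version"])
        if status == "affected":
            needs_update.append((row["host"], row["product"], row["version"], target))
    return needs_update


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY_CSV = """\
host,product,version
ws-01,Adobe Reader,9.1.1
ws-02,Adobe Reader,9.1.2
ws-03,Adobe Acrobat Pro,8.1.5
ws-04,Adobe Reader,7.1.3
ws-05,Adobe Reader,6.0.1
"""

if __name__ == "__main__":
    for host, product, installed, target in triage_inventory(INVENTORY_CSV):
        print(f"{host}: {product} {installed} -> update to {target}")
```

Versions are compared as integer tuples rather than strings so that 9.1.10
would sort above 9.1.2, and a missing third component is treated as zero. The
check is branch-aware: an 8.x install is reported against 8.1.6, not against
9.1.2, because the bulletin offers 8.1.6 and 7.1.3 for users who cannot move
to 9.1.2.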

This update resolves a stack overflow vulnerability that could potentially 
lead to code execution (CVE-2009-1855).

This update resolves an integer overflow that leads to a Denial of Service 
(DoS); arbitrary code execution has not been demonstrated, but may be 
possible (CVE-2009-1856).

This update resolves a memory corruption vulnerability that leads to a 
Denial of Service (DoS); arbitrary code execution has not been demonstrated,
but may be possible (CVE-2009-1857).

This update resolves a memory corruption vulnerability in the JBIG2 filter 
that could potentially lead to code execution (CVE-2009-1858).

This update resolves a memory corruption vulnerability that could 
potentially lead to code execution (CVE-2009-1859).

This update resolves a memory corruption vulnerability in the JBIG2 filter 
that leads to a Denial of Service (DoS); arbitrary code execution has not 
been demonstrated, but may be possible (CVE-2009-0198).

This update resolves multiple heap overflow vulnerabilities in the JBIG2 
filter that could potentially lead to code execution (CVE-2009-0509, 
CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889).

This update resolves multiple heap overflow vulnerabilities that could 
potentially lead to code execution (CVE-2009-1861).

Additionally, this update resolves Adobe internally discovered issues.

- --------------------------END INCLUDED TEXT--------------------
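Several of the issues in the Details section (CVE-2009-1858, CVE-2009-0198,
CVE-2009-0509 through CVE-2009-0512, CVE-2009-0888, CVE-2009-0889) sit in the
JBIG2 filter, and the AusCERT comment notes that filter has been exploited
before. While endpoints are being brought up to 9.1.2/8.1.6/7.1.3, a mail
gateway or incident-response script can at least identify which incoming PDFs
invoke that code path at all. The scanner below is an added example, not code
from Adobe or AusCERT: it reports the stream objects whose /Filter entry names
JBIG2Decode, after decoding the #xx name escapes the PDF syntax allows, so that
matching does not depend on how the name was spelled. The two PDF byte strings
at the bottom are constructed minimal samples.

```python
"""Triage scan for PDFs that declare the JBIG2Decode filter.

Added example; not code from Adobe's bulletin or AusCERT's redistribution.
The two PDF byte strings at the bottom are constructed, minimal samples.
"""
from __future__ import annotations

import re

# PDF name objects may write any character as #xx (ISO 32000-1, 7.3.5), so
# decode those escapes before matching; otherwise /JBIG2#44ecode would be missed.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# "N G obj ... endobj": one indirect object body (lazy, stops at the first endobj).
_OBJECT = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# The 'stream' keyword that opens a stream body; \b keeps it out of 'endstream'.
_STREAM_KW = re.compile(rb"\bstream\b")
# /Filter value: a single name or an array of names.
_FILTER = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[^\s/\[\]<>(){}%]+)")
_NAME = re.compile(rb"/([^\s/\[\]<>(){}%]+)")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so a name matches regardless of how it was spelled."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def stream_filters(pdf: bytes) -> dict[int, list[bytes]]:
    """Map object number -> filter names declared on that object's stream dictionary.

    Only objects that carry a stream are reported; objects without one are skipped.
    """
    data = normalize_names(pdf)
    filters: dict[int, list[bytes]] = {}
    for obj in _OBJECT.finditer(data):
        body = obj.group(3)
        kw = _STREAM_KW.search(body)
        if kw is None:
            continue
        dictionary = body[: kw.start()]  # everything before the stream keyword
        fm = _FILTER.search(dictionary)
        filters[int(obj.group(1))] = _NAME.findall(fm.group(1)) if fm else []
    return filters


def triage(pdf: bytes) -> dict:
    """Summarize what a gateway rule or IR script would act on."""
    hits = [n for n, names in stream_filters(pdf).items() if b"JBIG2Decode" in names]
    return {
        "flag": bool(hits),
        "jbig2_objects": hits,
        # Objects packed into object streams (PDF 1.5+) are compressed and not
        # visible to this byte-level scan; a full parser is needed for those.
        "has_object_streams": b"/ObjStm" in normalize_names(pdf),
    }


# Constructed sample: a plain document whose only stream is Flate-compressed.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Length 5 /Filter /FlateDecode >>\nstream\nxxxxx\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: an image XObject that chains Flate and JBIG2 decoding,
# with the second filter name written using a #xx escape, plus a globals stream.
JBIG2_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /BitsPerComponent 1\n"
    b"   /ColorSpace /DeviceGray /Filter [ /FlateDecode /JBIG2#44ecode ]\n"
    b"   /DecodeParms [ null << /JBIG2Globals 5 0 R >> ] /Length 4 >>\n"
    b"stream\n\x00\x00\x00\x00\nendstream\nendobj\n"
    b"5 0 obj\n<< /Length 2 >>\nstream\n\x00\x00\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PDF), ("jbig2", JBIG2_PDF)):
        print(label, triage(sample))
```

This is a triage signal, not a verdict: JBIG2 is a legitimate bilevel image
codec, so a hit means "this file exercises the patched code path", which is
reason to route it through an updated reader or a sandbox rather than to block
it outright. The scan is byte-level and does not honour /Length, so binary
stream data that happens to contain keyword bytes can confuse it, and objects
held inside compressed object streams are not examined; the
`has_object_streams` field tells the operator when a real PDF parser is needed
to finish the job.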

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKMGdnNVH5XJJInbgRAhCgAKCD5jzHCKLuH55HoaBfG/mTmaz+SwCfew03
4bAMsNVZIloNEhLDQMrt/e4=
=KrUA
-----END PGP SIGNATURE-----