Thursday, February 18, 2010

New Adobe Reader vulnerability, open Adobe Reader -> Help -> Update.


A critical vulnerability has been identified in Adobe Reader 9.3 and Acrobat 9.3 for Windows, Macintosh and UNIX, [...] As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users [...] update to Adobe Reader 9.3.1.

Note that this allows any website you visit to take over your machine. It is not required that you, e.g., open a bad PDF file that was emailed to you; websites embed evil PDFs all the time (especially hacked websites).

SecBrowsing does not track Adobe Reader yet because its version is not exposed in the browser. So please go ahead and update Adobe Reader manually:
  • Launch Adobe Reader
  • Help
  • Check for Updates