__________________________________________________________

              The U.S. Department of Energy
           Cyber Incident Response Capability

                        DOE-CIRC
__________________________________________________________

                    INFORMATION BULLETIN

        Security Update for Adobe Reader 8 and Acrobat 8
                         [apsb08-19]

November 6, 2008 14:00 GMT                                     Number T-020
______________________________________________________________________________

PROBLEM:       Critical vulnerabilities have been identified in Adobe Reader
               and Acrobat 8.1.2 and earlier versions. These vulnerabilities
               would cause the application to crash and could potentially
               allow an attacker to take control of the affected system.

PLATFORM:      Adobe Reader 8.1.2 and earlier versions
               Adobe Acrobat Professional, 3D and Standard 8.1.2 and earlier
               versions

DAMAGE:        DoS and could potentially allow an attacker to take control of
               the affected system.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. A remote intruder who can get a user to
ASSESSMENT:    open a malicious pdf file could run code as the logged-in user.
______________________________________________________________________________

CVSS 2         BASE SCORE:     5.1
               TEMPORAL SCORE: 4.0
               VECTOR:         (AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
______________________________________________________________________________

LINKS:         DOE-CIRC BULLETIN:
               http://doecirc.energy.gov/ciac/bulletins/t-020.shtml
               ORIGINAL BULLETIN:
               http://www.adobe.com/support/security/bulletins/apsb08-19.html
               CVE:
               http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
               CVE-2008-2992  CVE-2008-2549  CVE-2008-4812  CVE-2008-4813
               CVE-2008-4817  CVE-2008-4816  CVE-2008-4814  CVE-2008-4815
______________________________________________________________________________

[***** Start Adobe Security Advisory: apsb08-19 *****]

Security Update available for Adobe Reader 8 and Acrobat 8

Release date: November 4, 2008

Vulnerability identifier: APSB08-19

CVE number: CVE-2008-2992, CVE-2008-2549, CVE-2008-4812, CVE-2008-4813,
CVE-2008-4817, CVE-2008-4816, CVE-2008-4814, CVE-2008-4815

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Reader and Acrobat
8.1.2 and earlier versions. These vulnerabilities would cause the application
to crash and could potentially allow an attacker to take control of the
affected system. Adobe Reader 9 and Acrobat 9 are not vulnerable to these
issues. Adobe recommends users of Acrobat 8 and Adobe Reader 8 who can’t
update to Adobe Reader 9 install the 8.1.3 update to protect themselves from
potential vulnerabilities.
Affected software versions

Adobe Reader 8.1.2 and earlier versions
Adobe Acrobat Professional, 3D and Standard 8.1.2 and earlier versions

Solution

Adobe Reader

Adobe recommends Adobe Reader users update to Adobe Reader 9, available here:
http://www.adobe.com/go/getreader

Users with Adobe Reader 8.0 through 8.1.2, who can’t update to Adobe Reader 9,
should update to Adobe Reader 8.1.3:
http://www.adobe.com/go/getreader

Acrobat 8

Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.3, available
here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.3,
available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D
Version 8.1.3, available here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows

Severity rating

Adobe categorizes this as a critical issue and recommends that users apply the
update for their product installations.

Details

Critical vulnerabilities have been identified in Adobe Reader and Acrobat
8.1.2 and earlier versions. These vulnerabilities would cause the application
to crash and could potentially allow an attacker to take control of the
affected system. Adobe recommends users of Acrobat and Adobe Reader update
their product installations using the instructions above to protect
themselves from potential vulnerabilities.

This update resolves multiple input validation errors that could potentially
lead to code execution. (CVE-2008-4812)

This update resolves multiple input validation issues that could potentially
lead to remote code execution. (CVE-2008-4813)

This update resolves an input validation issue in a JavaScript method that
could potentially lead to remote code execution.
(CVE-2008-2992)

An input validation issue in the Download Manager used by Adobe Reader that
could potentially lead to remote code execution during the download process
has been resolved. (CVE-2008-4817)

A Windows-only issue in the Download Manager used by Adobe Reader that could
lead to a user’s Internet Security options being changed during the download
process has been resolved. (CVE-2008-4816)

This update resolves an input validation issue in a JavaScript method that
could potentially lead to remote code execution. (CVE-2008-4814)

This update resolves a potential Unix-only privilege escalation issue.
(CVE-2008-4815)

This update resolves a publicly-published denial of service issue.
(CVE-2008-2549)

Acknowledgments

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers' security:

Greg MacManus of iDefense Labs (CVE-2008-4812)
Peter Vreugdenhil reported through TippingPoint's Zero Day Initiative, Dyon
Balding of Secunia Research, Will Dormann of CERT/CC, Damian Frizza of Core
Security Technologies, and Greg MacManus of iSIGHT Partners Labs
(CVE-2008-2992)
Peter Vreugdenhil reported through iDefense (CVE-2008-4817)
An anonymous contributor reported through iDefense (CVE-2008-4812)
Javier Vicente Vallejo reported through TippingPoint's Zero Day Initiative
(CVE-2008-4813)
Peter Vreugdenhil reported through TippingPoint's Zero Day Initiative
(CVE-2008-4813)
Thomas Garnier of SkyRecon Systems (CVE-2008-4814)
Josh Bressers of Red Hat (CVE-2008-4815)

[***** End Adobe Security Advisory: apsb08-19 *****]
_______________________________________________________________________________

DOE-CIRC wishes to acknowledge the contributions of Adobe for the information
contained in this bulletin.
_______________________________________________________________________________

DOE-CIRC provides the U.S.
Department of Energy with incident response, reporting, and tracking, along
with other computer security support. DOE-CIRC is a member of GFIRST, the
Government Forum of Incident Responders and Security Teams, and FIRST, an
international incident response and security organization. DOE-CIRC services
are available to DOE and DOE contractors.

DOE-CIRC can be contacted at:
    Voice:    +1 866-941-2472 (7x24)
    FAX:      +1 702-932-0189
    STU-III:  Call the voice number.
    E-mail:   doecirc@doecirc.energy.gov

Previous DOE-CIRC notices, anti-virus software, and other information are
available from the DOE-CIRC Computer Security Archive.
    World Wide Web: http://www.doecirc.energy.gov/

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive DOE-CIRC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with DOE-CIRC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor any agency
thereof, nor any of their employees, makes any warranty, express or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, apparatus, product or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial product, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or any agency thereof.
The views and opinions of originators expressed herein do not necessarily
state or reflect those of the United States Government or any agency thereof.

LAST 10 DOE-CIRC Bulletins

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update