Security Update for Adobe Reader, Acrobat

Adobe has issued a security update for its Adobe Acrobat and free Adobe Reader applications. The patch plugs a critical flaw that Adobe said attackers could leverage to take control of a vulnerable system.

The latest update, available here for both Microsoft Windows and Mac OS X systems, applies to the most recent versions of Acrobat and Reader (v. 8.1.2). It also plugs the vulnerability in the following Adobe products:

-Adobe Reader 7.0.9 and earlier
-Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
-Adobe Acrobat Professional, 3D and Standard 7.0.9 and earlier

If you have any of these products installed, take a moment now to update them. As the SANS Internet Storm Center rightly notes, malicious software writers have traditionally been quick to incorporate critical Adobe vulnerabilities into their creations, so it's probably best not to let any grass grow under your feet on this one.

By Brian Krebs |  June 25, 2008; 9:34 AM ET New Patches
Comments


Unfortunately Adobe hasn't provided instructions on how to verify that the patch is actually installed.

It would have been very helpful if they had updated the Help > About Adobe Reader 8 menu item.

Posted by: Romel | June 25, 2008 12:26 PM

Anyone know if there's an update for the linux port of Adobe Reader? Brian's article and the linked page on Adobe's site do not mention anything about linux versions, though Adobe says the vulnerability affects all platforms.

Posted by: HoCo | June 25, 2008 12:48 PM

According to Adobe, Linux isn't affected, but that is disputed by some bloggers, so go figure. You could just download the latest version of Adobe Reader and stay safe. Palonek Security Wiki http://www.paloneks.ca/

Posted by: Palonek | June 25, 2008 1:02 PM

@HoCo

I sent an E-mail to Adobe yesterday, asking the same question (is the Linux version affected?), but so far have no response. I sent a note to the SANS handlers' list, too, but no response there, either. (Is it something I said? ;-)

I am going to try Mr. Palonek's suggestion of downloading the latest Linux version. I have the Debian package that I originally used to install Adobe Reader 8.1.2, and I'll see if anything's different. That, of course, does not resolve the question of whether an update for the Linux version is needed, but it will determine whether downloading the latest version can make any difference. I'll let you know what I find out.


Posted by: Rich Gibbs | June 25, 2008 1:18 PM

@HoCo
I just downloaded the Debian package for Adobe Reader 8.1.2:

AdobeReader_enu-8.1.2-1.i386.deb

from Adobe's site. Using cmp(1), it's byte-wise identical to the version I downloaded back in February, so I very much doubt that anything has changed.

Posted by: Rich Gibbs | June 25, 2008 1:25 PM

@Rich Gibbs

Thanks for checking that out. So it looks like either this flaw does not affect linux versions of Reader, or Adobe just haven't gotten around to patching it yet. Unfortunately, the NIST site is currently unreachable (at least for me), so I can't hunt for additional info over there.

Posted by: HoCo | June 25, 2008 2:17 PM

Adobe has a history of updating products but not reflecting that change in their splash/about screen. They did this more than once on the unix side.

You can see the patch in Add/Remove programs if you check the "show updates" box.

Posted by: Zube | June 25, 2008 6:36 PM

From the Adobe bulletin:
>>Details
>>This update resolves an input validation issue in a JavaScript method that could potentially lead to remote code execution.

{sigh} Why not just disable JavaScript in Adobe Reader and be done with it?
http://www.kb.cert.org/vuls/id/788019

Posted by: Mark Odell | June 25, 2008 9:06 PM

@Mark Odell
"Why not just disable JavaScript in Adobe Reader and be done with it?"

As a general suggestion, that's a good idea, for the same reasons I use the NoScript extension in Firefox. Another alternative for garden-variety PDF viewing is to use a tool (like 'xpdf' on Linux) that doesn't support JavaScript at all. Brian Krebs regularly recommends using an alternative (Foxit Reader) to the elephantine Adobe Reader. I don't know whether it supports JavaScript or not; if not, that would be another good reason to make it one's default on Windows.

But this is not a complete solution for everyone. There are some PDF documents (interactive forms, commonly) that use JavaScript for legitimate purposes. For example, I'm the treasurer of a non-profit organization. There are forms that we have to file with the IRS that use JavaScript. My only alternative is to print the whole form (25+ pages) and fill it out by hand, which is not a particularly appealing prospect -- especially when it's something that has to be done regularly.

Posted by: Rich Gibbs | June 26, 2008 11:56 AM

@Zube

Many thanks for the tip about verifying patch installation.

Posted by: Romel | June 26, 2008 12:45 PM

Here's a little twist. The Secunia online scanner isn't recognizing the installation of the patch on two different Vista business stations here. The Adobe updater shows no updates available and the update is listed under installed updates in Windows.

Posted by: MCool | June 26, 2008 3:45 PM

Hi,

I have Adobe Reader 8.1.2 deployed via GPO in our Active Directory. Any hints how to deploy this patch with that GPO?

Posted by: Generic | June 27, 2008 4:49 PM

@Zube

Thank you very much.

I found the same problem that Romel did: no way to verify that the "Adobe Reader 8.1.2 Security Update 1" patch was actually installed.

Thanks to you, I learned to use the "show updates" box at "Add/Remove programs."

Thanks again.

Posted by: Hernan | June 27, 2008 8:37 PM

Rich,

>>Brian Krebs regularly recommends using an alternative (Foxit Reader) to the elephantine Adobe Reader. I don't know whether it supports JavaScript or not

According to him, it does not.
http://blog.washingtonpost.com/securityfix/2008/05/security_fixes_in_foxit_update.html

>>But this is not a complete solution for everyone.

Agreed; but for the vast majority of people who just want to read a given PDF file, instead of futzing around with updates and depending on them to fix the problem, thirty seconds of disabling JavaScript in Adobe Reader relieves them of having to worry about whether or not opening it will run a malicious script.

>>There are some PDF documents (interactive forms, commonly) that use JavaScript for legitimate purposes. For example, I'm the treasurer of a non-profit organization. There are forms that we have to file with the IRS that use JavaScript.

And that means you're aware that you need to run JavaScript in some PDF files; whereas my point is that most people aren't aware that they don't need to run JavaScript in all PDF files. (Just to clarify, I have no objection to people enabling JavaScript if they find they need it.)

Posted by: Mark Odell | June 28, 2008 3:32 PM
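Added example, not part of the original thread and not Adobe's tooling: one way to check which PDF files actually declare JavaScript, so you can tell whether turning JavaScript off in the reader would affect the documents you use. The sample byte strings and all function names are constructed for illustration, and the scan only sees uncompressed objects.

```python
import re
import sys

# A PDF name starts with "/" and may hex-escape any character as #xx,
# so "/J#61vaScript" and "/JavaScript" are the same name.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r \[\]()<>{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

SCRIPT_NAMES = {b"JavaScript", b"JS"}   # script action type / script body key
TRIGGER_NAMES = {b"OpenAction", b"AA"}  # actions that fire without a click

def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes in a PDF name token."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def scan_pdf_bytes(data: bytes) -> dict:
    """Count watched names in raw PDF bytes.

    Limits: objects inside compressed streams are not seen, and a name-like
    token inside a string literal is counted too, so treat hits as a prompt
    to look closer rather than a verdict.
    """
    counts = {n.decode(): 0 for n in sorted(SCRIPT_NAMES | TRIGGER_NAMES)}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in SCRIPT_NAMES or name in TRIGGER_NAMES:
            counts[name.decode()] += 1
    return counts

def declares_javascript(data: bytes) -> bool:
    """True if the file declares script content in its visible objects."""
    counts = scan_pdf_bytes(data)
    return any(counts[n.decode()] for n in SCRIPT_NAMES)

# Constructed samples (not real documents): a plain catalog, and a form-style
# file whose script action name is written with a hex escape.
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
FORM = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
        b"3 0 obj\n<< /S /J#61vaScript /JS (this.calculateNow\\(\\);) >>\nendobj\n")

if __name__ == "__main__":
    for path in sys.argv[1:]:   # e.g. python pdfjs_check.py *.pdf
        with open(path, "rb") as fh:
            print(path, scan_pdf_bytes(fh.read()))
    print("PLAIN:", declares_javascript(PLAIN), "FORM:", declares_javascript(FORM))
```
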

Following Brian's recommendations to previously install Foxit Reader in lieu of Adobe, once you install Foxit, it hijacks all Adobe downloads.

I hate having software that only PARTIALLY works. The Adobe Reader is just that and no more, whereas Foxit has numerous POTENTIAL capabilities, that once you click on them, it tells you to BUY the remaining software if you want that feature.

Posted by: brucerealtor | June 28, 2008 11:56 PM

I blogged about this at CNET.
http://news.cnet.com/8301-13554_3-9979638-33.html

According to Adobe, you can verify that your copy of the Adobe Reader is the latest and greatest with: Help -> About Adobe Plugins -> Comments. The date for the API should be 6/7/2008. This works on both Windows and Macs.

Linux is vulnerable, according to Adobe, but a fix is expected in July. Windows 2000 is also vulnerable to the problem, but the patch is now available - even though the Adobe Security Bulletin fails to mention this.

See: Release notes for Adobe Reader and Acrobat 8.1.2 SU1 security update
http://www.adobe.com/go/kb403742

Posted by: Michael Horowitz | June 29, 2008 12:10 AM
