=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN221
_____________________________________________________________________

DATE                      : 10/06/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Adobe Reader 9, Adobe Acrobat 9.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb09-07.html
______________________________________________________________________

Security Updates available for Adobe Reader and Acrobat

Release date: June 9, 2009

Vulnerability identifier: APSB09-07

CVE number: CVE-2009-0198, CVE-2009-0509, CVE-2009-0510, CVE-2009-0511,
            CVE-2009-0512, CVE-2009-0888, CVE-2009-0889, CVE-2009-1855,
            CVE-2009-1856, CVE-2009-1857, CVE-2009-1858, CVE-2009-1859,
            CVE-2009-1861

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and
Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the
application to crash and could potentially allow an attacker to take control
of the affected system.

Adobe recommends users of Adobe Reader 9 and Acrobat 9 and earlier versions
update to Adobe Reader 9.1.2 and Acrobat 9.1.2. Adobe recommends users of
Acrobat 8 update to Acrobat 8.1.6, and users of Acrobat 7 update to Acrobat
7.1.3. For Adobe Reader users who cant update to Adobe Reader 9.1.2, Adobe
has provided the Adobe Reader 8.1.6 and Adobe Reader 7.1.3 updates.  Updates
apply to Windows and Macintosh.  Security updates for Adobe Reader on the
UNIX platform will be available on June 16, 2009; this Bulletin will be
updated to reflect their availability on that date.

This update incorporates the initial output of code hardening efforts
discussed in a May 20 Adobe ASSET (Adobe Secure Software Engineering Team)
blog post, as well as externally reported issues, as detailed below.

Affected software versions

Adobe Reader 9.1.1 and earlier versions
Adobe Acrobat Standard, Pro, and Pro Extended 9.1.1 and earlier versions

Solution

Adobe Reader

Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Acrobat

Acrobat Standard, Pro and Pro Extended users on Windows can find the
appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

Severity rating

Adobe categorizes this as a critical update and recommends that users apply
the update for their product installations.

Details

Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and
Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the
application to crash and could potentially allow an attacker to take control
of the affected system.

Adobe recommends users of Adobe Reader and Acrobat update their product
installations to versions 9.1.2, 8.1.6, or 7.1.3 using the instructions
above to protect themselves from potential vulnerabilities.  The above
updates apply to Windows and Macintosh. Security updates for Adobe Reader on
the UNIX platform will be available on June 16, 2009; this Bulletin will be
updated to reflect their availability on that date.

This update resolves a stack overflow vulnerability that could potentially
lead to code execution (CVE-2009-1855).

This update resolves an integer overflow that leads to a Denial of Service
(DoS); arbitrary code execution has not been demonstrated, but may be
possible (CVE-2009-1856).

This update resolves a memory corruption vulnerability that leads to a
Denial of Service (DoS); arbitrary code execution has not been demonstrated,
but may be possible (CVE-2009-1857).

This update resolves a memory corruption vulnerability in the JBIG2 filter
that could potentially lead to code execution (CVE-2009-1858).

This update resolves a memory corruption vulnerability that could
potentially lead to code execution (CVE-2009-1859).

This update resolves a memory corruption vulnerability in the JBIG2 filter
that leads to a Denial of Service (DoS); arbitrary code execution has not
been demonstrated, but may be possible (CVE-2009-0198).

This update resolves multiple heap overflow vulnerabilities in the JBIG2
filter that could potentially lead to code execution (CVE-2009-0509,
CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889).

This update resolves multiple heap overflow vulnerabilities that could
potentially lead to code execution (CVE-2009-1861).

Additionally, this update resolves Adobe internally discovered issues.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================