=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN068
_____________________________________________________________________

DATE                      : 19/02/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Adobe Reader, Adobe Acrobat.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb10-07.html
______________________________________________________________________

Security updates available for Adobe Reader and Acrobat

Release date: February 16, 2010

Vulnerability identifier: APSB10-07

CVE numbers: CVE-2010-0188, CVE-2010-0186

Platform: All Platforms

Summary

A critical vulnerability has been identified in Adobe Reader 9.3 for Windows,
Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe
Reader 8.2 and Acrobat 8.2 for Windows and Macintosh. As described in Security
Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain
sandbox and make unauthorized cross-domain requests. In addition, a critical
vulnerability (CVE-2010-0188) has been identified that could cause the
application to crash and could potentially allow an attacker to take control
of the affected system.

Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows,
Macintosh and UNIX update to Adobe Reader 9.3.1. (For Adobe Reader users on
Windows and Macintosh who cannot update to Adobe Reader 9.3.1, Adobe has
provided the Adobe Reader 8.2.1 update.) Adobe recommends users of Adobe
Acrobat 9.3 and earlier versions for Windows and Macintosh update to Adobe
Acrobat 9.3.1. Adobe recommends users of Acrobat 8.2 and earlier versions for
Windows and Macintosh update to Acrobat 8.2.1.

Affected software versions

Adobe Reader 9.3 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh

Solution

Adobe Reader
Users can utilize the product's automatic update facility. The default
installation configuration runs automatic updates on a regular schedule, and
can be manually activated by choosing Help > Check For Updates Now.

Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/products/reader/unix9/ (download latest update from 9.3.1
folder).

Adobe Acrobat
Users can utilize the product's automatic update facility. The default
installation configuration runs automatic updates on a regular schedule, and
can be manually activated by choosing Help > Check For Updates Now.

Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.

Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.
Severity rating

Adobe categorizes this as a critical update and recommends that users apply the
update for their product installations.

Details

A critical vulnerability has been identified in Adobe Reader 9.3 for Windows,
Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe
Reader 8.2 and Acrobat 8.2 for Windows and Macintosh. As described in Security
Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain
sandbox and make unauthorized cross-domain requests. In addition, a critical
vulnerability (CVE-2010-0188) has been identified that could cause the
application to crash and could potentially allow an attacker to take control of
the affected system.

Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows,
Macintosh and UNIX update to Adobe Reader 9.3.1. (For Adobe Reader users on
Windows and Macintosh who cannot update to Adobe Reader 9.3.1, Adobe has
provided the Adobe Reader 8.2.1 update.) Adobe recommends users of Adobe
Acrobat 9.3 and earlier versions for Windows and Macintosh update to Adobe
Acrobat 9.3.1. Adobe recommends users of Acrobat 8.2 and earlier versions for
Windows and Macintosh update to Acrobat 8.2.1.

Acknowledgements

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:

    * Michael Yong Park (CVE-2010-0186)
    * Microsoft Vulnerability Research Program (MSVR) (CVE-2010-0188)
======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================