Adobe Security Advisory on Adobe Reader and Acrobat (APSB09-15)

Adobe has released a new security advisory affecting Adobe Reader and Acrobat v9.1.3 and earlier.

Security Advisory for Adobe Reader and Acrobat
Release date: October 8, 2009
Vulnerability identifier: APSB09-15
CVE number: CVE-2009-3459
Platform: All

Adobe is planning to release an update for Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh to resolve critical security issues. Adobe expects to make this update available on October 13, 2009. This update represents the second quarterly security update for Adobe Reader and Acrobat.

Among other issues, this update will resolve a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459) on Windows, Macintosh and UNIX. There are reports that this issue is being exploited in the wild in limited targeted attacks; the exploit targets Adobe Reader and Acrobat 9.1.3 on Windows. Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista are protected from this exploit. Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date.

We wish to thank Chia-Ching Fang and the Information and Communication Security Technology Center for their help with reporting and investigating this issue (CVE-2009-3459).

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: or by subscribing to the RSS feed here:

(Note: This Security Advisory will be replaced with the final Security Bulletin upon release on October 13, 2009.)

Affected software versions
Adobe Reader 9.1.3 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.1.3 and earlier versions for Windows and Macintosh

Severity rating
Adobe categorizes this as a critical update.

Leave a Reply