Patch updates have been issued for Adobe Reader 9 and Acrobat 9.


A critical vulnerability has been identified that would cause the application to crash and could potentially allow an attacker to take control of the affected system. Adobe claimed that there are reports that this issue is being exploited, and recommended that users update to Adobe Reader 9.1 and Acrobat 9.1.


It is also planning to make available updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, by 18th March. In addition, Adobe plans to make available Adobe Reader 9.1 for Unix by 25th March.


Adobe security program manager David Lenoe said: “We have seen reports that disabling JavaScript in Adobe Reader and Acrobat can protect users from this issue. Disabling JavaScript provides protection against currently known attacks. However, the vulnerability is not in the scripting engine and, therefore, disabling JavaScript does not eliminate all risk.”


US-CERT encouraged users to review the Adobe security bulletin APSB09-03 and update to Adobe Reader 9.1 and Acrobat 9.1. It said: “Adobe has released Reader 9.1 and Acrobat 9.1 to address a vulnerability. This vulnerability is due to a buffer overflow condition that exists in the way Adobe Acrobat Reader handles JBIG2 streams.


“Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Adobe has indicated that it is aware of reports of active exploitation.”