Reference: CERT-EU Security Advisory 2013-0021

Title: Security Advisory for Adobe Reader and Acrobat [1]

Version history:
13.02.2013 Initial publication

Summary
=======

Adobe has identified two critical vulnerabilities affecting Adobe Reader and Acrobat for Windows and Macintosh:

CVE-2013-0640: allows remote attackers to execute arbitrary code via a crafted PDF document.
CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) [2]

CVE-2013-0641: allows remote attackers to execute arbitrary code via a crafted PDF document.
CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) [3]

These vulnerabilities can be exploited in targeted attacks through malicious PDF files sent by e-mail.

Vulnerable systems
==================

Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

What can you do?
================

Adobe is in the process of working on fixes for these issues. In the meantime, users of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View. To enable this setting, choose the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu.

What to tell your users?
========================

Normal security best practices apply. In particular, inform your Web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users should not click on links in suspicious emails and should immediately forward the suspicious email to the respective IT security officer / contact in your institution.

More information
================

[1] http://www.adobe.com/support/security/advisories/apsa13-02.html
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0640
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0641

Best regards,
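The version ranges under "Vulnerable systems" can be checked against a software inventory. The following is an added example, not part of the CERT-EU advisory or any Adobe tooling; the function names, the inventory row layout and the sample hosts are assumptions made for illustration.

```python
import re

# Last affected version and listed platforms per branch ("Vulnerable systems").
WIN_MAC = {"windows", "macintosh"}
AFFECTED = {
    ("reader", 11): ((11, 0, 1), WIN_MAC),
    ("reader", 10): ((10, 1, 5), WIN_MAC),
    ("reader", 9): ((9, 5, 3), WIN_MAC | {"linux"}),
    ("acrobat", 11): ((11, 0, 1), WIN_MAC),
    ("acrobat", 10): ((10, 1, 5), WIN_MAC),
    ("acrobat", 9): ((9, 5, 3), WIN_MAC),
}


def parse_version(text):
    """'11.0.01' -> (11, 0, 1), three components; None if not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    parts = [int(p) for p in text.strip().split(".")]
    # Assumption: a fourth component (build number) does not affect the range.
    return tuple((parts + [0, 0])[:3])


def classify(product, version, platform):
    """Return 'vulnerable', 'not-listed' or 'review' for one installation."""
    parsed = parse_version(version)
    entry = AFFECTED.get((product.lower(), parsed[0])) if parsed else None
    if entry is None:
        return "review"  # unparseable version, or branch the advisory omits
    ceiling, platforms = entry
    if platform.lower() in platforms and parsed <= ceiling:
        return "vulnerable"
    return "not-listed"


def triage(inventory):
    """Map each host in (host, product, version, platform) rows to a status."""
    return {host: classify(p, v, plat) for host, p, v, plat in inventory}


# Constructed sample inventory: (host, product, version, platform).
SAMPLE = [
    ("ws-01", "Reader", "11.0.01", "Windows"),
    ("ws-02", "Reader", "11.0.2", "Windows"),
    ("ws-03", "Acrobat", "10.1.5.33", "Macintosh"),
    ("lx-01", "Reader", "9.5.3", "Linux"),
    ("ws-04", "Reader", "unknown", "Windows"),
]
```

Hosts returned as "review" have a version string that could not be parsed or run a branch the advisory does not mention, so they need a manual check rather than being treated as unaffected.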