Adobe Reader release history

Below you will find descriptions of the changes and new features in the successive versions of Adobe Reader.

Adobe Reader 9.3.3

Adobe Reader 9.3.3 is once again a security update that closes seventeen serious holes in the PDF reader. The holes are critical, and one has already been exploited by internet criminals for several weeks. Using specially crafted, malicious PDF files they attempt to take over PCs.

This is therefore an urgent update for Adobe Reader. You can update via the menu Help - Check for Updates in Adobe Reader. The new version is available for Windows, Mac OS X and Linux.

Release notes:
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1297).

Note: There are reports that this issue is being actively exploited in the wild.

This update mitigates a social engineering attack that could lead to code execution (CVE-2010-1240).
This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-1285).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1295).
This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2168).
This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2201).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2202).
This update resolves a UNIX-only memory corruption vulnerability that could lead to code execution (CVE-2010-2203).
This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-2204).
This update resolves an uninitialized memory vulnerability that could lead to code execution (CVE-2010-2205).
This update resolves an array-indexing error vulnerability that could lead to code execution (CVE-2010-2206).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2207).
This update resolves a dereference deleted heap object vulnerability that could lead to code execution (CVE-2010-2208).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2209).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2210).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2211).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2212).

Adobe Reader 9.3.2

Adobe Reader 9.3.2 is a security update that repairs fifteen holes in the PDF reader. The holes are rated critical, which is reason to update quickly via the menu Help - Check for Updates in Adobe Reader. The new version is available for Windows, Mac OS X and Linux.

Release notes:
This update resolves a cross-site scripting vulnerability that could lead to code execution (CVE-2010-0190).
This update resolves a prefix protocol handler vulnerability that could lead to code execution (CVE-2010-0191).
This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-0192).
This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-0193).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0194).
This update resolves a font handling vulnerability that could lead to code execution (CVE-2010-0195).
This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-0196).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0197).
This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0198).
This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0199).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0201).
This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0202).
This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0203).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0204).
This update resolves a heap-based overflow vulnerability that could lead to code execution (CVE-2010-1241).

Adobe Reader 9.3.1

Adobe Reader 9.3.1 is a security update that closes two holes in the PDF reader. A hole in the built-in Flash Player concerns unauthorized cross-domain requests that bypass the domain sandbox.

The second critical hole in Adobe Reader can crash the application and give attackers the opportunity to take control of a PC.

Security organisation Secunia rates both holes as highly critical, which is reason to update quickly via the Help menu in Adobe Reader.

Release notes:
A critical vulnerability has been identified in Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh. As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe Reader 9.3

In Adobe Reader 9.3, eight highly dangerous holes have been closed that were already being exploited by malicious parties.

Security has also been improved by introducing a set of restrictions and a list of trusted locations. In addition, Internet Explorer users can have Adobe Reader take over the websites trusted by IE.

The warning dialogs have also been replaced by yellow information bars. Finally, a great many small bugs have been fixed.

The complete release notes:

SECURITY COMPONENTS

The features below are described on http://learn.adobe.com/wiki/display/security/Application+Security+Library.

Enhanced Security

This release ships with enhanced security on by default. Adobe recommends as a best practice that you keep enhanced security enabled. Enhanced security provides two tools designed to help you protect your environment: a set of default restrictions and a method to define trusted locations that are not subject to those restrictions. In other words, you can either block dangerous actions altogether or selectively permit them for locations and files you trust.

Privileged Locations Improvements

Windows users can automatically trust sites that they trust for Internet Explorer by checking Automatically trust sites from my Win OS security zones. In effect, those sites become privileged locations and are exempt from enhanced security restrictions. 

Cross Domain Support

Cross domain logging can be enabled via the user interface. 

The cross domain log can be opened, copied, and cleared via the user interface.

Cross domain policy files support all the mime types specified in the Cross Domain Policy File Specification.

Warning Message and Dialog Improvements

A non-intrusive Yellow Message Bar (YMB) that doesn’t block workflows replaces many of the modal dialogs. 

The Yellow Message Bar appears when content attempts to invoke potentially risky behavior such as cross domain access, JavaScript execution, data injection, and playing legacy multimedia types (non-Flash). If the associated feature is not locked down by an administrator, the Yellow Message Bar provides an Options button that lets the user trust the document "once" or "always" for that feature.

Multimedia Security 

Legacy multimedia support is disabled by default. For media types other than Flash, support must be manually enabled by assigning trust to the file containing the multimedia.

RESOLVED ISSUES 

PDF Maker 

2478552: Fixed an issue where PDFMaker was loading in Office 2010 with the 9.x version of Acrobat.

Viewer 

2485091, 2482589: Fixed a 9.2 Snow Leopard out-of-memory and crash issue where the progress bar caused extreme performance problems when the Acrobat progress bar was refreshed a large number of times during an operation.

2445056: Fixed a 9.2 issue where closing a PDF caused a Firefox crash when multiple profiles had been started. When there are multiple instances of Firefox.exe running with the profile option -no-remote and the user tries to close the instance that has a PDF document open, the user gets a "Memory could not be read" error.

2481139: Fixed a 9.2 issue where Reader loaded forms in the background but did not show the busy cursor.

Web Capture 

2465504: Fixed a 9.2 issue where Web Capture set check box values as checked by default. The HTML checkbox "value" attribute and state were not being honored.

Collaboration 

2465483: Fixed a 9.2 shared review issue where a reviewer's XML was overwritten and comments were lost: after a user exited and reopened the PDF, the previous comments were deleted.

Accessibility 

2464216: Fixed an Adobe Reader 9.2 issue where it did not trigger the speech synthesizer when clicking on any text field of the customer's PDF form (JAWS 11).

XPS conversion 

2458933: Fixed a 9.1.3 issue where converting an XPS file with the XPS2PDF Conversion plug-in yielded an incorrect page layout and missing items in the resulting PDF file.

Security 

2451794: Fixed a 9.1.3 issue where Acrobat did not display the Save As dialog when the user signed the PDF with a digital signature, and signing with the Microsoft Base CSP was not possible.

2425955: Fixed a 9.1.2 issue where the error "The Windows Cryptographic Service Provider reported an error. Error code 2148073504" was encountered while signing, after a number of digital signatures had been produced successfully.

3D 

2460633: Fixed a 9.2 issue where importAnXFDF does not import 3D views properly when the XFDF contains views associated with a 3D annotation. 

Annotations 

2451592: Fixed a 9.1.3 issue where no comments could be viewed after saving a document with corrupt annotations. When the user performed a Save As on a PDF with corrupted annotations and then opened other documents in the same Acrobat session, any annotations on those documents failed to display.

Printing 

2402932: Fixed a 9.1.1 issue where files with large paper sizes were printed blank with the Xerox 7500 driver when "choose paper source as PDF size" and "use custom size when needed" were both on.

2300251: Fixed a 9.1.1 issue where the output was clipped and printed with the wrong orientation when "Use custom paper size when needed" and "Choose Paper Source by PDF page size" were both on.

Forms 

2371660: Fixed a 9.2 issue where, when the user invoked web services from within a PDF that were protected using WS-Security, the SOAP header in the SOAP request sent from the server to the PDF did not conform to the WSSE specification. Recommended action: No action is required in most cases. If server code was written that checked for the incorrect headers, that code may need to be revisited.

2445047: Fixed an issue in 9.2 where submitForm caused XML data to be attached as *.tmp when the oXML parameter was used and cSubmitAs was set to 'XML'. Customizing the XML data with the oXML parameter and then calling submitForm to email the data caused the data to be attached with a .tmp extension rather than .xml. Recommended action: If a server process is receiving and parsing the attachments, look for either a ".tmp" or a ".xml" extension.
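The recommended action for 2445047 above, worked through as an added example (not Adobe's code): a server-side receiver that accepts both the ".tmp" name sent by 9.2 and the ".xml" name sent by 9.3, but decides on content rather than extension, rejecting anything that is not plain XML or that carries a DOCTYPE. The function names and the sample attachments are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Extensions Reader is known to use for data submitted via
# submitForm(cSubmitAs='XML', oXML=...): 9.2 sent ".tmp", 9.3 sends ".xml".
ACCEPTED_EXTENSIONS = (".xml", ".tmp")

def is_form_data_attachment(filename: str) -> bool:
    """True if the attachment name ends in an extension Reader is known to use."""
    return filename.strip().lower().endswith(ACCEPTED_EXTENSIONS)

def parse_form_xml(filename: str, data: bytes) -> dict:
    """Accept on extension, then verify the payload really is XML before parsing.
    Raises ValueError (or ET.ParseError) for anything that is not form data."""
    if not is_form_data_attachment(filename):
        raise ValueError(f"unexpected attachment extension: {filename!r}")
    # A ".tmp" name says nothing about the payload, so sniff the bytes.
    if not data.lstrip().startswith(b"<"):
        raise ValueError("attachment is not XML")
    # Refuse DOCTYPE so the submission cannot declare entities (entity expansion / XXE).
    if re.search(rb"<!DOCTYPE", data, re.IGNORECASE):
        raise ValueError("DOCTYPE not allowed in form submissions")
    root = ET.fromstring(data)
    # Flatten the top-level child elements into a field -> value mapping.
    return {child.tag: (child.text or "").strip() for child in root}

def process_attachments(attachments):
    """Return (parsed, rejected) for a batch of (filename, bytes) attachments."""
    parsed, rejected = [], []
    for filename, data in attachments:
        try:
            parsed.append((filename, parse_form_xml(filename, data)))
        except (ValueError, ET.ParseError) as exc:
            rejected.append((filename, str(exc)))
    return parsed, rejected

# Constructed sample: the same submission as a 9.2 client (".tmp") and a 9.3
# client (".xml") would name it, plus an unrelated attachment that must be refused.
SAMPLE_XML = b'<?xml version="1.0"?><form><name>Alice</name><amount>42</amount></form>'
SAMPLE_ATTACHMENTS = [
    ("submission.tmp", SAMPLE_XML),
    ("submission.xml", SAMPLE_XML),
    ("submission.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    ok, bad = process_attachments(SAMPLE_ATTACHMENTS)
    print("parsed:", ok)
    print("rejected:", bad)
```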

Details

This update resolves a use-after-free vulnerability in Multimedia.api that could lead to code execution (CVE-2009-4324).
Note: There are reports that this issue is being actively exploited in the wild; the exploit targets Adobe Reader and Acrobat 9.2 on Windows platforms.

This update resolves an array boundary issue in U3D support that could lead to code execution (CVE-2009-3953).
Note: This issue had been incorrectly identified as a previously fixed vulnerability (CVE-2009-2994) in the Metasploit framework.

This update resolves a DLL-loading vulnerability in 3D that could allow arbitrary code execution (CVE-2009-3954).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2009-3955).

This update mitigates a script injection vulnerability by changing the Enhanced Security default (CVE-2009-3956).

This update resolves a null-pointer dereference vulnerability that could lead to denial of service (CVE-2009-3957).

This update resolves a buffer overflow vulnerability in the Download Manager that could lead to code execution (CVE-2009-3958).

This update resolves an integer overflow vulnerability in U3D support that could lead to code execution (CVE-2009-3959).