Vulnerability Note VU#257117
Adobe Reader and the Adobe Acrobat family of software are designed to create, view, and edit Portable Document Format (PDF) files. Adobe Reader is widely deployed, and the Acrobat Reader Plug-In displays PDF inside a web browser.
Enable Data Execution Prevention (DEP) in Microsoft Windows
Prevent Internet Explorer from automatically opening PDF documents
The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
Disable the displaying of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities.
To prevent PDF documents from automatically being opened in a web browser with Adobe Reader:
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Adobe||Affected||04 Sep 2009||13 Oct 2009|
CVSS Metrics (Learn More)
Thanks to Richard van Eeden of IOActive, for reporting this issue.
This document was written by Chad R Dougherty.
- CVE IDs: CVE-2009-2993
- Date Public: 01 Sep 2009
- Date First Published: 13 Oct 2009
- Date Last Updated: 27 Oct 2009
- Document Revision: 15
If you have feedback, comments, or additional information about this vulnerability, please send us email.