TITSSN's ThreatTrix - IT Security Alerts and Information System

Adobe patches mysterious Reader bugs

Permalink 02/06/08 18:06, by Brett A. Scudder, Categories: The ThreatTrix - IT Security Alerts and Advisories, Adobe's Alerts and Advisories

http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9061299
Gregg Keizer

February 06, 2008 (Computerworld) Adobe Systems Inc. patched its free Reader software today, saying that it was quashing “a number of … security vulnerabilities.” But in what some saw as a change from past practice, the company did not provide any information to users on the bugs it found and fixed.

Adobe Reader 8.1.2 addresses 27 items, most of which appeared to be usability problems, with a few stability issues tossed in for good measure, said the San Jose-based company. None of the 27 fixes listed in the 8.1.2 Release Notes called out a security vulnerability.
The lack of information about the purported bugs patched in 8.1.2 surprised some security researchers. “Curiously, no further details are available about the security update, which is not the norm for Adobe,” said Thomas Kristensen, the chief technology officer at Copenhagen-based vulnerability tracker Secunia APS.

Adobe was much more verbose in its explanations the last time it updated Reader. In October 2007, for example, when it patched Reader for a vulnerability that exposed most Windows XP users to exploits in malicious Portable Document Format files, the company published a support document that described the fixes in considerable detail and labeled the single security vulnerability as such.

However, Andrew Storms, director of security operations at nCircle Inc., didn’t see the move as a change. “My first thought is that it’s no big deal,” said Storms. “Vendors like Adobe have no historically standardized way of presenting information, which is in great contrast with Microsoft, which is very rigid about what and how it presents information.

“From Microsoft, we know what to expect each month,” Storms said. “And Oracle is another [vendor] that has done a great service for the industry by standardizing. But Adobe has not done that.” The differences between October and today, he continued, might be attributable to something as mundane as someone different at Adobe writing up the bulletin.

According to Secunia, there is only one outstanding vulnerability in Reader that has not yet been patched – an information-disclosure bug that harks back to early March 2007. None of the more than two-dozen problems acknowledged by Adobe, however, match the description of the unpatched bug.

Adobe did not respond to questions about the information it has posted – and not posted – around the release of Reader 8.1.2.

The new version, which can be downloaded from the Adobe Web site or retrieved using the updater bundled with Reader, targets Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Mac OS X 10.4.3 and later.

4 comments

Comment from: Brett A. Scudder [Member] · http://titssn.net
Well, it didn’t take long for this to grow into a major issue that is now affecting many people in various areas. The malicious banner exploit is producing known threats (Trojan.Zonebac, Trojan.Pidief.C, Exploit-PDF.b), with more names coming as AV and AS vendors jump on it.

Some mitigation recommendations being shared include:

Updating to the latest version of the Adobe products that are vulnerable (a no-brainer)
Wiping the systems if infected, due to the ways in which the infection/payload hits the system
Using Foxit Software's Foxit PDF solutions http://www.foxitsoftware.com

The impact seems the same across all the user bases we’ve had reports from. Once in the network, this spreads in various ways, so we are not yet sure how the threat is proliferating, but we’re certain it is growing.

Here are some references to the vulnerability, and my suggestion is that you upgrade as soon as possible. The wide use of PDF files heightens the threat's ability to infect and proliferate at rapid rates. We will continue to cover this while it develops in an effort to help everyone get secured against it.

Since Jan. 20, 2008, banner ads have actively served malicious PDF files that exploit the vulnerability and install the Zonebac Trojan horse. Once installed, the Trojan kills various antivirus products and modifies search results and banner ads. A similar attack occurred in October 2007 when the same group used a Realplayer zero-day exploit to install the Zonebac Trojan.

No anti-virus vendors currently detect the malicious PDF files. This type of exploit can be used in Web browser and email attack vectors. This vulnerability affects Adobe Acrobat Reader v7.x and versions prior to 8.1.2. Complete mitigation requires upgrading to Adobe Acrobat 8.1.2.

Acrobat product interoperability: Install and remove Acrobat 7.0.x (Windows) http://kb.adobe.com/selfservice/viewContent.do?externalId=326272&sliceId=2

Security update available for Adobe Reader and Acrobat 8 http://www.adobe.com/support/security/advisories/apsa08-01.html

iDefense
http://www.sunbelt-software.com/ihs/alex/iDefense_PressKit_PDFExloitation_20080208_20_282_29.pdf

Adobe Reader Security Provider Unsafe Library Path Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=655

Sunbelt’s CEO Blogs
If you have Adobe Acrobat 7 or 8, make sure it's updated http://sunbeltblog.blogspot.com/2008/02/if-you-have-adobe-acrobat-7-or-8-makes.html

Vulnerability Timeline:

09/25/2007 Initial vendor notification
09/25/2007 Initial vendor response
10/26/2007 Request for status
10/26/2007 Status - Est. early January
01/04/2008 Request for status
01/04/2008 Status - Scheduled early February
01/28/2008 Adobe plans patch for 8, but not 7
01/30/2008 Concerns about the plan e-mailed to Adobe
01/31/2008 Telephone call to clarify concerns
02/06/2008 Adobe releases 8.1.2
02/07/2008 Adobe publishes APSA08-01
02/08/2008 Public disclosure

• Adobe Reader Buffer Overflow Vulnerability (iDefense orig.) (ID#464641, Oct. 10, 2007)
• Virus Report ( http://www.pcprimipassi.it/servizifree/forum/forum_posts.asp?TID=10066, Jan. 20, 2008)
• Adobe Acrobat 8.1 Undisclosed Buffer Overflow Vulnerability (ID#467355, Feb. 6, 2008)
• Immunity POC Exploit ( http://www.immunityinc.com/partners-index.shtml, Feb. 6, 2008)
• Adobe Security Advisory APSA08-01 ( http://www.adobe.com/support/security/advisories/apsa08-01.html, Feb. 7, 2008)
• iDefense Receives Hostile PDF Sample (Feb. 7, 2008)
• Adobe Reader Vulnerability Exploitation in the Wild (ID# 467384, Feb. 8, 2008)
• iDefense Customer Notification (ID#467398, Feb. 8, 2008)

As we are all affected by it directly or indirectly, can we all share whatever information and updates we get so others can benefit from it?

Thank you,

~Brett A. Scudder~
02/12/08 @ 11:42
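Two of the conditions referenced above are worth checking on a host before anything else: a Reader or Acrobat build older than 8.1.2 (the timeline shows no patch planned for the 7.x line, so 7.x users have to move to 8.1.2), and the Security Provider search path that includes the directory the application was started in, which lets a same-named file next to a document shadow the real library. The following is an added example written for this page, not code from Brett, iDefense or Adobe. It compares version strings numerically (a plain string compare would rank 8.1.10 below 8.1.2) and reports any library in a document's directory whose name collides with one in the install directory. The directory layout, the library name SecProvider.dll and the function names are constructed for the example; on a real Windows host you would point it at the Reader install directory and the folder the PDF was opened from.

```python
"""Host exposure check: unpatched build and library planting (constructed example)."""
import os
import tempfile

FIXED_VERSION = (8, 1, 2)   # first build the alert lists as non-vulnerable


def parse_version(s: str) -> tuple:
    """'8.1.1' -> (8, 1, 1); a trailing letter suffix such as '4.0.5a' is dropped."""
    parts = []
    for piece in s.strip().split('.'):
        digits = ''.join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True for every build below 8.1.2. Compare as integer tuples, never as strings:
    '8.1.10' < '8.1.2' is true lexically and would mark a newer build as unpatched."""
    return parse_version(version) < FIXED_VERSION


def find_planted_libraries(app_dir: str, start_dir: str, exts=('.dll',)) -> list:
    """Names in start_dir that collide with a library in app_dir. With the start
    directory on the search path, the copy in start_dir is the one that loads."""
    app_libs = {name.lower() for name in os.listdir(app_dir) if name.lower().endswith(exts)}
    planted = []
    for name in os.listdir(start_dir):
        # same_file is true when the app was started from its own install directory
        same_file = (os.path.realpath(os.path.join(start_dir, name))
                     == os.path.realpath(os.path.join(app_dir, name)))
        if name.lower() in app_libs and not same_file:
            planted.append(name)
    return sorted(planted)


def demo() -> list:
    """Throwaway layout: a hypothetical provider library in the install directory and a
    same-named file dropped next to the PDF the user double-clicked in Downloads."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, 'Reader')
        start_dir = os.path.join(root, 'Downloads')
        layout = {app_dir: ['SecProvider.dll', 'Reader.exe'],      # hypothetical names
                  start_dir: ['invoice.pdf', 'secprovider.dll']}
        for directory, names in layout.items():
            os.makedirs(directory)
            for name in names:
                open(os.path.join(directory, name), 'wb').close()
        return find_planted_libraries(app_dir, start_dir)
```

The version string comes from the installed product (the file version of the main Reader executable is the reliable source), and start_dir is whatever folder the document was opened from. A hit from find_planted_libraries is a file that has no business being there; given how the comment above describes the payload, wiping rather than cleaning is the conservative response.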
Comment from: Chris [Visitor]
thanks for the heads up Brett, ...applying updates "as we speak"...
02/12/08 @ 12:07
Comment from: Brett A. Scudder [Member] · http://titssn.net

Symantec Vulnerability Alert

Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities
Bugtraq ID 27641
CVE CVE-2007-5659(Candidate), CVE-2008-0655(Candidate)
Published Feb 06 2008
Last Update 02/12/2008 3:38:08 PM GMT
Remote Yes
Local No
Credibility Vendor Confirmed
Classification Unknown
Ease No Exploit Required
Availability User Initiated
Authentication Not Required

Impact 8 Severity 8.3 Urgency Rating 8.9

Last Change Urgency raised due to active exploitation; references
updated; US-CERT alert TA08-043A added.

Vulnerable Systems
------------------
Adobe Acrobat 3D
Adobe Acrobat Professional 7.0.0
Adobe Acrobat Professional 7.0.1
Adobe Acrobat Professional 7.0.2
Adobe Acrobat Professional 7.0.3
Adobe Acrobat Professional 7.0.4
Adobe Acrobat Professional 7.0.5
Adobe Acrobat Professional 7.0.6
Adobe Acrobat Professional 7.0.7
Adobe Acrobat Professional 7.0.8
Adobe Acrobat Professional 8.0
Adobe Acrobat Professional 8.1
Adobe Acrobat Professional 8.1.1
Adobe Acrobat Reader 3.0.0
Adobe Acrobat Reader 4.0.0
Adobe Acrobat Reader 4.0.0 5
Adobe Acrobat Reader 4.0.0 5c
Adobe Acrobat Reader 4.0.5 A
Adobe Acrobat Reader 5.0.0
Adobe Acrobat Reader 5.0.10
Adobe Acrobat Reader 5.0.5
Adobe Acrobat Reader 5.1.0
Adobe Acrobat Reader 6.0.0
Adobe Acrobat Reader 6.0.1
Adobe Acrobat Reader 6.0.2
Adobe Acrobat Reader 6.0.3
Adobe Acrobat Reader 6.0.4
Adobe Acrobat Reader 7.0.0
Adobe Acrobat Reader 7.0.1
Adobe Acrobat Reader 7.0.2
Adobe Acrobat Reader 7.0.3
Adobe Acrobat Reader 7.0.4
Adobe Acrobat Reader 7.0.5
Adobe Acrobat Reader 7.0.6
Adobe Acrobat Reader 7.0.7
Adobe Acrobat Reader 7.0.8
Adobe Acrobat Reader 7.0.9
Adobe Acrobat Reader 8.0
Adobe Acrobat Reader 8.1
Adobe Acrobat Reader 8.1.1
Adobe Acrobat Standard 8.1.1


Non-Vulnerable Systems
----------------------
Adobe Acrobat Professional 8.1.2
Adobe Acrobat Reader 8.1.2
Adobe Acrobat Standard 8.1.2


Short Summary
-------------
Adobe Acrobat and Reader are prone to multiple arbitrary code execution and security vulnerabilities; fixes are available.

Impact
------
An attacker can exploit these issues to control a user's printer and to execute arbitrary code. Other attacks are also possible.

Technical Description
---------------------
Adobe Acrobat and Reader are freely available, proprietary applications to handle PDF documents.

The applications are prone to multiple arbitrary remote code-execution and security vulnerabilities:

- A design error can be leveraged to gain unauthorized access to an unsuspecting user's printer. Further details regarding this issue are still unavailable.

- Multiple stack-based buffer-overflow issues affect JavaScript methods in Reader and Acrobat. The problems occur because the software fails to sufficiently validate a string's length before using it in several JavaScript methods.

- An integer-overflow vulnerability affects the 'printSepsWithParams()' function when handling user-supplied parameter values.

- A vulnerability in the 'EScript.api' plugin (based on the reference implementation used in Mozilla products) can be exploited to execute arbitrary code. The problem occurs because the method allows direct control over low-level features of an object.

- A vulnerability in Reader occurs due to an unsafe library path. A path for 'Security Provider' libraries contains the directory that the application was started in; the path may be used to load a file with the same name as a Security Provider library. This could allow attackers to run arbitrary code.

Other unspecified vulnerabilities may have also been addressed with the release of Reader and Acrobat 8.1.2. We will update this BID as more information becomes available.

Versions prior to Adobe Acrobat and Adobe Reader 8.1.2 are vulnerable to these issues.

Attack Scenarios
----------------
1. An attacker constructs an exploit designed to leverage any of these issues. The payload will likely contain excessive data, memory addresses, and possibly NOP instructions.

2. The attacker uses email, websites, or other means to distribute the exploit, and then entices a user to open it with the affected application.

3. When the user opens the file, the vulnerability is triggered and the attacker's exploit runs in the context of the currently logged-in user.

Other attacks are also possible.

Exploits
--------
An exploit and proof-of-concept exploit are available to members of the Immunity Partners Program.

The exploits are available from the following location:

https://www.immunityinc.com/downloads/immpartners/acrobat.tgz
https://www.immunityinc.com/downloads/immpartners/acrobatfull.tgz

NOTE: Reports indicate that at least one of these issues is being exploited in the wild.


Mitigating Strategies
---------------------
Run all software as a nonprivileged user with minimal access rights.
To limit the potential damage that a successful exploit may achieve, run all nonadministrative software as a regular user with the least amount of privileges required to successfully operate.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploitation attempts or activity that results from successful exploitation.

Do not accept or execute files from untrusted or unknown sources.
Do not use the affected software to open documents that originate from unknown or untrusted sources.

Do not follow links provided by unknown or untrusted sources.
To reduce the likelihood of successful attacks, never follow links provided by unknown or untrusted individuals.

Implement multiple redundant layers of security.
Use memory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) to complicate exploits of memory-corruption vulnerabilities.


Solutions
---------
Adobe has released updates to address these issues. Please see the references for information on obtaining and applying fixes.

Adobe Upgrade AcrobatUpd812_all_incr.msp
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3849&fileID=3603
Adobe Acrobat Reader 8.0
Adobe Acrobat Reader 8.1
Adobe Acrobat Reader 8.1.1

Adobe Upgrade AcroProUpd812_all.dmg
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3856&fileID=3602
Adobe Acrobat Reader 8.0
Adobe Acrobat Reader 8.1
Adobe Acrobat Reader 8.1.1

Adobe Upgrade AcrobatUpd812_all_incr.msp
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3850&fileID=3606
Adobe Acrobat 3D

Adobe Upgrade Adobe Reader 8.1.2
http://www.adobe.com/products/acrobat/readstep2_servefile.html
Adobe Acrobat Reader 8.0
Adobe Acrobat Reader 8.1
Adobe Acrobat Reader 8.1.1
Adobe Acrobat Reader (UNIX) 7.0.0
Adobe Acrobat Reader (UNIX) 7.0.1
Adobe Acrobat Reader 7.0.0
Adobe Acrobat Reader 7.0.1
Adobe Acrobat Reader 7.0.2
Adobe Acrobat Reader 7.0.3
Adobe Acrobat Reader 7.0.4
Adobe Acrobat Reader 7.0.5
Adobe Acrobat Reader 7.0.6
Adobe Acrobat Reader 7.0.7
Adobe Acrobat Reader 7.0.8
Adobe Acrobat Reader 7.0.9

Credit
------
The vendor disclosed these issues.

References
----------
Advisory:Adobe Reader and Acrobat JavaScript Insecure Method Exposure Vulnerability (iDefense) iDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=656

Advisory:Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities (iDefense) iDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=657

Advisory:Adobe Reader Security Provider Unsafe Library Path Vulnerability (iDefense) iDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=655

Advisory:APSA08-01 Security update available for Adobe Reader and Acrobat 8 (Adobe) Adobe
http://www.adobe.com/support/security/advisories/apsa08-01.html

Advisory:Vulnerability Note VU#666281 Adobe JavaScript methods buffer overflow vulnerabil (US-CERT) US-CERT
http://www.kb.cert.org/vuls/id/666281

Advisory:ZDI-08-004 Adobe Acrobat Javascript for PDF Integer Overflow Vulnerability (ZDI) ZDI
http://www.zerodayinitiative.com/advisories/ZDI-08-004.html

Message
Adobe Reader/Acrobat Remote PDF Print Silently Vulnerability (cocoruder cocoruder@gmail.com)
http://www.securityfocus.com/archive/1/3d7a6e870802071804r62a067afxc67d51c5f7c8aa5a@mail.gmail.com

Message
iDefense Security Advisory 02.08.08: Adobe Reader and Acrobat JavaScript Insecur (iDefense Labs labs-no-reply@idefense.com)
http://www.securityfocus.com/archive/1/47AD2018.8070909@idefense.com

Message
iDefense Security Advisory 02.08.08: Adobe Reader and Acrobat Multiple Stack-bas (iDefense Labs labs-no-reply@idefense.com)
http://www.securityfocus.com/archive/1/47AD6C11.9000009@idefense.com

Message
iDefense Security Advisory 02.08.08: Adobe Reader Security Provider Unsafe Libar (iDefense Labs labs-no-reply@idefense.com)
http://www.securityfocus.com/archive/1/47AD2022.7020105@idefense.com

Web Page:Adobe Reader 8 Homepage (Adobe) Adobe
http://www.adobe.com/products/reader/

Web Page:Adobe Reader 8.1.2 Release Notes (Adobe) Adobe
http://www.adobe.com/go/kb403079

Web Page:Adobe Reader Download Page (Adobe) Adobe
http://www.adobe.com/products/acrobat/readstep2.html

Web Page:Technical Cyber Security Alert TA08-043A (US-CERT) US-CERT
http://www.us-cert.gov/cas/techalerts/TA08-043A.html#revisions

Change Log
----------
2008.02.12: Urgency raised due to active exploitation; references updated; US-CERT alert TA08-043A added.
2008.02.11: Zero-Day Initiative advisory ZDI-08-004 available; technical details updated.
2008.02.11: US-CERT Vulnerability Note VU#666281 is available.
2008.02.09: Multiple iDefense advisories available; technical details updated.
2008.02.08: Details regarding one of the issues added; related Bugtraq message reference available.
2008.02.07: Vendor security advisory APSA08-01 is available.
2008.02.07: An exploit is available through the Immunity Partners Program; urgency raised.
2008.02.06: A proof of concept is available through the Immunity Partners Program; urgency raised accordingly.
2008.02.06: Initial analysis.

URL
---
https://alerts.symantec.com/loaddocument.aspx?GUID=259a0f8f-1b02-4dca-9a4d-262ed783be11


Symantec Deepsight Alert Services
02/12/08 @ 12:49
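The alert's technical description and the first comment together give a responder enough to write a first-pass triage for suspect PDFs: the payload arrives as document JavaScript, the overflows sit in methods that accept over-long strings, printSepsWithParams is the method named in ZDI-08-004, and at the time no AV engine flagged the files. The scanner below is an added example written for this page, not code from Symantec, iDefense, ZDI or Brett. It pulls every /JS entry out of a file (inline literal or hex strings, and FlateDecode-compressed stream objects), then flags an auto-run action, a call to printSepsWithParams, a string literal over 1024 characters and the unescape("%u...") spray idiom. The 1024-character threshold, the %u repeat count, the helper names and the embedded sample PDF are constructed for the example; the sample's script is a placeholder in the shape described, not a working exploit, and the sample omits the xref table, so it is scanner input rather than a document to open.

```python
"""Static triage of a PDF for embedded JavaScript (constructed example, not an AV engine)."""
import re
import zlib

# printSepsWithParams is the one method the references name; the length threshold
# and the %u repeat count are assumptions of this example, not vendor signatures.
SUSPICIOUS_METHODS = ("printSepsWithParams",)
LONG_STRING_THRESHOLD = 1024
HEAP_SPRAY_RE = re.compile(r'unescape\s*\(\s*["\'](?:%u[0-9a-fA-F]{4}){8,}')
JS_LITERAL_RE = re.compile(rb'/JS\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)', re.S)
JS_INDIRECT_RE = re.compile(rb'/JS\s+(\d+)\s+\d+\s+R')
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)

def _decode_literal(s: bytes) -> bytes:
    """Resolve PDF literal-string escapes (\\n \\r \\t \\b \\f \\( \\) \\\\ and \\ooo octal)."""
    simple = {ord('n'): 10, ord('r'): 13, ord('t'): 9, ord('b'): 8, ord('f'): 12,
              ord('('): 0x28, ord(')'): 0x29, ord('\\'): 0x5C}
    out, i = bytearray(), 0
    while i < len(s):
        c = s[i]
        if c != 0x5C or i + 1 >= len(s):       # ordinary byte, or a trailing lone backslash
            out.append(c)
            i += 1
            continue
        n = s[i + 1]
        i += 2
        if n in simple:
            out.append(simple[n])
        elif 0x30 <= n <= 0x37:                 # up to three octal digits
            digits = bytes([n])
            while i < len(s) and len(digits) < 3 and 0x30 <= s[i] <= 0x37:
                digits += bytes([s[i]])
                i += 1
            out.append(int(digits, 8) & 0xFF)
        # a backslash before any other byte (e.g. a line break) is a continuation: dropped
    return bytes(out)

def extract_javascript(pdf: bytes) -> list:
    """Collect every /JS payload: inline literal or hex strings, plus indirect stream
    objects (inflated when FlateDecode-filtered). Nested unescaped parentheses inside
    a literal are not handled by this simplified parser."""
    scripts = []
    for m in JS_LITERAL_RE.finditer(pdf):
        tok = m.group(1)
        if tok.startswith(b'('):
            scripts.append(_decode_literal(tok[1:-1]))
        else:
            scripts.append(bytes.fromhex(re.sub(rb'\s', b'', tok[1:-1]).decode()))
    for m in JS_INDIRECT_RE.finditer(pdf):
        obj = re.search(rb'^' + m.group(1) + rb'\s+\d+\s+obj(.*?)endobj', pdf, re.S | re.M)
        stream = obj and STREAM_RE.search(obj.group(1))
        if not stream:
            continue
        data = stream.group(1)
        if b'/FlateDecode' in obj.group(1):
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass        # keep raw bytes; a stream that will not inflate is itself worth a look
        scripts.append(data)
    return scripts

def analyze_pdf(pdf: bytes) -> dict:
    """'suspicious' = auto-run action plus at least one indicator; 'review' = script
    present but nothing conclusive; 'clean' = no JavaScript at all."""
    metadata = STREAM_RE.sub(b'', pdf)          # look for action keys outside stream bodies
    auto_run = re.search(rb'/(OpenAction|AA)\b', metadata) is not None
    scripts = extract_javascript(pdf)
    indicators = []
    for js in scripts:
        text = js.decode('latin-1')
        indicators += [f'call to {name}' for name in SUSPICIOUS_METHODS if name in text]
        for lit in re.findall(r'"((?:[^"\\]|\\.)*)"', text):
            if len(lit) >= LONG_STRING_THRESHOLD:
                indicators.append(f'string literal of {len(lit)} chars')
        if HEAP_SPRAY_RE.search(text):
            indicators.append('unescape() %u heap-spray pattern')
    verdict = 'suspicious' if indicators and auto_run else 'review' if indicators or scripts else 'clean'
    return {'auto_run': auto_run, 'scripts': len(scripts), 'indicators': indicators, 'verdict': verdict}

def build_sample_pdf(js: bytes, auto_run: bool = True) -> bytes:
    """Constructed minimal PDF carrying `js` in a FlateDecode /JS stream. No xref
    table is written: this is scanner input, not a document to open in a viewer."""
    body = zlib.compress(js)
    catalog = b'<< /Type /Catalog /Pages 2 0 R' + (b' /OpenAction 3 0 R' if auto_run else b'') + b' >>'
    objects = [catalog,
               b'<< /Type /Pages /Kids [] /Count 0 >>',
               b'<< /S /JavaScript /JS 4 0 R >>',
               b'<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(body) + body + b'\nendstream']
    pdf = b'%PDF-1.4\n'
    for num, obj in enumerate(objects, 1):
        pdf += b'%d 0 obj\n' % num + obj + b'\nendobj\n'
    return pdf + b'trailer\n<< /Root 1 0 R >>\n%EOF\n'

# Constructed script in the shape the alert describes; the call is a placeholder, not a working exploit.
CONSTRUCTED_JS = (b'var sled = unescape("' + b'%u9090' * 32 + b'");\n'
                  b'var big = "' + b'A' * 4096 + b'";\n'
                  b'this.printSepsWithParams(big);\n')
```

Run it over a quarantine folder with analyze_pdf(open(path, 'rb').read()): anything 'suspicious' goes to a sandbox, 'review' gets a human look. The string heuristics run on the decoded script, so a sample that builds its buffer in a loop rather than in a literal will only trip the method-name or auto-run checks; treat the verdict as a triage hint, not a detection signature.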
Comment from: Naclo [Visitor]
Humph, you've changed my mind! Your arguments are convincing indeed. Despite I'm not a person who is easy to be convinced.
04/06/08 @ 16:07
