Vulnerability Alert

Adobe Acrobat and Reader Multiple JavaScript Methods Buffer Overflow Vulnerability

 
Threat Type: CWE-119: Buffer Errors
IntelliShield ID: 15118
Version: 9
First Published: 2008 February 11 16:46 GMT
Last Published: 2008 August 05 12:34 GMT
Port: Not available
CVE: CVE-2007-5659
BugTraq ID: 27641
Urgency: Possible use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 9.3
CVSS Version: 2.0
CVSS Temporal: 8.1
 
Version Summary:

Sun has re-released an alert notification with a patch to address the Adobe Acrobat and Reader multiple JavaScript methods buffer overflow vulnerability.

 
 
Description

Adobe Acrobat and Reader contain a vulnerability that could allow an unauthenticated, remote attacker to cause the application to crash, resulting in a DoS condition or allowing the attacker to execute arbitrary code with the privileges of the user.

Adobe's Acrobat product line contains a scripting engine that allows the addition of interactive content in Adobe Acrobat files. The vulnerability exists in this feature when it handles crafted PDF documents that contain malicious scripting content.

An attacker who can convince a user to open a malicious PDF document could trigger the error and corrupt system memory in an exploitable manner. The attacker could then use this corruption to cause a crash of the application or execute arbitrary code with the privileges of the user who opened the malicious document.

Malicious software that exploits this vulnerability is publicly available.

Adobe confirmed the vulnerability in a security bulletin and released updated software.

 
Warning Indicators

The following Adobe products are vulnerable:

  • Adobe Reader 8.1.1 and prior
  • Adobe Acrobat Standard 8.1.1 and prior
  • Adobe Acrobat Professional 8.1.1 and prior
  • Adobe Acrobat 3D versions 8.1.1 and prior
  • Adobe Acrobat 7.0.9 and prior
 
IntelliShield Analysis

To exploit the vulnerability, an attacker must convince a user to open a crafted PDF document. Attackers will likely employ social engineering tactics to convince users to open malicious documents by providing them via e-mail. Attacks are also likely to be propagated via links to a malicious website, by instant messaging, or by another form of communication.

A successful exploit may result in a crash of the application or the execution of arbitrary code. Systems that limit user privileges may be less at risk. Systems that grant users administrative privileges may allow attackers to execute arbitrary code with elevated privileges, which may result in a full system compromise.

This vulnerability is currently being exploited in the wild. The vulnerability has been identified as being used by Trojan.Pidief.C, which is documented in IntelliShield Alert 14388.

 
Vendor Announcements

Adobe has released security bulletins at the following links: APSA08-01 and APSB08-13

Avaya has released a security advisory at the following link: ASA-2008-281

Gentoo has released a security advisory at the following link: GLSA 200803-01

Nortel has released security advisories at the following links: 2008008642 and 2008008888

Red Hat has released a security advisory at the following link: RHSA-2008-0144

Sun has re-released an alert notification at the following link: 239286

SUSE has released a security announcement at the following link: SUSE-SA:2008:009

US-CERT has released a vulnerability note at the following link: VU#666281

 
Impact

An unauthenticated, remote attacker could exploit the vulnerability to cause a DoS condition or execute arbitrary code with the privileges of the user who invokes the application. The level of user privileges and the code that is executed will determine the degree to which the system is compromised. Common user configurations of Linux, UNIX, Mac OS X, and Microsoft Windows Vista systems should limit the impact of successful code execution because typical configurations limit the privileges granted to normal user and administrative accounts.

 
Technical Information

The vulnerability is due to insufficient bounds checking within multiple JavaScript methods provided by the Acrobat scripting engine. When a PDF file is processed that contains overly long input passed to an affected method, the application may write data past the end of a fixed-length stack-based buffer, resulting in memory corruption.
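The alert names the bug class but shows no code. As an added illustration that is not Adobe's code, the hypothetical C handler below places the unchecked copy of a script-supplied argument into a fixed-length stack buffer beside a bounds-checked form that refuses oversized input; the buffer size, the function names and the constructed 'A'-filled argument are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical handler for a script-supplied string argument, modelled on
 * the bug class the alert describes: a fixed-length stack buffer written
 * without a length check. Not Adobe's code; names and sizes are assumed. */
#define ARG_BUF_LEN 64

/* VULNERABLE pattern: no bounds check, so an argument of ARG_BUF_LEN bytes
 * or more writes past the end of buf (undefined behaviour on long input). */
int handle_arg_unchecked(const char *script_arg)
{
    char buf[ARG_BUF_LEN];
    strcpy(buf, script_arg);
    return (int)strlen(buf);
}

/* HARDENED form: length checked against the destination before any copy,
 * leaving room for the NUL; oversized input is refused, not truncated. */
int handle_arg_checked(const char *script_arg, char *dst, size_t dst_len)
{
    size_t n = strlen(script_arg);
    if (n >= dst_len)
        return -1;
    memcpy(dst, script_arg, n + 1);
    return (int)n;
}

/* Same stack buffer as the vulnerable version, routed through the check. */
int process_script_arg(const char *script_arg)
{
    char buf[ARG_BUF_LEN];
    return handle_arg_checked(script_arg, buf, sizeof buf);
}

/* Feeds a constructed argument of `len` 'A' bytes to the hardened handler
 * and returns its result: the length if it fits, -1 if refused. */
int run_with_constructed_arg(size_t len)
{
    char *arg = malloc(len + 1);
    if (arg == NULL)
        return -2;
    memset(arg, 'A', len);
    arg[len] = '\0';
    int rc = process_script_arg(arg);
    free(arg);
    return rc;
}
```

Compiled with stack protection (for example `-fstack-protector`), the unchecked version aborts rather than silently corrupting the frame, which is the crash-versus-code-execution distinction the alert draws.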

An attacker could exploit the vulnerability by crafting a malicious PDF document and convincing a user to open it. If successful, the attacker could trigger the buffer overflow condition, causing system memory to be corrupted in an exploitable manner. The attacker could leverage the corruption to execute arbitrary code with the privileges of the user. Any failed exploits may crash the application, resulting in a DoS condition.

 
Safeguards

Administrators are advised to apply the appropriate updates.

Administrators may consider instructing users to be cautious of unsolicited PDF files that arrive via e-mail.

Users are advised not to open files from untrusted sources. Users are advised to verify unexpected files from trusted sources before opening them.

Users are advised to run applications with the lowest necessary privileges.

 
Patches/Software

Adobe has released updates available at the following links:

Adobe Acrobat 8.1.2 or later
Adobe Reader 8.1.2 or later
Adobe Acrobat Professional on Windows 8.1.2 or later
Adobe Acrobat Standard on Windows 8.1.2 or later
Adobe Acrobat Professional on Mac 8.1.2 or later
Adobe Acrobat 3D on Windows 8.1.2 or later
Adobe Reader 7.1.0
Adobe Acrobat on Windows 7.1.0
Adobe Acrobat on Mac 7.1.0

Gentoo updates can be obtained for the following package using the emerge command: app-text/acroread

Red Hat packages can be updated using the up2date command.

Sun has released patches at the following links:

SPARC
Solaris 10 patch 121136-02 and patch 121104-03

SUSE has released updated packages; users can install the updates using YaST.

 
Alert History
 

Version 8, July 8, 2008, 6:22 PM: Avaya has released a security advisory to address the Adobe Acrobat and Reader multiple JavaScript methods buffer overflow vulnerability.

Version 7, June 30, 2008, 8:09 AM: Sun has released an alert notification to address the Adobe Acrobat and Reader multiple JavaScript methods buffer overflow vulnerability.

Version 6, June 13, 2008, 9:09 AM: Nortel has released a security advisory to address the Adobe Acrobat and Reader multiple JavaScript methods buffer overflow vulnerability.

Version 5, May 8, 2008, 4:37 PM: Adobe has released a security bulletin and updated software to address the Adobe Acrobat and Reader multiple JavaScript methods buffer overflow vulnerability.

Version 4, March 3, 2008, 3:15 PM: Gentoo has released a security advisory and updated packages to address the Adobe Acrobat and Reader multiple JavaScript methods buffer overflow vulnerability.

Version 3, February 27, 2008, 9:24 AM: Red Hat has released a security advisory and updated packages to address the Adobe Acrobat and Reader multiple JavaScript methods buffer overflow vulnerability. Nortel has released a security advisory to address the vulnerability.

Version 2, February 19, 2008, 7:49 AM: SUSE has released a security announcement and updated packages to address the Adobe Acrobat and Reader multiple JavaScript methods buffer overflow vulnerability. US-CERT has released a vulnerability note to address the vulnerability.

Version 1, February 11, 2008, 11:46 AM: Adobe Acrobat and Reader contain a buffer overflow vulnerability that may be triggered when handling certain JavaScript methods and that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Updates are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Adobe Acrobat 3D 7.0 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9 | 8.0 Base | 8.1 .0, .1
Adobe Acrobat Professional 7.0 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9 | 8.0 .0 | 8.1 .0, .1
Adobe Acrobat Reader 6.0 Base | 6.0.1 Base | 6.0.2 Base | 6.0.3 Base | 7.0 Base | 7.0.1 Base | 7.0.2 Base | 7.0.3 Base | 7.0.4 Base | 7.0.5 Base | 7.0.6 Base | 7.0.7 Base | 7.0.8 Base | 7.0.9 Base | 8.0 Base | 8.1 Base | 8.1.1 Base
Adobe Acrobat Standard 6.0 Base | 6.0.1 Base | 6.0.2 Base | 6.0.3 Base | 6.0.4 Base | 7.0 Base | 7.0.1 Base | 7.0.2 Base | 7.0.3 Base | 7.0.4 Base | 7.0.5 Base | 7.0.6 Base | 7.0.7 Base | 7.0.8 Base | 7.0.9 Base | 8.1 Base | 8.1.1 Base

Associated Products:
Avaya, Inc. Interactive Response (IR) 2.0 Base | 3.0 Base
Gentoo Technologies, Inc. Gentoo Linux 2004 .0, .1, .2, .3 | 2005 .0 | 2006 .0, .1 | 2007 .0
Nortel Networks Extended Peripheral Module (XPM) SNC00007 Base | SNC00009 Base | SWC00007 Base | SWC00009 Base
Nortel Networks Media Processing Server (MPS) 1.0 Base | 2.1 Base | 3.0 Base | 6.0 Base
Nortel Networks Periphonics Speech Platform 1.0 Base | 1.1 Base | 2.0 Base | 2.1 Base | 3.0 Base | 4.0 Base | 5.1 Base | 5.2 Base | 5.3 Base | 5.4 Base | 6.1 Base | 6.2 Base | 7.0 Base | 8.0 Base | 8.1 Base | 8.5 Base
Nortel Networks Spectrum Peripheral Module (SPM) SN000009 Base
Novell, Inc. SuSE Linux Enterprise Desktop (SLED) 10 SP1 amd64, SP1 x86, SP1 em64t
Red Hat, Inc. Red Hat Enterprise Linux Desktop Supplementary 5.0 IA-32, x86-64
Red Hat, Inc. Red Hat Enterprise Linux Extras 3 IA-32, x86_64 | 4 IA-32, x86_64
Red Hat, Inc. RHEL Supplementary 5 IA-32, x86_64
Sun Microsystems, Inc. Solaris 10 sparc
SUSE SuSE Linux 10.1 x86
SUSE SUSE Linux Enterprise SDK (SLE SDK) 10 SP1 x86, SP1 x86-64, SP1 ia64 (IPF), SP1 iSeries, SP1 pSeries, SP1 zSeries (s390x)
SUSE SuSE Linux Enterprise Server 10 SP1 AMD64, SP1 Intel EM64T, SP1 Itanium (IPF), SP1 IBM Power, SP1 x86, SP1 zSeries 64bit




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.