Sun has re-released an alert notification with patches to address the util.printf() function buffer overflow vulnerability in Adobe Reader.
Description
Adobe Reader and Adobe Acrobat Professional, 3D, and Standard contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.
The vulnerability is due to insufficient boundary checking when the affected applications process format strings. An attacker could exploit the vulnerability to cause a buffer overflow condition by convincing a user to open a malicious PDF document. An exploit could allow the attacker to execute arbitrary code with the privileges of the user.
Malicious code is exploiting this vulnerability.
Adobe has confirmed this vulnerability and released updated versions.
Warning Indicators
The following Adobe products are vulnerable:
Adobe Acrobat Professional versions 8.1.2 and prior
Adobe Acrobat 3D versions 8.1.2 and prior
Adobe Acrobat Standard versions 8.1.2 and prior
Adobe Reader versions 8.1.2 and prior
IntelliShield Analysis
Malicious code, in the form of a trojan named Trojan.Pidief.D, is exploiting this vulnerability. This trojan is described in IntelliShield Alert 14388.
To exploit the vulnerability, an attacker must convince a user to open a malicious PDF document. An attacker could employ social engineering techniques by providing a malicious file in an e-mail message or other form of messaging. Users may be more easily convinced to open a PDF file because it is a common document type that is frequently used in normal business operations. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. Failed exploits could allow the attacker to cause the application to crash, resulting in a DoS condition.
Systems that grant users Administrator privileges may allow an attacker to execute arbitrary code with elevated privileges, an action that could result in a full system compromise.
Systems that limit user privileges, such as Mac OS X and Linux systems, or Windows Vista systems that use User Account Control to run applications with reduced privileges, may be less at risk from an exploit because any code execution would run with only limited privileges.
Vendor Announcements
Adobe has released a security bulletin at the following link: APSB08-19
Gentoo has released a security advisory at the following link: GLSA 200901-09
Novell has released a security summary report at the following link: SUSE-SR:2008:026
Red Hat has released a security advisory at the following link: RHSA-2008:0974
Sun has re-released an alert notification at the following link: 249366
Turbolinux has released a security advisory at the following link: TLSA-2008-40
US-CERT has released a vulnerability note at the following link: VU#593409
Impact
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed will determine the degree to which the system is compromised. Common user configurations of Linux, UNIX, Mac OS X, and Microsoft Windows Vista systems should limit the impact of successful code execution because typical configurations limit the privileges granted to normal user and administrative accounts.
Technical Information
This vulnerability is due to insufficient boundary checking when the affected applications process format strings that contain a floating-point conversion specifier passed to the util.printf() JavaScript function from maliciously crafted PDF files.
An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to open a malicious PDF document. The malicious PDF file passes a properly formed but overly long format string (for example, a floating-point specifier with a very large field width) to the util.printf() function; because the application writes the formatted result into a fixed-length buffer, the output overwrites adjacent memory. This action results in a stack-based buffer overflow. An attacker who controls the overwritten data could gain control of the execution flow and execute arbitrary code with the privileges of the user who launched the affected application. Failed exploit attempts could terminate the application, resulting in a DoS condition.
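The overflow described above leaves a recognisable artifact in the document itself: a util.printf() call whose format string carries a field width far beyond anything a legitimate form would use. The following scanner is an added example written for this page, not code from Adobe, Cisco or any of the advisories listed below. It walks the PDF's stream objects, inflates FlateDecode streams, locates util.printf() calls and classifies their first argument: a literal format string is checked for oversized width or precision, and a non-literal (concatenated or variable) argument is reported for manual review because the in-the-wild samples obfuscated the format string. The 1024 threshold, the 400-byte dictionary look-back, the regular expressions and the three embedded JavaScript samples (including the minimal PDF they are wrapped in) are this example's own constructions and are not values taken from the bulletin.

```python
"""Flag util.printf() calls with implausibly large format widths inside a PDF.

Added example for the CVE described in this alert; not code from the advisory.
Only literal format strings are measured; anything else is reported for review.
"""
import re
import zlib

# Detection threshold chosen for this example (assumption, not an Adobe value):
# no legitimate form field needs a field width or precision above this.
MAX_SANE_WIDTH = 1024

# "stream" keyword that is not the tail of "endstream".
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")
# Direct /Length N only; skip indirect references such as "/Length 5 0 R".
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d|\s+\d+\s+R)")
# First argument of util.printf(...) up to the first comma or closing paren.
PRINTF_RE = re.compile(rb"util\.printf\s*\((.*?)[,)]", re.DOTALL)
# A single quoted string literal, allowing backslash escapes.
ARG_RE = re.compile(rb"^\s*([\"'])((?:\\.|(?!\1).)*)\1\s*$", re.DOTALL)
# printf-style conversion: %[flags][width][.precision]conv
SPEC_RE = re.compile(rb"%[-+ 0#]*(\d*)(?:\.(\d*))?([a-zA-Z%])")


def extract_streams(pdf):
    """Yield each stream body, inflated when its dictionary names /FlateDecode."""
    for m in STREAM_START_RE.finditer(pdf):
        start = m.end()
        head = pdf[max(0, m.start() - 400):m.start()]   # the owning dictionary
        lengths = LENGTH_RE.findall(head)
        if lengths:
            data = pdf[start:start + int(lengths[-1])]
        else:  # no direct /Length: fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            data = pdf[start:end if end != -1 else len(pdf)]
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # corrupt or multi-filter stream: inspect the raw bytes
        yield data


def find_suspicious_printf(pdf, max_width=MAX_SANE_WIDTH):
    """Return sorted findings: ('oversized', width, conv) or ('non-literal', expr)."""
    findings = set()
    # The raw file is scanned too so uncompressed /JS (...) strings are not missed.
    for blob in [pdf, *extract_streams(pdf)]:
        for call in PRINTF_RE.finditer(blob):
            lit = ARG_RE.match(call.group(1))
            if lit is None:
                findings.add(("non-literal", call.group(1).strip()))
                continue
            for spec in SPEC_RE.finditer(lit.group(2)):
                width = int(spec.group(1) or 0)
                prec = int(spec.group(2) or 0)
                if max(width, prec) > max_width:
                    findings.add(("oversized", max(width, prec), spec.group(3)))
    return sorted(findings)


def build_sample_pdf(js, compress=True):
    """Construct a minimal synthetic PDF whose OpenAction runs `js` (test data, not a sample)."""
    body = zlib.compress(js) if compress else js
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode() + filt + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")


# Constructed JavaScript payloads for the three cases the scanner distinguishes.
MALICIOUS_JS = b'var num = 1.1; util.printf("%45000f", num);'          # oversized width
BENIGN_JS = b'app.alert(util.printf("Total: %.2f", 3.14159));'         # ordinary use
OBFUSCATED_JS = b'var w = "45000"; util.printf("%" + w + "f", 1.1);'   # needs review

if __name__ == "__main__":
    for name, js in [("malicious", MALICIOUS_JS), ("benign", BENIGN_JS),
                     ("obfuscated", OBFUSCATED_JS)]:
        print(name, find_suspicious_printf(build_sample_pdf(js)))
```

The scanner is deliberately conservative: it measures only literal format strings, so a sample that assembles the specifier at run time (the third case) is surfaced as "non-literal" rather than silently passed, and a reviewer or a JavaScript emulator has to finish the job. It also does not follow indirect /Length references, object streams or filter chains other than a single FlateDecode, so a negative result on a real document is not proof of absence.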
Safeguards
Administrators are advised to apply the appropriate updates.
Administrators may consider instructing users to be cautious of unsolicited PDF files that arrive via e-mail.
Users are advised not to open files from untrusted sources. Users are advised to verify unexpected files from trusted sources before opening them.
Users are advised to run applications with the lowest necessary privileges.
Patches/Software
Adobe has released updated versions at the following links:
Version 10, January 14, 2009, 10:23 AM: Gentoo has released a security advisory and updated packages to address the util.printf() function buffer overflow vulnerability in Adobe Reader.
Version 9, January 12, 2009, 6:18 PM: Sun has released an alert notification to address the util.printf() function buffer overflow vulnerability in Adobe Reader.
Version 8, November 26, 2008, 8:16 AM: Novell has released a security summary report and updated packages to address the util.printf() function buffer overflow vulnerability in Adobe Reader.
Version 7, November 12, 2008, 5:20 PM: Red Hat has released a security advisory and updated software to address the util.printf() function buffer overflow vulnerability in Adobe Reader. Additional details that describe malicious code that is associated with this vulnerability are also available.
Version 6, November 10, 2008, 5:40 PM: Turbolinux has released a security advisory and updated packages to address the util.printf() function buffer overflow vulnerability in Adobe Reader.
Version 5, November 7, 2008, 5:17 PM: Malicious code is actively exploiting the util.printf() function buffer overflow vulnerability in Adobe Reader in the wild.
Version 4, November 6, 2008, 1:58 PM: Functional exploit code is available for the util.printf() function buffer overflow vulnerability in Adobe Reader.
Version 3, November 5, 2008, 2:09 PM: Proof-of-concept code and additional technical details have been released for the util.printf() function buffer overflow vulnerability.
Version 2, November 5, 2008, 8:35 AM: Adobe has released a security bulletin and updated versions to address the util.printf() function buffer overflow vulnerability. US-CERT has also released a vulnerability note.
Version 1, November 4, 2008, 3:15 PM: Adobe Acrobat and Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Updates are not available.
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.