Vulnerability Alert

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability

 
Threat Type: CWE-119: Buffer Errors
IntelliShield ID: 17665
Version: 12
First Published: 2009 February 20 14:48 GMT
Last Published: 2009 June 30 19:01 GMT
Port: Not available
CVE: CVE-2009-0658
BugTraq ID: 33751
Urgency: Possible use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 9.3 (CVSS Version 2.0)
CVSS Temporal: 7.7
 
Version Summary:

Sun has re-released an alert notification along with patches to address the .pdf file buffer overflow vulnerability in Adobe Reader.

 
 
Description

Adobe Reader and Adobe Acrobat Professional, Professional Extended, Standard, and 3D contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service (DoS) condition or execute arbitrary code with the privileges of the user.

The vulnerability is due to an input validation error when these products handle malicious .pdf files. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to open a malicious PDF document using a vulnerable application. An exploit could allow the attacker to create a DoS condition or execute arbitrary code with the privileges of the user.

Exploit code is available and active in the wild.

Adobe has confirmed the vulnerability and released updated software.

 
Warning Indicators

The following Adobe products are vulnerable:

  • Reader versions 9 and prior
  • Reader versions 8.1.3 and prior
  • Reader versions 7.0.9 and prior
  • Reader for Macintosh versions 9 and prior
  • Reader for Macintosh versions 8.1.3 and prior
  • Reader for Macintosh versions 7.0.9 and prior
  • Reader for Unix versions 9 and prior
  • Reader for Unix versions 8.1.3 and prior
  • Acrobat for Macintosh versions 9 and prior
  • Acrobat for Macintosh versions 8.1.3 and prior
  • Acrobat for Macintosh versions 7.0.9 and prior
  • Acrobat Standard versions 9 and prior
  • Acrobat Professional versions 9 and prior
  • Acrobat Professional Extended versions 9 and prior
  • Acrobat 3D versions 8.1.3 and prior
  • Acrobat 3D versions 7.0.9 and prior
 
IntelliShield Analysis

To exploit the vulnerability, an attacker must convince a user to open a maliciously crafted PDF document. An attacker could employ social engineering by providing a malicious file in an e-mail message or another form of messaging that may make users more likely to visit an attacker-controlled website. Users may be more easily convinced to open a .pdf file because it is a common document type that is frequently used in normal business operations.

As a result of an exploit, the attacker could execute arbitrary code with the privileges of the user. On systems where the user is granted privileges equivalent to the Administrator account, the attacker could execute arbitrary code with elevated privileges. This could allow the attacker to take complete control over the system.

The actual vulnerability is in a non-JavaScript function; however, to achieve code execution, additional JavaScript code is needed. Disabling JavaScript code will not prevent a crash of the application, but it will prevent code execution from occurring.

The vulnerability is being actively exploited in the wild by the Trojan.Pidief.E trojan. Additional information about the trojan is available in IntelliShield Alert 14388. Reports indicate that networks of infected systems known as botnets are automatically distributing infected .pdf files. Although these attacks are reportedly limited in nature, this development may indicate that they could become more widespread.

 
Vendor Announcements

Adobe has released a security advisory and security bulletins at the following links: APSA09-01, APSB09-03, and APSB09-04

Novell has released a security announcement at the following link: SUSE-SA:2009:014

Red Hat has released a security advisory at the following link: RHSA-2009:0376

Sun has re-released an alert notification at the following link: 256788

Turbolinux has released a security advisory at the following link: TLSA-2009-10

US-CERT has released a vulnerability note at the following link: VU#905281

 
Impact

An unauthenticated, remote attacker could exploit the vulnerability to create a DoS condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed will determine the degree to which the system is compromised. Common user configurations of Mac OS X and Microsoft Windows Vista systems should limit the impact of successful code execution because typical configurations limit the privileges that are granted to normal user and administrative accounts.

 
Technical Information

The vulnerability is due to an input validation error when these products process malicious PDF documents that contain JavaScript code as well as a vulnerable non-JavaScript function call. The error occurs when parsing input in the form of JBIG2 streams. An unauthenticated, remote attacker could exploit the vulnerability by crafting a malicious PDF document that contains the vulnerable non-JavaScript function call as well as some JavaScript. An attacker must convince a user to open the document in the vulnerable application. The document is likely to be delivered by e-mail or hosted on an attacker-controlled website. A successful exploit could allow the attacker to corrupt system memory to execute arbitrary code with the privileges of the user who invoked the application. Failed attempts may result in a DoS condition.
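The JBIG2-stream-plus-JavaScript pairing described above is what a defender looks for when triaging PDFs held by a mail gateway. The following Python script is an added example, not Cisco's signature logic or Adobe's code: it normalises #xx-escaped PDF names, inflates FlateDecode streams, and flags a file that carries both a /JBIG2Decode filter and JavaScript. The sample PDFs are constructed inline, and the check is a heuristic that cannot see into encrypted or otherwise encoded streams.

```python
import re
import zlib

# Constructed sample PDFs (not real malware). The second pairs a JBIG2Decode image
# stream with JavaScript; its filter name is #-escaped, as evasive samples often are.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
%%EOF"""
SUSPECT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj
3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Filter /J#42IG2Decode /Length 3 >>
stream
abc
endstream
endobj
%%EOF"""
# Same indicators, but hidden inside a FlateDecode'd stream (constructed).
FLATE_PDF = (b"5 0 obj << /Filter /FlateDecode >>\nstream\n"
             + zlib.compress(b"<< /S /JavaScript /JS (x) /Filter /JBIG2Decode >>")
             + b"\nendstream\nendobj")

_NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def decode_name(raw: bytes) -> str:
    """Undo PDF #xx name escapes so /J#42IG2Decode compares equal to /JBIG2Decode."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")

def pdf_names(data: bytes) -> set:
    """Every name token in the file, including those inside inflatable streams."""
    names = {decode_name(m.group(1)) for m in _NAME_RE.finditer(data)}
    for m in _STREAM_RE.finditer(data):
        try:  # decompressobj tolerates the trailing newline before 'endstream'
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not a zlib stream (raw image data, other filters, etc.)
        names |= {decode_name(n.group(1)) for n in _NAME_RE.finditer(inflated)}
    return names

def triage(data: bytes) -> dict:
    """Flag a PDF that carries both a JBIG2Decode filter and JavaScript."""
    names = pdf_names(data)
    jbig2 = "JBIG2Decode" in names
    js = bool(names & {"JavaScript", "JS"})
    return {"jbig2": jbig2, "javascript": js, "suspect": jbig2 and js}
```

A hit only means the two ingredients co-occur; the file still needs a closer look, and a PDF that embeds its objects in an object stream or encrypts them will slip past this raw scan.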

 
Safeguards

Administrators are advised to apply the appropriate updates.

Administrators may consider employing host-based intrusion prevention systems.

Administrators should instruct users to be cautious of unsolicited .pdf files that arrive via e-mail.

Administrators may consider disabling JavaScript until an update can be applied.

Users are advised to execute programs with the least necessary privileges.

Users are advised not to open files from untrusted sources. Users are advised to verify unexpected files from trusted sources before opening them.

Cisco Security Research and Operations has tested Cisco Security Agent to verify that it prevents the malicious actions initiated by active exploitation of the vulnerability. As a result, system compromise is mitigated. Based on the characteristics of the vulnerability, Cisco expects that Cisco Security Agent will prevent similar attempts at exploiting the vulnerability.

Administrators may consider disabling Adobe Acrobat Windows Shell integration and the Adobe Acrobat Indexing Service filter, which involves unregistering the associated DLLs. However, administrators should note that the Windows Installer MSI resiliency feature may repair these features when a user clicks an advertised shortcut for Adobe Reader via the Start menu. To avoid this scenario, users are advised to delete the Adobe Reader icon from the Windows Start Menu and re-create a normal, non-advertised shortcut.

 
Patches/Software

Adobe has released updated software at the following links:

Novell has released updated packages; users can install the updates using YaST.

Red Hat packages can be updated using the up2date or yum command.

Sun has released patches at the following links:

SPARC: Solaris 10 with patch 121104-07 or later

Turbolinux packages can be updated using the turbopkg command.


Signatures

Cisco Intrusion Prevention System (IPS) 6.0

Signature ID | Signature Name                  | Release | Latest Release Date
15613/0      | Malicious Adobe Reader PDF File | S383    | 2009 Feb 21
15613/1      | Malicious Adobe Reader PDF File | S383    | 2009 Feb 21
22679/0      | Malicious Adobe Reader PDF File | S469    | 2010 Feb 12
22679/1      | Malicious Adobe Reader PDF File | S469    | 2010 Feb 12
 
Alert History
 

Version 11, April 24, 2009, 8:49 AM: Sun has released an alert notification and interim updates to address the .pdf file buffer overflow vulnerability in Adobe Reader.

Version 10, April 2, 2009, 10:20 AM: Turbolinux has released a security advisory and updated packages to address the .pdf file buffer overflow vulnerability in Adobe Reader.

Version 9, March 30, 2009, 8:33 AM: Novell and Red Hat have released security advisories and updated software to address the .pdf file buffer overflow vulnerability in Adobe Reader.

Version 8, March 27, 2009, 7:42 AM: Adobe has re-released a security bulletin and updated software to address the .pdf file buffer overflow vulnerability in Adobe Reader for Unix.

Version 7, March 19, 2009, 9:36 AM: Adobe has released a security bulletin and updated software to address the .pdf file buffer overflow vulnerability in Adobe Acrobat products.

Version 6, March 18, 2009, 4:00 PM: Additional information is available to describe attacks that are leveraging the .pdf file buffer overflow vulnerability in Adobe Acrobat products.

Version 5, March 16, 2009, 2:56 PM: Additional information is available regarding the effectiveness of a recommended workaround for the Adobe Acrobat Products PDF file buffer overflow vulnerability.

Version 4, March 11, 2009, 2:40 PM: Adobe has released a security bulletin and updated software to address the .pdf file buffer overflow vulnerability.

Version 3, February 25, 2009, 1:36 PM: Additional workaround information is available for the .pdf file buffer overflow vulnerability in Adobe Acrobat products.

Version 2, February 24, 2009, 4:25 PM: Additional technical details are available for the .pdf file buffer overflow vulnerability in Adobe Acrobat products. US-CERT has released a vulnerability note.

Version 1, February 24, 2009, 3:40 PM: Adobe Acrobat and Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. Updated software is not available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Adobe Acrobat 3D 7.0 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9
Adobe Acrobat for Macintosh 7.0.0 Base | 7.0.1 Base | 7.0.2 Base | 7.0.3 Base | 7.0.5 Base | 7.0.7 Base | 7.0.8 Base | 7.0.9 Base | 8.1 .0, .1, .2, .3 | 9.0 .0
Adobe Acrobat Professional 7.0 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9 | 8.0 .0 | 8.1 .0, .1, .2 | 9.0 .0
Adobe Acrobat Professional Extended 9.0 .0
Adobe Acrobat Reader 7.0 Base | 7.0.1 Base | 7.0.2 Base | 7.0.3 Base | 7.0.4 Base | 7.0.5 Base | 7.0.6 Base | 7.0.7 Base | 7.0.8 Base | 7.0.9 Base | 8.0 Base | 8.1 Base | 8.1.1 Base | 8.1.2 .0, .1 | 9.0 .0
Adobe Acrobat Reader for Macintosh 7.0.0 Base | 7.0.1 Base | 7.0.2 Base | 7.0.3 Base | 7.0.7 Base | 7.0.8 Base | 7.0.9 Base | 8.1.1 Base | 8.1.2 Base | 8.1.3 Base | 9.0 .0
Adobe Acrobat Reader for Unix 8.1 Base | 8.1.1 Base | 8.1.2 Base | 8.1.3 Base | 9.0 .0
Adobe Acrobat Standard 7.0 Base | 7.0.1 Base | 7.0.2 Base | 7.0.3 Base | 7.0.4 Base | 7.0.5 Base | 7.0.6 Base | 7.0.7 Base | 7.0.8 Base | 7.0.9 Base | 8.1 Base | 8.1.1 Base | 8.1.2 Base | 9.0 .0

Associated Products:
Novell, Inc. Novell Linux Desktop 9 x86, x86_64
Novell, Inc. SuSE Linux Enterprise Desktop (SLED) 10 SP2 amd64, SP2 x86, SP2 em64t
Red Hat, Inc. Red Hat Enterprise Linux Desktop Supplementary 5.0 IA-32, x86-64
Red Hat, Inc. Red Hat Enterprise Linux Extras 3 IA-32, x86_64 | 4 IA-32, x86_64
Red Hat, Inc. RHEL Supplementary 5 IA-32, x86_64
Sun Microsystems, Inc. Solaris 10 sparc, x64/x86
SUSE SUSE Linux Enterprise Desktop (SLED) 10 SP2 amd64, SP2 x86, SP2 EM64T | 11 AMD64, IntelEM64T, x86
Turbolinux, Inc. Turbolinux Client 2008 i586




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.