Security Intelligence Operations
Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
Vulnerability Alert

Threat Type: Unintended Weakness: Buffer Overflow
IntelliShield ID: 17665
Version: 12
First Published: February 20, 2009 09:48 AM EST
Last Published: June 30, 2009 03:01 PM EDT
Vector: Network
Authentication: None
Exploit: Functional
Port: Not Available
CVE: CVE-2009-0658
BugTraq ID: 33751
Urgency: Possible Use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 9.3 (CVSS Version 2)
CVSS Temporal: 7.7

Version Summary: Sun has re-released an alert notification along with patches to address the .pdf file buffer overflow vulnerability in Adobe Reader.

Description

Adobe Reader and Adobe Acrobat Professional, Professional Extended, Standard, and 3D contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service (DoS) condition or execute arbitrary code with the privileges of the user.
The vulnerability is due to an input validation error when these products handle malicious .pdf files. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to open a malicious PDF document using a vulnerable application. An exploit could allow the attacker to create a DoS condition or execute arbitrary code with the privileges of the user.
Exploit code is available and active in the wild.
Adobe has confirmed the vulnerability and released updated software.

Warning Indicators

The following Adobe products are vulnerable:
- Reader versions 9 and prior
- Reader versions 8.1.3 and prior
- Reader versions 7.0.9 and prior
- Reader for Macintosh versions 9 and prior
- Reader for Macintosh versions 8.1.3 and prior
- Reader for Macintosh versions 7.0.9 and prior
- Reader for Unix versions 9 and prior
- Reader for Unix versions 8.1.3 and prior
- Acrobat for Macintosh versions 9 and prior
- Acrobat for Macintosh versions 8.1.3 and prior
- Acrobat for Macintosh versions 7.0.9 and prior
- Acrobat Standard versions 9 and prior
- Acrobat Professional versions 9 and prior
- Acrobat Professional Extended versions 9 and prior
- Acrobat 3D versions 8.1.3 and prior
- Acrobat 3D versions 7.0.9 and prior

IntelliShield Analysis

To exploit the vulnerability, an attacker must convince a user to open a maliciously crafted PDF document. An attacker could use social engineering, for example by attaching the malicious file to an e-mail message or by sending a message through another channel that persuades users to visit an attacker-controlled website hosting the file. Users may be more easily convinced to open a .pdf file because it is a common document type that is frequently used in normal business operations.
As a result of an exploit, the attacker could execute arbitrary code with the privileges of the user. On systems where the user is granted privileges equivalent to the Administrator account, the attacker could execute arbitrary code with elevated privileges. This could allow the attacker to take complete control over the system.
The actual vulnerability is in a non-JavaScript function; however, to achieve code execution, additional JavaScript code is needed. Disabling JavaScript code will not prevent a crash of the application, but it will prevent code execution from occurring.
The vulnerability is being actively exploited in the wild by the Trojan.Pidief.E trojan. Additional information about the trojan is available in IntelliShield Alert 14388. Reports indicate that networks of infected systems known as botnets are automatically distributing infected .pdf files. Although these attacks are reportedly limited in nature, this development may indicate that they could become more widespread.

Vendor Announcements

Adobe has released a security advisory and security bulletins at the following links: APSA09-01, APSB09-03, and APSB09-04.
Novell has released a security announcement at the following link: SUSE-SA:2009:014
Red Hat has released a security advisory at the following link: RHSA-2009:0376
Sun has re-released an alert notification at the following link: 256788
Turbolinux has released a security advisory at the following link: TLSA-2009-10
US-CERT has released a vulnerability note at the following link: VU#905281

Impact

An unauthenticated, remote attacker could exploit the vulnerability to create a DoS condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed will determine the degree to which the system is compromised. Common user configurations of Mac OS X and Microsoft Windows Vista systems should limit the impact of successful code execution because typical configurations limit the privileges that are granted to normal user and administrative accounts.

Technical Information

The vulnerability is due to an input validation error when these products process malicious PDF documents that contain JavaScript code as well as a vulnerable non-JavaScript function call. The error occurs when parsing input in the form of JBIG2 streams. An unauthenticated, remote attacker could exploit the vulnerability by crafting a malicious PDF document that contains the vulnerable non-JavaScript function call as well as some JavaScript. An attacker must convince a user to open the document in the vulnerable application. The document is likely to be delivered by e-mail or hosted on an attacker-controlled website. A successful exploit could allow the attacker to corrupt system memory to execute arbitrary code with the privileges of the user who invoked the application. Failed attempts may result in a DoS condition.
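A defender-side triage heuristic for the combination this section and the IntelliShield Analysis describe: a JBIG2 image stream together with JavaScript in the same document, which is also why disabling JavaScript prevents code execution but not the crash. This is an added example, not Cisco's, Adobe's or any vendor's tooling; the function names, the constructed sample documents and the handling of hex-escaped PDF names are assumptions chosen for illustration, and the code does not parse the JBIG2 data itself.

```python
"""Flag PDFs that carry both a JBIG2Decode stream and JavaScript references.

Added example for triage of incoming .pdf attachments; it looks only at
PDF name tokens and does not decode image data.  Sample inputs below are
constructed object fragments, not complete renderable files.
"""
import re

# PDF name tokens may hex-escape characters (/J#53 is the same name as /JS),
# a common way to hide markers from naive string matching.  Normalise them
# before matching.  Applied to the whole buffer for simplicity; on binary
# stream data this may occasionally create a spurious hit, which for a
# triage heuristic is the safer direction to err.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# A name ends at whitespace or at a PDF delimiter character.
_NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"
_JBIG2 = re.compile(rb"/JBIG2Decode" + _NAME_END)
_JS = re.compile(rb"/(?:JavaScript|JS)" + _NAME_END)


def normalise_names(data: bytes) -> bytes:
    """Replace every #xx escape with the literal byte it encodes."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return indicator counts and a verdict for one PDF's raw bytes."""
    norm = normalise_names(data)
    jbig2 = len(_JBIG2.findall(norm))
    js = len(_JS.findall(norm))
    if jbig2 and js:
        verdict = "suspicious: JBIG2 stream and JavaScript in the same file"
    elif jbig2:
        verdict = "review: JBIG2 stream present (crash risk on unpatched readers)"
    else:
        verdict = "no JBIG2 indicator"
    return {"jbig2_streams": jbig2, "javascript_refs": js, "verdict": verdict}


# Constructed samples (hypothetical object fragments, not real documents).
JBIG2_ONLY_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /XObject /Subtype /Image /Filter /JBIG2Decode "
    b"/Width 8 /Height 8 /Length 0 >> stream\nendstream endobj\n"
)
JBIG2_AND_JS_PDF = JBIG2_ONLY_PDF + (
    b"2 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj\n"
)
# Same markers written with hex-escaped names: /JBIG2#44ecode and /#4AS.
OBFUSCATED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Filter /JBIG2#44ecode /Length 0 >> stream\nendstream endobj\n"
    b"2 0 obj << /S /#4AavaScript /#4AS (app.alert('hello')) >> endobj\n"
)

if __name__ == "__main__":
    for label, doc in [("jbig2 only", JBIG2_ONLY_PDF),
                       ("jbig2 + js", JBIG2_AND_JS_PDF),
                       ("obfuscated", OBFUSCATED_PDF)]:
        print(f"{label:12s} {triage_pdf(doc)}")
```

A file that is only "review" is not evidence of attack on its own: JBIG2 is a legitimate compression filter for scanned documents, and the alert notes that the crash occurs without JavaScript. The "suspicious" verdict is the one worth routing to an analyst or a sandbox, and the hex-escape normalisation is what keeps trivially obfuscated samples from slipping past the check.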

Safeguards

Administrators are advised to apply the appropriate updates.
Administrators may consider employing host-based intrusion prevention systems.
Administrators should instruct users to be cautious of unsolicited .pdf files that arrive via e-mail.
Administrators may consider disabling JavaScript until an update can be applied.
Users are advised to execute programs with the least necessary privileges.
Users are advised not to open files from untrusted sources. Users are advised to verify unexpected files from trusted sources before opening them.
Cisco Security Research and Operations has tested Cisco Security Agent to verify that it prevents the malicious actions initiated by active exploitation of the vulnerability. As a result, system compromise is mitigated. Based on the characteristics of the vulnerability, Cisco expects that Cisco Security Agent will prevent similar attempts at exploiting the vulnerability.
Administrators may consider disabling Adobe Acrobat Windows Shell integration and the Adobe Acrobat Indexing Service filter, which involves unregistering the associated DLLs. However, administrators should note that the Windows Installer MSI resiliency feature may repair these features when a user clicks an advertised shortcut for Adobe Reader via the Start menu. To avoid this scenario, users are advised to delete the Adobe Reader icon from the Windows Start Menu and re-create a normal, non-advertised shortcut.

Patches/Software

Adobe has released updated software at the following links:
Novell has released updated packages; users can install the updates using YaST.
Red Hat packages can be updated using the up2date or yum command.
Sun has released patches at the following links:
SPARC Solaris 10 with patch 121104-07 or later
Turbolinux packages can be updated using the turbopkg command.

Signatures

Alert History

Version 11, April 24, 2009, 8:49 AM: Sun has released an alert notification and interim updates to address the .pdf file buffer overflow vulnerability in Adobe Reader.
Version 10, April 2, 2009, 10:20 AM: Turbolinux has released a security advisory and updated packages to address the .pdf file buffer overflow vulnerability in Adobe Reader.
Version 9, March 30, 2009, 8:33 AM: Novell and Red Hat have released security advisories and updated software to address the .pdf file buffer overflow vulnerability in Adobe Reader.
Version 8, March 27, 2009, 7:42 AM: Adobe has re-released a security bulletin and updated software to address the .pdf file buffer overflow vulnerability in Adobe Reader for Unix.
Version 7, March 19, 2009, 9:36 AM: Adobe has released a security bulletin and updated software to address the .pdf file buffer overflow vulnerability in Adobe Acrobat products.
Version 6, March 18, 2009, 4:00 PM: Additional information is available to describe attacks that are leveraging the .pdf file buffer overflow vulnerability in Adobe Acrobat products.
Version 5, March 16, 2009, 2:56 PM: Additional information is available regarding the effectiveness of a recommended workaround for the Adobe Acrobat Products PDF file buffer overflow vulnerability.
Version 4, March 11, 2009, 2:40 PM: Adobe has released a security bulletin and updated software to address the .pdf file buffer overflow vulnerability.
Version 3, February 25, 2009, 1:36 PM: Additional workaround information is available for the .pdf file buffer overflow vulnerability in Adobe Acrobat products.
Version 2, February 24, 2009, 4:25 PM: Additional technical details are available for the .pdf file buffer overflow vulnerability in Adobe Acrobat products. US-CERT has released a vulnerability note.
Version 1, February 24, 2009, 3:40 PM: Adobe Acrobat and Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. Updated software is not available.

Product Sets

The security vulnerability applies to the following combinations of products.
LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.