Adobe Reader and Acrobat versions 9.3.4 and prior and versions 8.2.4 and prior contain a vulnerability that can allow an unauthenticated, remote attacker to execute arbitrary code on an affected system.
The vulnerability exists due to insufficient bounds checking on user-supplied input while handling PDF files. An unauthenticated, remote attacker could exploit this vulnerability by persuading a user to open a malicious PDF document using the affected software. If successful, the attacker could execute arbitrary code with the privileges of the user.
Adobe has acknowledged that exploits for this vulnerability are occurring in the wild.
Adobe has confirmed this vulnerability and released updated software.
Indicators of Compromise
Adobe Reader and Acrobat versions 9.3.4 and prior and versions 8.2.4 and prior are vulnerable.
The vulnerability exists due to improper bounds checking performed by functions within the CoolType.dll library of the affected software while handling TrueType Fonts (TTF) that are embedded in a PDF document. The affected software uses Smart Independent Glyphlet (SING) architecture tables to perform modifications on TTF fonts.
An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to view a malicious PDF document containing an overly large value in the uniqueName field within the SING table structure. When viewed by the user, this document could trigger a stack-based buffer overflow, corrupting memory. The attacker could use the memory corruption to execute arbitrary code with the privileges of the user. Some attacks may attempt to bypass memory protections by using the icucnv36.dll library, making exploits more reliable on some platforms.
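The bounds check that the description above says is missing, sketched as an added example (not Adobe's code and not part of the original alert): it walks a font's table directory, finds the SING table, and accepts uniqueName only when it is terminated inside its fixed field. The 28-byte field at offset 16, the 12-byte sfnt header with 16-byte table records, and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (not given in the alert): uniqueName is a fixed 28-byte,
   NUL-terminated field at byte offset 16 of the SING table. */
enum { NAME_OFF = 16, NAME_LEN = 28, SING_LEN = NAME_OFF + NAME_LEN };
enum sing_status { SING_MALFORMED = -1, SING_ABSENT = 0, SING_OK = 1 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Find SING in the sfnt table directory; copy uniqueName to out (out_len bytes)
   only if it is NUL-terminated inside its fixed field and fits in out. */
enum sing_status sing_unique_name(const uint8_t *f, size_t len, char *out, size_t out_len) {
    if (len < 12) return SING_MALFORMED;
    size_t ntab = ((size_t)f[4] << 8) | f[5];
    if (ntab * 16 > len - 12) return SING_MALFORMED;   /* directory must fit */
    for (size_t i = 0; i < ntab; i++) {
        const uint8_t *rec = f + 12 + i * 16;           /* tag, checksum, offset, length */
        if (memcmp(rec, "SING", 4) != 0) continue;
        uint32_t off = be32(rec + 8), tlen = be32(rec + 12);
        if (off > len || tlen > len - off || tlen < SING_LEN) return SING_MALFORMED;
        const uint8_t *name = f + off + NAME_OFF;
        const uint8_t *nul = memchr(name, 0, NAME_LEN); /* never scan past the field */
        if (!nul || (size_t)(nul - name) >= out_len) return SING_MALFORMED;
        memcpy(out, name, (size_t)(nul - name) + 1);    /* bounded copy, NUL included */
        return SING_OK;
    }
    return SING_ABSENT;
}

/* Constructed sample: a one-table sfnt whose SING uniqueName holds `name`
   (n bytes, no terminator added). buf must hold 28 + SING_LEN bytes. */
size_t make_sample(uint8_t *buf, const char *name, size_t n) {
    memset(buf, 0, 28 + SING_LEN);
    buf[1] = 1; buf[5] = 1;                             /* version 0x00010000, numTables 1 */
    memcpy(buf + 12, "SING", 4);
    buf[23] = 28; buf[27] = SING_LEN;                   /* table offset and length */
    memcpy(buf + 28 + NAME_OFF, name, n > NAME_LEN ? NAME_LEN : n);
    return 28 + SING_LEN;
}

int main(void) {
    uint8_t font[28 + SING_LEN]; char out[NAME_LEN];
    size_t len = make_sample(font, "AAAAAAAAAAAAAAAAAAAAAAAAAAAA", 28);
    return sing_unique_name(font, len, out, sizeof out) == SING_MALFORMED ? 0 : 1;
}
```

A parser or file-screening tool built this way rejects the font instead of copying the field; the fixed size limit travels with the copy rather than relying on the terminator in attacker-controlled data.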
User interaction is required to exploit this vulnerability. An attacker would need to persuade a user to view a malicious file. The attacker might use social engineering techniques such as sending the link to the website that hosts the file via an e-mail message, instant messaging, or other forms of communication.
Reports suggest that an exploit could be possible on Windows Vista and Windows 7 as well; exploit samples observed in the wild leverage libraries that do not use the memory protection routines built into Windows Vista and Windows 7.
A successful exploit could allow the attacker to execute arbitrary code on the system with the privileges of the user.
Administrators are advised to apply the appropriate updates.
Administrators are advised to use an unprivileged account when browsing the Internet.
Administrators are advised to limit access to the icucnv36.dll module by configuring the access control list.
Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.
Red Hat has released a security advisory and updated packages to address the Adobe Reader and Acrobat CoolType.dll remote buffer overflow vulnerability. US-CERT has also released a vulnerability note to address this vulnerability.
2010-October-07 13:19 GMT
Adobe has released an additional security bulletin and updated software to address the Adobe Reader and Acrobat CoolType.dll remote buffer overflow vulnerability.
2010-October-06 15:28 GMT
Additional technical information that describes the Adobe Reader and Acrobat CoolType.dll remote buffer overflow vulnerability is available.
2010-September-13 14:06 GMT
Adobe Reader and Acrobat contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Updates are not available.
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.