Smokey's Security Weblog

veritas odium parit

0-Day Exploit Adobe Reader and Acrobat: extremely critical vulnerability

Security Bulletin

An extremely critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.

There are reports that this issue is being exploited. Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow. In the meantime, Adobe is in contact with anti-virus vendors on this issue in order to ensure the security of our mutual customers.

Affected software versions: Adobe Reader 9 and earlier versions / Adobe Acrobat Standard, Pro, and Pro Extended 9 and earlier versions.

The malicious PDFs in the wild exploit a vulnerability in a non-JavaScript function call. However, they do use some JavaScript to implement a heap spray for successful code execution: the malicious PDFs contain JavaScript that is used to fill the heap with shellcode. Since this exploit relies on both JavaScript and non-JavaScript components, there are some potential reliability issues, which have led to confusion over which platforms are affected. Testing of the exploit on XP SP3 with Adobe Reader 8.1.1, 8.1.2, 8.1.3 and 9.0.0 shows that the vulnerability results in code execution on all of them. There may be cases where Adobe Reader crashes without code execution, especially on systems with more physical memory and faster processors. This is likely due to the race condition needed to populate the heap before certain data structures are parsed by Reader.

The exploit can be effectively mitigated by disabling JavaScript. In this scenario Adobe Reader will still crash, but the required heap spray will not occur and code execution is not possible. There may be a method for populating the heap with the necessary shellcode without JavaScript; however, if such a technique exists, I am not aware of it. As a general rule I like the idea of both disabling JavaScript in Adobe Reader and also flagging PDF documents containing JavaScript at perimeter devices.
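The perimeter check suggested above, as an added example that is not part of the original post: a small scanner that flags PDFs carrying JavaScript (/JavaScript, /JS) or auto-firing actions (/OpenAction, /AA), after undoing the #xx name escapes that are used to hide those keywords, and that notes the unescape("%u…") pattern typical of the heap spray described. The two PDFs are constructed samples, not real in-the-wild files, and the scanner assumes uncompressed objects.

```python
import re

# Constructed sample (not a real in-the-wild file): a minimal PDF whose
# /OpenAction runs JavaScript, with one name hex-escaped (/J#61vaScript),
# a trick used to hide the keyword from naive string matching.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (var s = unescape(\"%u9090\");"
    b" while (s.length < 0x10000) s += s;) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample with no scripting at all, for comparison.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

def decode_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes (#xx) so /J#61vaScript becomes /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

# Keywords that indicate embedded script or an action that fires automatically.
KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA"]
# Rough heap-spray signature: unescape() of %u-encoded data, as the post describes.
SPRAY_RE = re.compile(rb"unescape\s*\(\s*[\"']%u")

def scan_pdf(data: bytes) -> dict:
    """Return which keywords occur and whether a spray-like pattern is present.
    Caveat: objects inside /FlateDecode streams must be inflated before scanning;
    this checks only the uncompressed bytes."""
    text = decode_names(data)
    hits = {k.decode(): len(re.findall(re.escape(k) + rb"\b", text)) for k in KEYWORDS}
    hits = {k: n for k, n in hits.items() if n}
    return {
        "has_javascript": bool(hits.get("/JavaScript") or hits.get("/JS")),
        "auto_action": bool(hits.get("/OpenAction") or hits.get("/AA")),
        "spray_pattern": SPRAY_RE.search(text) is not None,
        "hits": hits,
    }

def should_flag(data: bytes) -> bool:
    """Perimeter policy from the post: flag any PDF that carries JavaScript."""
    return scan_pdf(data)["has_javascript"]

if __name__ == "__main__":
    for name, pdf in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(name, scan_pdf(pdf))
```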

How to disable JavaScript in Adobe Acrobat (Reader):

Click: Edit -> Preferences -> JavaScript -> uncheck "Enable Acrobat JavaScript"


February 21, 2009 - Posted by | Advisories, Alerts, Friends, Malware, Recommended External Security Related Links, Vulnerabilities
