February 11, 2008 10:07 AM PST

Exploits plague Adobe Reader and Acrobat

Over the weekend, security vendor iDefense reported three specific exploits affecting a fully patched version of Adobe Acrobat and Reader 8.1 running on Windows. In each of the cases, the attacker would need to have the users open a specially crafted PDF file delivered via an e-mail attachment or linked from a Web site. In response, Adobe has released a security update, Adobe Acrobat and Reader 8.1.2.

The Adobe Reader and Acrobat JavaScript insecure method exposure vulnerability affects users of Adobe Reader 8.1 on Windows XP SP2 and is to be further detailed in CVE-2007-5663. According to iDefense, "an insecure method exposed by the JavaScript library in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code on a compromised machine. One of the methods exposed allows direct control over low level features of the object, which in turn allows execution of arbitrary code. In order to exploit this vulnerability, an attacker would have to convince the targeted user to open a maliciously constructed file."

The Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities also affect users of Adobe Reader 8.1 on Windows XP SP2 and are to be detailed in CVE-2007-5659. According to iDefense, "exploitation of multiple stack-based buffer overflows in JavaScript methods in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code as the current user. In order to exploit these vulnerabilities, an attacker would have to convince a targeted user to open a maliciously constructed file."

The Adobe Reader Security Provider Unsafe Library Path Vulnerability affects users of Adobe Reader 8.1 installed on both Windows XP and Windows Vista and is to be detailed in CVE-2007-5666. According to iDefense, "an unsafe library path vulnerability in Adobe Systems' Adobe Reader may allow attackers to execute arbitrary code as the current user. Exploitation allows an attacker to execute arbitrary code as the user that started the application. To exploit this vulnerability, the attacker must convince the targeted user to open a PDF from a directory under their control."

In response, Adobe has issued an update for Adobe Reader and Acrobat 8.01. An update for Adobe Reader and Acrobat 7.0.9 is not currently available, although Adobe said it does plan to release one later.

Lack of response by Adobe and the Fed
by Woodmon February 12, 2008 1:47 AM PST
Last paragraph should state Adobe has issued an update for Adobe Reader and Acrobat 8.1.1.

Also, do any of the three vulnerabilities listed at iDefense Labs and the other vulnerability reported by FortiGuard also apply to Adobe Reader or Acrobat 8.1.1 running on Windows 2000 SP4? Only Windows XP and Windows Vista are mentioned in the CNet article.

Also note iDefense's time line of vulnerability discussion with Adobe, significantly that Adobe was not originally planning to provide patches to previous versions of Adobe Reader or Acrobat.

So with Adobe's last-minute change of heart, is there any time line for patch release for Acrobat Pro 7.09? Or do I have to quit running v.7.09 and go with another PDF creation application? I refuse to pay for an upgrade to Acrobat 8.12 for features I have no need for, besides security patches which should have been developed by now. (iDefense notified Adobe of issues back in October 2007).

Adobe made record profits last quarter. And making boogles of money with CreativeSuite 3 release (which Acrobat product line is part of). How about a little more resources applied to pro-active security and to responding to vulnerabilities in a more timely manner?

And still awaiting the three original vulnerabilities (reported in 2007) to be included in the Common Vulnerabilities and Exposures (CVE) Database, and the National Vulnerability Database (NVD), and a Technical Cyber Security Alert released.

That is, no content yet for:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5666
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5659
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5663
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5666

Why the delay for this rated "highly critical" issue and which is observed in the wild already?

Homeland Security where are you?

Both the federal government's and Adobe's lack of responsiveness on this issue needs to be fully investigated.

Other related links:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0655
http://www.kb.cert.org/vuls/id/666281
http://www.zerodayinitiative.com/advisories/ZDI-08-004.html
http://secunia.com/advisories/28851/
http://secunia.com/advisories/28802/

FortiGuard Advisory -
Silent Print Vulnerability in Adobe Acrobat/Reader
http://www.fortiguardcenter.com/advisory/FGA-2008-04.html
About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
