Exploits plague Adobe Reader and Acrobat
Over the weekend, security vendor iDefense reported three specific exploits affecting a fully patched version of Adobe Acrobat and Reader 8.1 running on Windows. In each of the cases, the attacker would need to have the users open a specially crafted PDF file delivered via an e-mail attachment or linked from a Web site. In response, Adobe has released a security update, Adobe Acrobat and Reader 8.1.2.
The Adobe Reader and Acrobat JavaScript insecure method exposure vulnerability affects users of Adobe Reader 8.1 on Windows XP SP2 and is to be further detailed in CVE-2007-5663. According to iDefense, "an insecure method exposed by the JavaScript library in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code on a compromised machine. One of the methods exposed allows direct control over low level features of the object, which in turn allows execution of arbitrary code. In order to exploit this vulnerability, an attacker would have to convince the targeted user to open a maliciously constructed file."
The Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities also affect users of Adobe Reader 8.1 on Windows XP SP2 and are to be detailed in CVE-2007-5659. According to iDefense, "exploitation of multiple stack-based buffer overflows in JavaScript methods in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code as the current user. In order to exploit these vulnerabilities, an attacker would have to convince a targeted user to open a maliciously constructed file."
The Adobe Reader Security Provider Unsafe Library Path Vulnerability affects users of Adobe Reader 8.1 installed on both Windows XP and Windows Vista and is to be detailed in CVE-2007-5666. According to iDefense, "an unsafe library path vulnerability in Adobe Systems' Adobe Reader may allow attackers to execute arbitrary code as the current user. Exploitation allows an attacker to execute arbitrary code as the user that started the application. To exploit this vulnerability, the attacker must convince the targeted user to open a PDF from a directory under their control."
In response, Adobe has issued an update for Adobe Reader and Acrobat 8.01. An update for Adobe Reader and Acrobat 7.0.9 is not currently available, although Adobe said it does plan to release one later.
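All three issues require the victim to open a crafted PDF, and two of them sit in Reader's JavaScript methods. The script below is an added example written by the editor, not code from CNET, iDefense or Adobe, and it detects no specific CVE: it triages PDF attachments for the features such a file needs (JavaScript actions, auto-run /OpenAction and /AA entries, /Launch actions) so they can be held for analysis before a user opens them. It also handles two evasions a plain string search misses, hex-escaped names such as /J#53 and names buried in FlateDecode-compressed streams. The function names, the helper `build_sample_pdf` and the sample documents it produces are constructed here for illustration.

```python
"""Heuristic triage of PDF attachments for embedded JavaScript and auto-run actions.

Added example by the editor; not code from CNET, iDefense or Adobe. It does not
detect any specific CVE. It flags the PDF features (script-carrying and
auto-firing actions) that a "maliciously constructed file" of the kind described
above needs, so the file can be quarantined before a user opens it.
"""
import re
import zlib
from typing import Optional

# Name objects that hold or trigger script execution. /OpenAction and /AA
# (additional actions) fire without user interaction; /JS and /JavaScript carry
# the script; /Launch starts an external program.
SUSPICIOUS_NAMES = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch")

# Any byte of a PDF name may be written as #xx (/J#53 == /JS), a cheap way to
# defeat a plain string search, so names are decoded before scanning.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# stream ... endstream bodies. "(?<!end)" keeps "endstream" from matching as a
# new "stream" keyword.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def _decode_name_escapes(data: bytes) -> bytes:
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Replace every FlateDecode stream body with its inflated content so that
    names hidden inside compressed objects become visible. The filter is read
    from the bytes just before the stream keyword (the object's dictionary);
    a body that fails to inflate is left as-is."""
    def repl(m: "re.Match[bytes]") -> bytes:
        head = _decode_name_escapes(data[max(0, m.start() - 400):m.start()])
        body = m.group(1)
        if b"/FlateDecode" in head:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass
        return b"stream\n" + body + b"\nendstream"
    return _STREAM.sub(repl, data)


def scan_pdf_bytes(data: bytes) -> dict:
    """Return {name: count} for each suspicious name, plus 'suspicious': True if
    any of them occurs, after inflating streams and decoding #xx escapes."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF (missing %PDF header)")
    visible = _decode_name_escapes(_inflate_streams(data))
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # (?![A-Za-z]) stops /JS from also matching a longer name such as /JSX
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z])"
        counts[name] = len(re.findall(pattern, visible))
    counts["suspicious"] = any(counts[n] for n in SUSPICIOUS_NAMES)
    return counts


def build_sample_pdf(script: Optional[bytes] = None, compress: bool = False) -> bytes:
    """Constructed sample input, not a real malicious document. Builds a skeletal
    PDF (no xref table: enough for the scanner, not for a viewer). With `script`
    set, the catalog gets an /OpenAction whose JavaScript action references the
    script via the hex-escaped name /J#53 and stores it in a stream that is
    optionally FlateDecode-compressed, mimicking two common evasions."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 4 0 R" if script else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
    ]
    if script is not None:
        objs.append(b"<< /S /JavaScript /J#53 5 0 R >>")
        body = zlib.compress(script) if compress else script
        filt = b" /Filter /FlateDecode" if compress else b""
        objs.append(b"<< /Length %d%s >>\nstream\n" % (len(body), filt) + body + b"\nendstream")
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"%%EOF\n"


if __name__ == "__main__":
    for label, pdf in (("benign", build_sample_pdf()),
                       ("js, compressed", build_sample_pdf(b"app.alert('hi');", compress=True))):
        print(label, scan_pdf_bytes(pdf))
```

A hit from this scanner is a reason to detonate or inspect the file, not proof of an exploit: plenty of legitimate forms use JavaScript. Conversely, a clean result only means the file carries none of these names after the two decodings applied here; object streams, encryption and other filters are out of scope for this example.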
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 

Also, do any of the three vulnerabilities listed at iDefense Labs and the other vulnerability reported by FortiGuard also apply to Adobe Reader or Acrobat 8.1.1 running on Windows 2000 SP4? Only Windows XP and Windows Vista are mentioned in the CNet article.
Also note iDefense's time line of vulnerability discussion with Adobe, significantly that Adobe was not originally planning to provide patches to previous versions of Adobe Reader or Acrobat.
So with Adobe's last-minute change of heart, is there any time line for patch release for Acrobat Pro 7.09? Or do I have to quit running v.7.09 and go with another PDF creation application? I refuse to pay for an upgrade to Acrobat 8.12 for features I have no need for, besides security patches which should have been developed by now. (iDefense notified Adobe of issues back in October 2007.)
Adobe made record profits last quarter. And making boogles of money with the CreativeSuite 3 release (which the Acrobat product line is part of). How about a little more resources applied to pro-active security and to responding to vulnerabilities in a more timely manner?
And still waiting for the three original vulnerabilities (reported in 2007) to be included in the Common Vulnerabilities and Exposures (CVE) Database and the National Vulnerability Database (NVD), and a Technical Cyber Security Alert released.
That is, no content yet for:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5666
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5659
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5663
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5666
Why the delay for this issue, rated "highly critical" and already observed in the wild?
Homeland Security, where are you?
Both the federal government's and Adobe's lack of responsiveness on this issue needs to be fully investigated.
Other related links:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0655
http://www.kb.cert.org/vuls/id/666281
http://www.zerodayinitiative.com/advisories/ZDI-08-004.html
http://secunia.com/advisories/28851/
http://secunia.com/advisories/28802/
FortiGuard Advisory -
Silent Print Vulnerability in Adobe Acrobat/Reader
http://www.fortiguardcenter.com/advisory/FGA-2008-04.html