__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Adobe Security Update [APSB07-18]

October 26, 2007 15:00 GMT                                        Number S-030
______________________________________________________________________________
PROBLEM:       Critical vulnerabilities have been identified in Adobe Reader
               and Acrobat that could allow an attacker who successfully
               exploits these vulnerabilities to take control of the affected
               system.
PLATFORM:      Adobe Reader
                 8.1 and earlier
                 7.0.9 and earlier
               Adobe Acrobat
                 Professional, 3D, Standard 8.1 and earlier versions
                 Professional, Standard, 3D, and Elements 7.0.9 and earlier
DAMAGE:        Could allow an attacker who successfully exploits these
               vulnerabilities to take control of the affected system.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Could allow an attacker who successfully
ASSESSMENT:    exploits these vulnerabilities to take control of the affected
               system.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-030.shtml
 ORIGINAL BULLETIN:  http://www.adobe.com/support/security/bulletins/apsb07-18.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-5020
______________________________________________________________________________
[***** Start APSB07-18 *****]

Security bulletin

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

Release date: October 22, 2007

Vulnerability identifier: APSB07-18

CVE number: CVE-2007-5020

Platform: Windows XP or Windows 2003 (Vista users are not affected) with Internet Explorer 7 installed

Affected software versions:
Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier
Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier

Summary

Critical vulnerabilities have been identified in Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. This issue only affects customers on Windows XP or Windows 2003 with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities. It is recommended that affected users update to Adobe Reader 8.1.1 or Acrobat 8.1.1. This is an update to resolve the issue previously reported in Security Advisory APSA07-04.

Solution

Adobe strongly recommends upgrading to Adobe Reader 8.1.1 or Acrobat 8.1.1. Users can utilize the product's automatic update facility. The default installation configuration runs automatic updates on a regular schedule, and can be manually activated by choosing Help > Check For Updates Now.

Alternatively, the Adobe Reader 8.1.1 update files can be manually downloaded and installed from:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

The Acrobat 8.1.1 update files can be downloaded and installed from:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Microsoft may also be providing an update to resolve this issue at a later date. Please refer to Microsoft Security Advisory 943521 for more information.

Adobe will be providing an update to Adobe Reader 7.0.9 and Acrobat 7.0.9 at a later date.

For customers who cannot upgrade to Adobe Reader 8.1.1 or Acrobat 8.1.1, administrators can disable the mailto: option in Acrobat, Acrobat 3D and Adobe Reader by modifying the application options in the Windows registry. Additionally, these changes can be added to network deployments to Windows systems.

Disclaimer: This procedure involves editing the registry. Adobe doesn't provide support for editing the registry, which contains critical system and application information. Make sure to back up the registry before modifying it. For more information about the registry, refer to Windows Help.

  Exit Adobe Reader or Acrobat.
  Open RegEdit. On Windows, go to Start > Run, type in regedit and click OK.
  Choose File > Export.
  Select Local Disk C for the Save in: location.
  Type backup for File Name.
  Choose All for the Export Range.
  Click Save.
  Navigate to the appropriate registry key:

NOTE: When editing the key values for Adobe Reader and Acrobat 7.0.9, Regedit will launch an Edit Binary Value window. Be sure to edit the values below using the right panel of the window.

  Acrobat:
  HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe Acrobat\7.0\FeatureLockDown\cDefaultLaunchURLPerms

  Reader:
  HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\7.0\FeatureLockDown\cDefaultLaunchURLPerms

  If tSchemePerms is set as follows:

  version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:2

  To Disable mailto (recommended)
  Modify tSchemePerms by setting the mailto: value to 3:

  version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2

  To set mailto to prompt
  Modify tSchemePerms by removing the mailto: value:

  version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|file:2

  Close RegEdit.
  Restart the application.

Severity rating

Adobe categorizes this as a critical issue and recommends that affected users update their product installations.

Details

This Security Bulletin addresses the issue previously reported in Security Advisory APSA07-04. Critical vulnerabilities have been identified in Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. This issue only affects customers on Windows XP or Windows 2003 with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities. This issue is remotely exploitable. It is recommended that affected users update to Adobe Reader 8.1.1 or Acrobat 8.1.1. Adobe will be providing an update to Adobe Reader 7.0.9 and Acrobat 7.0.9 at a later date.

Adobe Reader 6.X and Acrobat 6.X are not vulnerable to this issue.

Acknowledgments

Adobe would like to thank pdp of gnucitizen.org for reporting this vulnerability and for working with Adobe to help protect our customers' security.
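
The tSchemePerms workaround above, as an added example for checking or preparing the value across many machines (not code from Adobe or CIAC). It works on the value's text only; the function names are hypothetical, reading and writing the registry is left to the deployment tooling, and the treatment of entry order is an assumption noted in the code.

```python
# Added example: works on the tSchemePerms text only; it does not touch the registry.
# Constructed sample: the pre-workaround value quoted in the bulletin.
PAGE_DEFAULT = ("version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|"
                "mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|"
                "mailto:2|file:2")
BLOCK = "3"  # the bulletin's "Disable mailto (recommended)" setting


def parse_perms(value):
    """Split 'scheme:perm|scheme:perm|...' into an ordered list of pairs."""
    pairs = []
    for entry in value.strip().split("|"):
        scheme, sep, perm = entry.strip().partition(":")
        if not scheme or not sep or not perm.isdigit():
            raise ValueError(f"malformed tSchemePerms entry: {entry!r}")
        pairs.append((scheme, perm))
    return pairs


def mailto_state(value):
    """Return 'blocked', 'prompt' (no mailto entry) or 'needs-change'."""
    perms = {s.lower(): p for s, p in parse_perms(value)}
    if "mailto" not in perms:
        return "prompt"
    return "blocked" if perms["mailto"] == BLOCK else "needs-change"


def apply_workaround(value, mode="disable"):
    """Rewrite the value as the bulletin describes; other entries are untouched."""
    if mode not in ("disable", "prompt"):
        raise ValueError("mode must be 'disable' or 'prompt'")
    out, seen = [], False
    for scheme, perm in parse_perms(value):
        if scheme.lower() == "mailto":
            if seen or mode == "prompt":
                seen = True
                continue  # drop the entry (prompt mode) or a duplicate
            seen, perm = True, BLOCK
        out.append((scheme, perm))
    if mode == "disable" and not seen:
        # Assumption: entry order is not significant, so append at the end.
        out.append(("mailto", BLOCK))
    return "|".join(f"{s}:{p}" for s, p in out)


if __name__ == "__main__":
    for mode in ("disable", "prompt"):
        fixed = apply_workaround(PAGE_DEFAULT, mode)
        print(mode, "->", mailto_state(fixed), fixed)
```

For the 7.0.9 keys, which the NOTE above says Regedit presents as binary values, the data has to be converted to text before it is passed to these functions.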

[***** End APSB07-18 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Adobe for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-020: Cisco Unified Communications Web-based Management Vulnerability
S-021: HP-UX Running OpenSSL Vulnerability
S-022: Mozilla Products Vulnerabilities
S-023: RealPlayer Playlist Vulnerability
S-024: libpng Security Update
S-025: reprepro Vulnerability
S-026: xfce4-terminal Vulnerability
S-027: t1lib Vulnerability
S-028: Vulnerability in Java Runtime Environment Virtual Machine
S-029: IBM Lotus Notes Vulnerabilities