__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

             Adobe Reader and Acrobat Vulnerabilities
                  [Public Advisory: 02.08.08]

February 13, 2008 13:00 GMT                                      Number S-180
______________________________________________________________________________
PROBLEM:       Remote exploitation of multiple stack-based buffer overflows
               in JavaScript methods in Adobe Reader and Acrobat could allow
               an attacker to execute arbitrary code as the current user.

PLATFORM:      Adobe Reader 8.1 on Windows XP SP2.
               NOTE--It is likely that other Adobe products that handle PDF
               files, including previous versions of Adobe Reader, are also
               affected.

DAMAGE:        Remote code execution.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Exploitation of these vulnerabilities would
ASSESSMENT:    allow an attacker to execute arbitrary code as the current user.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-180.shtml
 ORIGINAL BULLETIN:  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=657
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659
______________________________________________________________________________

[***** Start Public Advisory: 02.08.08 *****]

PUBLIC ADVISORY: 02.08.08

Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities

I. BACKGROUND

Adobe Reader is a program for viewing Portable Document Format (PDF)
documents. Acrobat is the program used to create such documents. More
information is available at the following URLs.
    http://www.adobe.com/products/acrobat/
    http://www.adobe.com/products/reader/

II. DESCRIPTION

Remote exploitation of multiple stack-based buffer overflows in JavaScript
methods in Adobe Reader and Acrobat could allow an attacker to execute
arbitrary code as the current user.

These issues exist due to insufficient input validation in several JavaScript
methods. Inadequate checking is performed on the string length before it is
copied into a fixed-size buffer on the stack. If an attacker supplies a long
string, control structures on the stack may be modified, allowing the
execution of arbitrary code.

III. ANALYSIS

Exploitation of these vulnerabilities would allow an attacker to execute
arbitrary code as the current user. In order to exploit these vulnerabilities,
an attacker would have to convince a targeted user to open a maliciously
constructed file. This file could be sent directly to the targeted user or
linked from a website.

IV. DETECTION

iDefense has confirmed these vulnerabilities exist in Adobe Reader 8.1 on
Windows XP SP2. It is likely that other Adobe products that handle PDF files,
including previous versions of Adobe Reader, are also affected.

V. WORKAROUND

Disabling JavaScript in Adobe Reader or Acrobat will limit exposure to these
vulnerabilities. When JavaScript is disabled, Adobe Reader will prompt the user
that some components of the document may not function, and provide an
opportunity to enable it.

VI. VENDOR RESPONSE

Adobe released version 8.1.2 of Adobe Reader and Acrobat to address these
vulnerabilities. Although there is currently no update for version 7.0.9,
Adobe reports it does plan to release one at a later date. For more
information, visit the vendor's advisory at the following URL.

    http://www.adobe.com/support/security/advisories/apsa08-01.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2007-5659 to this issue.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org/),
which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

10/10/2007  Initial vendor notification
10/10/2007  Initial vendor response
10/26/2007  Request for status
10/26/2007  Status - Est. early January
01/04/2008  Request for status
01/04/2008  Status - Scheduled early February
01/28/2008  Adobe plans patch for 8, but not 7
01/30/2008  Concerns about the plan e-mailed to Adobe
01/31/2008  Telephone call to clarify concerns
02/06/2008  Adobe releases 8.1.2
02/06/2008  Immunity makes PoC available to partners
02/07/2008  Adobe publishes APSA08-01
02/08/2008  Exploit discovered in the wild
02/08/2008  Public disclosure

IX. CREDIT

These vulnerabilities were discovered by Greg MacManus of VeriSign iDefense
Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It
may not be edited in any way without the express written consent of iDefense.
If you wish to reprint the whole or any part of this alert in any other medium
other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.
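The WORKAROUND section above identifies Reader's JavaScript engine as the exposed component, and the ANALYSIS section notes that exploitation requires the user to open a maliciously constructed PDF. As an added example, not part of the CIAC bulletin or the iDefense advisory, the Python script below triages a PDF for that attack surface by counting the name objects that mark script content (/JavaScript, /JS) and actions that fire without user interaction (/OpenAction, /AA), after inflating FlateDecode streams and undoing #xx name escapes so that neither hides the names; the embedded sample PDFs are constructed for this example.

```python
import re
import zlib

# Constructed sample, not a real-world file: the catalog's /OpenAction points
# at a JavaScript action whose code sits in a Flate-compressed stream.
_JS_BODY = zlib.compress(b"app.alert('constructed sample');")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_JS_BODY)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _JS_BODY + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Name objects that mark script content (/JavaScript, /JS) and actions that
# fire without a click (/OpenAction on the catalog, /AA additional actions).
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")


def normalize(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream, then undo #xx
    name escapes so that /J#53 reads as /JS. Other filters, object streams
    and encrypted files are left as raw bytes and can still hide names."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:  # zlib ignores the trailing EOL before 'endstream'
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate, or truncated; the raw bytes are still scanned
    joined = b"\n".join(parts)
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), joined)


def scan_pdf(data: bytes) -> dict:
    """Count each indicator as a whole name and return a triage verdict."""
    text = normalize(data)
    hits = {}
    for name in INDICATORS:  # lookahead stops /JS from matching longer names
        hits[name.decode()] = len(re.findall(re.escape(name) + rb"(?![0-9A-Za-z])", text))
    has_js = hits["/JavaScript"] > 0 or hits["/JS"] > 0
    auto = hits["/OpenAction"] > 0 or hits["/AA"] > 0
    verdict = ("review: script runs when the document opens" if has_js and auto
               else "review: embedded script" if has_js else "no script found")
    return {"hits": hits, "javascript": has_js, "auto_trigger": auto, "verdict": verdict}
```

A "review" verdict only says the file carries script that Reader would run; it is a triage signal for files arriving from untrusted senders, not proof of exploitation.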
[***** End Public Advisory: 02.08.08 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of iDefense for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor any
of their employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of authors
expressed herein do not necessarily state or reflect those of the United
States Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-170: KAME Project IPv6 IPComp Vulnerability
S-171: Kernel Security Update
S-172: Vulnerability in WebDAV Mini-Redirector
S-173: Vulnerability in Internet Information Services
S-174: Vulnerability in OLE Automation
S-175: Vulnerability in Microsoft Word
S-176: Cumulative Security Update for Internet Explorer
S-177: Vulnerabilities in Microsoft Works File Converter
S-178: Vulnerabilities in Microsoft Office Publisher
S-179: Vulnerability in Microsoft Office