Vulnerability in Adobe Reader

Started by Frands, February 20, 2009, 04:54:34 PM


Frands

Quote: A vulnerability has been reported in Adobe Reader/Acrobat, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error and can be exploited to cause a buffer overflow. No further information is available.

Successful exploitation allows execution of arbitrary code.

NOTE: Reportedly, the vulnerability is currently being actively exploited.


Extremely critical

http://secunia.com/advisories/33901/
Our greatest glory is not in never falling but in rising every time we fall.
- Confucius
-----
Trend Micro Internet Security


Home Forums:
https://www.landzdown.com/
http://securitygarden.blogspot.dk/
https://www.classicrockforums.com/

dp

Microsoft MVP - Consumer Security since 2004
DP's Security Bits

Corrine

From US-CERT:  http://www.us-cert.gov/current/index.html#adobe_releases_security_bulletin_for1
Quote: US-CERT encourages users to take the following actions to help mitigate the risks:

    * Review Adobe Security Bulletin APSA09-01.
    * Review US-CERT Vulnerability Note VU#905281.
    * Review US-CERT Technical Cyber Security Alert TA09-051A.
    * Disable JavaScript in Adobe Reader and Acrobat. Acrobat JavaScript can be disabled in the General preferences dialog (Edit, Preferences, JavaScript, and un-check "Enable Acrobat JavaScript").
    * Prevent Internet Explorer from automatically opening PDF documents.
    * Disable the displaying of PDF documents in the web browser. This can be disabled in the General preferences dialog (Edit, Preferences, Internet, and un-check "Display PDF in browser").
    * Use caution when opening untrusted PDF files.
    * Install antivirus software, and keep virus signatures up to date.

US-CERT will provide additional information as it becomes available.

If you're a WinPatrol user, click on the ActiveX tab and sort by company name to find your Adobe components. Select the Acrobat reader and click on Disable.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Eric the Red

It has now been shown that disabling Javascript is not sufficient to mitigate this threat, please see http://secunia.com/blog/44/
"The time to start running is around about the "e" in "Hey, you!" "

Frands

Until Adobe Reader gets rid of its birdie flu it is maybe a good idea using another PDF-reader, e.g. PDF-XCHANGE VIEWER

Corrine

Thank you, stealthzone.  I take it that, unlike Foxit, there is no unexpected add-on with PDF-XCHANGE VIEWER.

(Re Foxit:  http://securitygarden.blogspot.com/2009/02/beware-foxit-reader-includes-asktoolbar.html )



Frands

Hi Corrine
After I posted my latest writeup, I made your blog and saw that ASK toolbar comes with Foxit, I had to alert GR@PH;<'S so he could make a lil change for me ;) . Thanks GR@PH;<'S :)

Corrine

That explains the change.  Thanks for reading my blog. :)




GR@PH;<'S

stealthzone,
Quote: Thanks GR@PH;<'S
You're welcome  :goodie:
-

@ Corrine you mean there are still people that do not read your Securitygarden blog  :tease:

GR@PH;<'S   :Hammys pint:
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least.

Frands

Update :

Quote: "With Adobe's patch for the current PDF vulnerability still some time away, news has emerged of more techniques that are available to exploit the vulnerability, this time without needing the victim to actually open a malicious file. Instead, the methods make use of a Windows Explorer Shell Extension that is installed alongside Adobe Reader, and which will trigger the exploitable code when the file is interacted with in Windows Explorer. Methods have been demonstrated of successful exploitation with a single click, with thumbnail view, and with merely hovering the mouse cursor over the affected file. There are many ways that exploits targeting the JBIG2 vulnerability could be hidden inside a PDF file, and it seems that the reliability of detection for these varying methods is spotty, at best."

http://it.slashdot.org/article.pl?sid=09/03/05/1328244

More about the issue here:
http://www.beskerming.com/commentary/2009/03/05/430/An_Interesting_Result_for_JBIG2_PDF_Vulnerability
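An added example, not part of any post in this thread: a small Python triage pass that flags PDFs declaring the JBIG2Decode filter named in the quoted update, including the case where the filter name is hidden behind PDF `#XX` name escapes. The function names and sample bytes are constructed for illustration; filters declared inside compressed object streams are not visible to this scan.

```python
import re
from collections import Counter

# Name tokens worth a second look when triaging a PDF (list chosen for this example).
WATCHED = {b"JBIG2Decode", b"JavaScript", b"JS", b"OpenAction", b"AA"}

# A PDF name is '/' followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r /<>\[\](){}%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed samples: one image object using an escaped JBIG2 filter name, one benign.
SAMPLE_SUSPECT = (b"%PDF-1.7\n1 0 obj\n<< /Type /XObject /Subtype /Image "
                  b"/Filter /JBIG#32Decode /Length 0 >>\nstream\n\nendstream\nendobj\n%%EOF\n")
SAMPLE_CLEAN = (b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode /Length 0 >>\n"
                b"stream\n\nendstream\nendobj\n%%EOF\n")


def decode_name(raw: bytes) -> bytes:
    """Undo #XX escapes so '/JBIG#32Decode' compares equal to '/JBIG2Decode'."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data: bytes) -> dict:
    """Count watched names and note which ones were written with escapes."""
    counts = Counter()
    escaped = set()
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in WATCHED:
            counts[name.decode()] += 1
            if raw != name:  # a watched name spelled with #XX is itself unusual
                escaped.add(name.decode())
    return {
        "is_pdf": b"%PDF-" in data[:1024],  # header may sit anywhere in the first 1 KiB
        "counts": dict(counts),
        "escaped": sorted(escaped),
        "review": "JBIG2Decode" in counts or bool(escaped),
    }


if __name__ == "__main__":
    for label, blob in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        print(label, triage_pdf(blob))
```

A hit only means the file deserves closer inspection or quarantine before anyone previews it; JBIG2 images also appear in legitimate scanned documents.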

Corrine

Finally updated!

Security Updates available for Adobe Reader and Acrobat

Release date: March 18, 2009
Vulnerability identifier: APSB09-04
CVE number: CVE-2009-0658, CVE-2009-0927
Platform: Windows and Macintosh

Summary

Critical vulnerabilities have been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that one of these issues is being exploited (CVE-2009-0658).

Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.4, and users of Acrobat 7 update to Acrobat 7.1.1. For Adobe Reader users who can't update to Adobe Reader 9.1, Adobe has provided the Adobe Reader 8.1.4 and Adobe Reader 7.1.1 updates.

These updates resolve the issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03. Users who have previously updated to Adobe Reader 9.1 and Acrobat 9.1 for Windows and Macintosh need not take any action. Adobe now plans to make available Adobe Reader 9.1 and Adobe Reader 8.1.4 for Unix by March 24.

Update to Adobe Reader 9.1, available here:  http://get.adobe.com/reader/



Corrine

Adobe Product Security Incident Response Team (PSIRT): Adobe Reader Issue Update
Quote: A Security Advisory has been posted in regards to the Adobe Reader vulnerability last mentioned in the Adobe PSIRT blog on April 28 ("Update to Adobe Reader Issue", CVE-2009-1492). We are in the process of fixing the issue, and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th, 2009. Adobe plans to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X.

Additionally, we have confirmed the second vulnerability (CVE-2009-1493) for Adobe Reader for Unix (first mentioned in our April 28 post). This issue will be resolved in the upcoming Adobe Reader for Unix updates. Currently, we have not been able to reproduce an exploitable scenario for Windows and Macintosh, but we will continue to investigate.

In the meantime, to mitigate both issues disable JavaScript in Adobe Reader and Acrobat using the following instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the 'Enable Acrobat JavaScript' option
5. Click OK
Adobe is in contact with Antivirus and Security vendors regarding both of these issues in order to ensure the security of our mutual customers.

We will continue to provide updates on these issues via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog.

This posting is provided "AS IS" with no warranties and confers no rights.

It has been strongly recommended by members of the security community that consideration be given to an alternative reader.  See http://pdfreaders.org/

(Note:  Foxit Pdf Reader is not recommended as it includes the Ask Toolbar and ebay desktop shortcut.  It has been reported that there is reduced functionality when those add-ons are not included.)

