Adobe Acrobat And Reader AcroJS Heap Corruption Vulnerability
Summary
Adobe Reader is ‘a program for viewing Portable Document Format (PDF) documents’.
Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=756
Details
Vulnerable Systems:
* Acrobat Professional version 8.1.2
* Adobe Reader version 8.1.2
The vulnerable code is an AcroJS function available to scripting code inside of a PDF document. This function is used for HTTP authentication. By passing a long string to this function, it is possible to corrupt heap memory in such a way that may lead to the execution of arbitrary code.
Analysis:
Exploitation of this vulnerability would allow an attacker to execute arbitrary code with the privileges of the current user. In order to exploit this vulnerability, an attacker would have to convince the target to open a maliciously constructed file, or to visit a website with an embedded PDF. If the user has the Adobe Reader Browser plugin enabled, the PDF file will render inside of the browser.
Workaround:
Disabling JavaScript in Adobe Reader or Acrobat will limit exposure to this vulnerability. When JavaScript is disabled, Adobe Reader will prompt the user that some components of the document may not function, and provide an opportunity to enable it.
Vendor response:
Adobe reports that the input validation issue in the Download Manager used by Adobe Reader has been resolved and has released a patch which addresses this issue. A patch is available from the vendor at:
http://www.adobe.com/support/security/bulletins/apsb08-19.html
CVE Information:
CVE-2008-4817
Disclosure timeline:
03/21/2008 – Initial Vendor Notification
04/28/2008 – Additional iDefense Data Provided to Vendor
06/26/2008 – Additional Vendor Follow-up
11/04/2008 – Coordinated Public Disclosure
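Because the vulnerable function is only reachable from script embedded in a PDF, and the workaround is to disable JavaScript, incoming documents can also be triaged for embedded script before they reach a reader. The following is an added example, not part of the original advisory or any Adobe or iDefense code; the function names and the sample documents are constructed for illustration, and the check is a keyword triage (it does not parse the full PDF grammar or handle encrypted files).

```python
import re
import zlib

# Names that mark script content, and names that run actions automatically.
SCRIPT_NAMES = ("/JS", "/JavaScript")
TRIGGER_NAMES = ("/OpenAction", "/AA")

_NAME = re.compile(rb"/[^\x00\t\n\f\r ()<>\[\]{}/%]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _names(data):
    """Yield PDF name tokens with #xx escapes decoded (/J#53 -> /JS)."""
    for m in _NAME.finditer(data):
        raw = _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
        yield raw.decode("latin-1")


def _inflated_streams(data):
    """Yield stream bodies that inflate as zlib (FlateDecode), e.g. object streams."""
    for m in _STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filter or encrypted: not inspected here


def triage_pdf(data):
    """Count script/trigger names in the raw file and in inflated streams."""
    counts = dict.fromkeys(SCRIPT_NAMES + TRIGGER_NAMES, 0)
    for blob in (data, *_inflated_streams(data)):
        for name in _names(blob):
            if name in counts:
                counts[name] += 1
    counts["has_javascript"] = any(counts[n] for n in SCRIPT_NAMES)
    return counts


# Constructed samples (not taken from any real document).
SAMPLE_PLAIN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                b"2 0 obj\n<< /S /JavaScript /J#53 (var x = 1;) >>\nendobj\n")
SAMPLE_OBJSTM = (b"%PDF-1.5\n3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\n"
                 b"stream\n" + zlib.compress(b"<< /S /JavaScript /JS (var x = 1;) >>")
                 + b"\nendstream\nendobj\n")
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, doc in (("plain", SAMPLE_PLAIN), ("objstm", SAMPLE_OBJSTM), ("clean", SAMPLE_CLEAN)):
        print(label, triage_pdf(doc))
```

A document flagged with `has_javascript` alongside `/OpenAction` or `/AA` runs script without user interaction and is the case worth quarantining or opening only in a reader with JavaScript disabled.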