MS-ISAC ADVISORY NUMBER:
2008-007

DATE(S) ISSUED:
2/13/2008

SUBJECT:
Multiple Vulnerabilities in Adobe Reader and Adobe Acrobat Could Allow Remote Code Execution

OVERVIEW:
Several new security vulnerabilities have been identified in Adobe Reader and Adobe Acrobat. Adobe Reader allows users to view Portable Document Format (PDF) files. Adobe Acrobat offers users additional features such as the ability to create PDF files. The default installation of both products includes the Adobe Reader Plugin, which allows users to view PDF files within a web browser such as Internet Explorer or Firefox.

These vulnerabilities can be exploited if a user views a malicious PDF file in a web browser or attempts to open a malicious PDF file which has been downloaded or received as an email attachment. It has been confirmed that the most severe of these vulnerabilities can result in an attacker executing malicious code utilizing the same privileges as the logged on user. If the user is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.

There are confirmed reports of at least one of these vulnerabilities currently being actively exploited.


SYSTEMS AFFECTED:

  • Adobe Acrobat 3D
  • Adobe Acrobat Professional 7.0.0
  • Adobe Acrobat Professional 7.0.1
  • Adobe Acrobat Professional 7.0.2
  • Adobe Acrobat Professional 7.0.3
  • Adobe Acrobat Professional 7.0.4
  • Adobe Acrobat Professional 7.0.5
  • Adobe Acrobat Professional 7.0.6
  • Adobe Acrobat Professional 7.0.7
  • Adobe Acrobat Professional 7.0.8
  • Adobe Acrobat Professional 8.0
  • Adobe Acrobat Professional 8.1
  • Adobe Acrobat Professional 8.1.1
  • Adobe Acrobat Reader 3.0.0
  • Adobe Acrobat Reader 4.0.0
  • Adobe Acrobat Reader 4.0.0 5
  • Adobe Acrobat Reader 4.0.0 5c
  • Adobe Acrobat Reader 4.0.5 A
  • Adobe Acrobat Reader 5.0.0
  • Adobe Acrobat Reader 5.0.10
  • Adobe Acrobat Reader 5.0.5
  • Adobe Acrobat Reader 5.1.0
  • Adobe Acrobat Reader 6.0.0
  • Adobe Acrobat Reader 6.0.1
  • Adobe Acrobat Reader 6.0.2
  • Adobe Acrobat Reader 6.0.3
  • Adobe Acrobat Reader 6.0.4
  • Adobe Acrobat Reader 7.0.0
  • Adobe Acrobat Reader 7.0.1
  • Adobe Acrobat Reader 7.0.2
  • Adobe Acrobat Reader 7.0.3
  • Adobe Acrobat Reader 7.0.4
  • Adobe Acrobat Reader 7.0.5
  • Adobe Acrobat Reader 7.0.6
  • Adobe Acrobat Reader 7.0.7
  • Adobe Acrobat Reader 7.0.8
  • Adobe Acrobat Reader 7.0.9
  • Adobe Acrobat Reader 8.0
  • Adobe Acrobat Reader 8.1
  • Adobe Acrobat Reader 8.1.1
  • Adobe Acrobat Standard 8.1.1

RISK:
Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High


DESCRIPTION:
Several new security vulnerabilities have been identified in Adobe Reader and Adobe Acrobat. The file format used by both of these products is Portable Document Format (PDF). An attacker can compromise a vulnerable system by convincing the user to open a specially crafted PDF file. The attacker can attempt to convince a user to open the file in a number of ways. The file may be sent as an email attachment or manually downloaded to the local system by the user. Opening the file in either Adobe Acrobat or Adobe Reader will result in exploitation.

Both the Adobe Reader and Adobe Acrobat programs also install the Adobe Reader Plugin, which allows PDF files to be viewed inside a web browser. In most cases, a user will not be prompted before opening a PDF file in a web-browser. Therefore, simply accessing a malicious PDF file on a website can result in successful exploitation.

Adobe has released updates for both Adobe Reader and Adobe Acrobat which address all of the reported vulnerabilities.

Reports of public exploitation of at least one of these vulnerabilities have been confirmed by multiple Internet sources.


RECOMMENDATIONS:
We recommend that the following actions be taken:

  • Users should upgrade to Adobe Acrobat 8.1.2 and/or Adobe Reader 8.1.2 after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not visit unknown or un-trusted Web sites or click on links provided in an email.

REFERENCES:

Adobe:
http://www.adobe.com/support/security/advisories/apsa08-01.html(External Link)

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0655(External Link)

US-CERT:
http://www.us-cert.gov/cas/techalerts/TA08-043A.html(External Link)

SANS:
http://isc.sans.org/diary.html?storyid=3958(External Link)



This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.