MS-ISAC ADVISORY NUMBER:
2008-035
DATE(S) ISSUED:
11/4/2008
11/10/2008 - Updated
SUBJECT:
Multiple Vulnerabilities Discovered in Adobe Reader and Adobe Acrobat
OVERVIEW:
Several security vulnerabilities have been identified in Adobe Reader and Adobe Acrobat. Adobe Reader allows users to view Portable Document Format (PDF) files. Adobe Acrobat offers users additional features such as the ability to create PDF files. These vulnerabilities can be exploited if a user opens a malicious PDF file. Successful exploitation will result in an attacker gaining complete control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.
UPDATED OVERVIEW:
It has been reported that one of the vulnerabilities is actively being exploited on the Internet.
SYSTEMS AFFECTED:
- Adobe Acrobat Reader 8.1.2 and earlier
- Adobe Acrobat Standard/Professional/3D 8.1.2 and earlier
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
Several new security vulnerabilities have been identified in Adobe products. The file format used by all of these products is Portable Document Format (PDF). Opening a malicious PDF file in either Adobe Acrobat or Adobe Reader will result in exploitation.
The reported vulnerabilities include remote code execution, denial of service, privilege escalation and modification of user settings. Successful exploitation will result in an attacker gaining complete control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.
Both the Adobe Reader and Adobe Acrobat programs also install the Adobe Reader Plug-in, which allows PDF files to be viewed inside a web browser. In most cases, a user will not be prompted before a PDF file is opened in a web browser. Therefore, simply accessing a malicious PDF file on a website can result in successful exploitation.
Adobe has released updates for both Adobe Reader and Adobe Acrobat which address all of the reported vulnerabilities.
UPDATED DESCRIPTION:
It has been reported that one of the vulnerabilities is actively being exploited on the Internet. A trojan is currently being served from infonews.athena.cx but may come from other sources. Once the exploit is triggered, it will attempt to contact a server at adxdnet.net to download additional malware. Current anti-virus detection is very low.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Upgrade Adobe Reader and Adobe Acrobat to version 8.1.3 or 9.
- Do not visit unknown or untrusted Web sites or click on links provided in an email.
- Do not open email attachments from unknown or untrusted sources.
UPDATED RECOMMENDATIONS:
- Block access to infonews.athena.cx (203.119.12.197) and adxdnet.net (85.17.162.100).
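Blocking covers future connections; existing proxy or DNS logs can show which hosts already reached these systems. The following is an added example, not part of the MS-ISAC advisory, that searches log lines for the two domains and two IP addresses named above. The four-field log layout, the sample lines, and the choice to treat subdomains as matches are assumptions.

```python
"""Retro-hunt for the advisory's network indicators in proxy/DNS logs."""
from collections import defaultdict

# Indicators taken from the advisory text.
BAD_DOMAINS = {"infonews.athena.cx", "adxdnet.net"}
BAD_IPS = {"203.119.12.197", "85.17.162.100"}

# Constructed sample log; the "time client dest_host dest_ip" layout is an assumption.
SAMPLE_LOG = """\
2008-11-08T09:14:02 10.0.4.17 infonews.athena.cx 203.119.12.197
2008-11-08T09:14:05 10.0.4.17 ADXDNET.NET. 85.17.162.100
2008-11-08T09:20:41 10.0.7.3 www.adobe.com 192.0.2.10
2008-11-08T10:02:13 10.0.9.22 notadxdnet.net 192.0.2.55
2008-11-08T10:05:30 10.0.9.40 cdn.adxdnet.net 192.0.2.77
2008-11-08T10:09:00 10.0.2.8 adxdnet.net.example.org 192.0.2.80
2008-11-08T11:30:00 10.0.5.5 - 85.17.162.100
malformed line
"""

def match_domain(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.strip().rstrip(".").lower()  # normalise case and FQDN trailing dot
    for bad in BAD_DOMAINS:
        # Anchor on a label boundary so "notadxdnet.net" does not match.
        if host == bad or host.endswith("." + bad):
            return bad
    return None

def hunt(log_text):
    """Map each internal client to the set of indicators it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed layout
        _, client, dest_host, dest_ip = fields
        domain = match_domain(dest_host)
        if domain:
            hits[client].add(domain)
        if dest_ip in BAD_IPS:  # catches direct-to-IP traffic with no hostname
            hits[client].add(dest_ip)
    return dict(hits)

if __name__ == "__main__":
    for client, indicators in sorted(hunt(SAMPLE_LOG).items()):
        print(client, sorted(indicators))
```

Clients returned by `hunt` are candidates for follow-up, since the advisory notes that anti-virus detection of the trojan is very low.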
REFERENCES:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb08-19.html
Secunia:
http://secunia.com/secunia_research/2008-14/
SecurityFocus:
http://www.securityfocus.com/bid/32100
UPDATED REFERENCES:
Symantec:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110718-5133-99
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
