MS-ISAC ADVISORY NUMBER:
2009-008
DATE(S) ISSUED:
2/20/2009
SUBJECT:
Vulnerability in Adobe Reader and Adobe Acrobat Could Allow Remote Code Execution
A new vulnerability has been discovered in the Adobe Acrobat and Adobe Reader applications that allows attackers to execute arbitrary code on the affected systems. Adobe Reader allows users to view Portable Document Format (PDF) files. Adobe Acrobat offers users additional features such as the ability to create PDF files.
Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Unsuccessful exploitation attempts may cause these programs to crash.
It should be noted that this vulnerability is being actively exploited on the Internet.
SYSTEMS AFFECTED:
- Adobe Reader 9 and earlier versions
- Adobe Acrobat Standard, Pro, and Pro Extended 9 and earlier versions
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
Adobe Reader and Acrobat are prone to a remote code execution vulnerability. The exploit is a two-stage attack: the malware first triggers an integer overflow and then uses JavaScript to perform a heap spray that places shellcode in memory. A heap spray attempts to inject code into the memory of a target process. Testing by Shadowserver has shown that disabling JavaScript in Adobe will defeat the remote code execution but still result in denial of service.
The exploit is being seen in targeted attacks but is expected to become more widespread. Some anti-virus vendors currently detect this exploit. Trend Micro detects it as TROJ_PIDIEF.IN. Symantec detects it as Trojan.Pidief.E.
Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Patches for other versions will be available later.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Ensure antivirus software signatures are current.
- Do not open email attachments from unknown or untrusted sources.
- Provide user awareness notification about this vulnerability and exploit.
- Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
- Consider disabling JavaScript in Adobe by navigating to Edit->Preferences and unchecking 'Enable Acrobat JavaScript'.
- Install the appropriate vendor patch as soon as it becomes available after appropriate testing.
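Because the second stage of this exploit depends on JavaScript embedded in the PDF, a mail gateway or file-share scan that flags PDFs carrying JavaScript and auto-run actions gives defenders an early triage signal. The following is an added illustration, not tooling from MS-ISAC or any vendor named above; the two PDF samples are constructed for the example, and the scan only reads plain-text objects, so streams compressed with /FlateDecode would have to be inflated first.

```python
import re

# Constructed samples (not real malware). The second carries an /OpenAction
# that points at a JavaScript action, with the /JavaScript name hex-escaped
# the way obfuscated documents often hide it (/#4A#61#76#61Script).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPECT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /#4A#61#76#61Script /JS (app.alert("constructed sample");) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name tokens: a slash followed by regular characters; '#xx' is a hex escape.
NAME_RE = re.compile(rb"/([A-Za-z0-9#_.]+)")


def decode_name(raw: bytes) -> str:
    """Resolve #xx hex escapes in a PDF name token, e.g. b'#4A#53' -> 'JS'."""
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Flag JavaScript and auto-run actions in the uncompressed objects of a PDF."""
    tokens = [m.group(1) for m in NAME_RE.finditer(data)]
    names = [decode_name(t) for t in tokens]
    has_js = any(n in ("JS", "JavaScript") for n in names)
    # /OpenAction and /AA (additional actions) fire without a user click.
    auto_action = any(n in ("OpenAction", "AA") for n in names)
    # Escaped names are legal but rare in benign files; count them as a hint.
    escaped_names = sum(1 for t in tokens if b"#" in t)
    return {
        "javascript": has_js,
        "auto_action": auto_action,
        "escaped_names": escaped_names,
        "suspicious": has_js and auto_action,
    }


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        print(label, triage_pdf(pdf))
```

A hit here justifies quarantining the file for sandbox analysis rather than delivering it; it is a triage filter, not a verdict, since benign forms also use JavaScript.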
REFERENCES:
Adobe:
http://www.adobe.com/support/security/advisories/apsa09-01.html
SANS:
http://isc.sans.org/diary.html?storyid=5902
Security Focus:
http://www.securityfocus.com/bid/33751
Shadowserver:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
Trend Micro:
http://blog.trendmicro.com/portable-document-format-or-portable-malware-format/
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
