MS-ISAC ADVISORY NUMBER:
2009-008 Updated

DATE(S) ISSUED:
2/20/2009
3/11/2009 - UPDATED
3/18/2009 - UPDATED
3/25/2009 - UPDATED

SUBJECT:
Vulnerability in Adobe Reader and Adobe Acrobat Could Allow Remote Code Execution

ORIGINAL OVERVIEW:

A vulnerability has been discovered in Adobe Acrobat and Adobe Reader that allows an attacker to execute arbitrary code on an affected system when a user opens a specially crafted PDF file. Adobe Reader allows users to view Portable Document Format (PDF) files; Adobe Acrobat offers additional features such as the ability to create PDF files. Code executed this way runs with the privileges of the user who opened the file, so depending on those privileges an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Unsuccessful exploitation attempts may cause the application to crash.

It should be noted that this vulnerability is being actively exploited on the Internet.

MARCH 11 UPDATED OVERVIEW:
New attack vectors have been discovered that enable an attacker to execute code on the remote system without any user interaction.

Adobe has released an update (version 9.1) for customers using Adobe Reader 9 and Acrobat 9. Updates for the 7.x and 8.x versions should be available March 18, and updates for Unix on March 25.

MARCH 18 UPDATED OVERVIEW:
Adobe has released updates (versions 7.1.1 and 8.1.4) for customers using Adobe Reader and Acrobat 7.x and 8.x.

MARCH 25 UPDATED OVERVIEW:
Adobe has released an update for customers using the affected Adobe products on Unix Systems.

SYSTEMS AFFECTED:

  • Adobe Reader 9 and earlier versions
  • Adobe Acrobat Standard, Pro, and Pro Extended 9 and earlier versions

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

ORIGINAL DESCRIPTION:
Adobe Reader and Acrobat are prone to a remote code execution vulnerability. The exploit seen in the wild is a two-stage attack. The malicious PDF first triggers an integer overflow in the application's handling of a malformed element of the file, corrupting memory. It then uses embedded JavaScript to perform a heap spray: the script allocates many large strings, each consisting of a NOP sled followed by shellcode, until a large part of the process heap is filled with copies of the payload, so that the corrupted control flow from the first stage lands in attacker-controlled code wherever it happens to fall in that region. Testing by Shadowserver has shown that disabling JavaScript in Adobe Reader defeats the second stage: the overflow still occurs and the application crashes (a denial of service), but the attacker has no way to place shellcode where execution will reach it.

The exploit is currently being used in targeted attacks but is expected to become more widespread. Some anti-virus vendors detect the malicious PDF files: Trend Micro detects them as TROJ_PIDIEF.IN and Symantec as Trojan.Pidief.E. Signatures cover only the samples seen so far, so anti-virus detection should be treated as a supplementary control rather than a substitute for the mitigations and patches below.
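The two-stage pattern described above (embedded JavaScript that builds a heap spray, in a file arranged to run the script as soon as it is opened) can be screened for at a mail gateway or during incident triage without ever rendering the PDF. The following Python script is an added example written for this advisory; it is not code from MS-ISAC, Adobe or any of the referenced vendors, and it is a heuristic for the technique rather than a signature for the specific files those vendors named. It pulls script bodies out of a PDF (inflating /FlateDecode streams and reading inline /JS literal strings), looks for the classic heap-spray constructs (a long run of %uXXXX escapes passed to unescape(), a loop that doubles a string until it reaches a target length, and a loop that fills array slots with sled plus payload), and records whether the document auto-executes through /OpenAction or /AA. The three sample PDFs are constructed inline and contain no working exploit: the '%u4141' and '%u4242' filler merely stands in for a NOP sled and shellcode.

```python
import re
import zlib

# A stream object: its dictionary (one level of nesting tolerated) followed by
# the raw bytes between "stream" and "endstream".
STREAM_OBJ = re.compile(
    rb"(<<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n(.*?)[\r\n]endstream", re.S)
# A /JS entry whose script is an inline literal string rather than a stream
# (backslash escapes and one level of nested parentheses tolerated).
LITERAL_JS = re.compile(rb"/JS\s*\(((?:[^()\\]|\\.|\([^()]*\))*)\)", re.S)

# Heap-spray constructs inside script text.
# A long run of %uXXXX escapes fed to unescape(): the sled / shellcode blob.
UNESCAPE_RUN = re.compile(r"unescape\(\s*['\"](?:%u[0-9a-fA-F]{4}){8,}")
# Doubling a string until it reaches a target size: while (s.length < 0x40000) s += s;
GROWTH_LOOP = re.compile(r"while\s*\(\s*\w+\.length\s*<\s*(?:0x[0-9a-fA-F]+|\d+)\s*\)")
# Filling array slots with sled + payload so copies blanket the heap: mem[i] = sled + code;
SPRAY_FILL = re.compile(r"\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+")

def extract_scripts(pdf: bytes) -> list:
    """Return every candidate script body, inflating /FlateDecode streams."""
    scripts = []
    for obj_dict, body in STREAM_OBJ.findall(pdf):
        if b"/FlateDecode" in obj_dict:
            try:  # decompressobj tolerates a stray trailing byte such as '\r'
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                pass  # not deflate data after all; scan the raw bytes instead
        scripts.append(body.decode("latin-1"))
    scripts += [s.decode("latin-1") for s in LITERAL_JS.findall(pdf)]
    return scripts

def triage(pdf: bytes) -> dict:
    """Score one PDF for the JavaScript heap-spray pattern the advisory describes."""
    has_js = re.search(rb"/(JavaScript|JS)\b", pdf) is not None
    auto_exec = re.search(rb"/(OpenAction|AA)\b", pdf) is not None  # runs on open, no click
    indicators = set()
    for text in extract_scripts(pdf):
        if UNESCAPE_RUN.search(text):
            indicators.add("unescape_blob")
        if GROWTH_LOOP.search(text):
            indicators.add("growth_loop")
        if SPRAY_FILL.search(text):
            indicators.add("spray_fill")
    score = int(has_js) + int(auto_exec) + 2 * len(indicators)
    if has_js and len(indicators) >= 2:
        verdict = "likely heap spray"
    elif has_js:
        verdict = "javascript present"
    else:
        verdict = "clean"
    return {"javascript": has_js, "auto_exec": auto_exec,
            "indicators": sorted(indicators), "score": score, "verdict": verdict}

# Constructed samples (not real malware; the filler below carries no working payload).
def _pdf(objects: list) -> bytes:
    """Assemble a minimal PDF body; the scanner needs no xref table, so none is written."""
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objects, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

def _flate(data: bytes) -> bytes:
    """Wrap data in a /FlateDecode stream object, the way real exploit PDFs hide script."""
    z = zlib.compress(data)
    return b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(z), z)

# '%u4141' / '%u4242' are placeholders standing in for a NOP sled and shellcode.
SPRAY_JS = (
    "var sled = unescape('" + "%u4141" * 16 + "');\n"
    "var code = unescape('" + "%u4242" * 8 + "');\n"
    "while (sled.length < 0x40000) sled += sled;\n"
    "var mem = new Array();\n"
    "for (var i = 0; i < 0x200; i++) mem[i] = sled + code;\n"
)
SPRAY_PDF = _pdf([  # auto-running JavaScript action, script in a compressed stream
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /Type /Action /S /JavaScript /JS 4 0 R >>",
    _flate(SPRAY_JS.encode("latin-1")),
])
FORM_PDF = _pdf([  # benign form calculation: JavaScript present, no spray constructs
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /Type /Action /S /JavaScript /JS (this.getField('total').value = 42;) >>",
])
CLEAN_PDF = _pdf([  # one page of text, no script at all
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
    _flate(b"BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET"),
])

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PDF), ("form", FORM_PDF), ("spray", SPRAY_PDF)):
        print(f"{name:6} {triage(sample)}")
```

The check only sees what it can decode: a PDF that hides its script behind a filter other than FlateDecode, inside an object stream, or in an encrypted document will come back "clean", so that verdict means "nothing found by this check", not "safe". A "javascript present" result on its own is common in legitimate forms and is not grounds for blocking; the combination of auto-execution and two or more spray constructs is what warrants quarantine. Patching remains the primary control, with this kind of screening as a stop-gap for the versions whose updates were still pending.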

Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11, 2009. Patches for other versions will be available later.

MARCH 11 UPDATED DESCRIPTION:
New attack vectors have been discovered that enable an attacker to execute code on the remote system without any user interaction.

Adobe has released an update (version 9.1) for customers using Adobe Reader 9 and Acrobat 9. Updates for the 7.x and 8.x versions should be available March 18, and updates for Unix on March 25.

MARCH 18 UPDATED DESCRIPTION:
Adobe has released updates (versions 7.1.1 and 8.1.4) for customers using Adobe Reader and Acrobat 7.x and 8.x.

MARCH 25 UPDATED DESCRIPTION:
Adobe has released an update for customers using the affected Adobe products on Unix Systems.

ORIGINAL RECOMMENDATIONS:
We recommend the following actions be taken:

  • Ensure antivirus software signatures are current.
  • Do not open email attachments from unknown or un-trusted sources.
  • Provide user awareness notification about this vulnerability and exploit.
  • Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Consider disabling JavaScript in Adobe Reader and Acrobat by navigating to Edit -> Preferences -> JavaScript and unchecking 'Enable Acrobat JavaScript'. This blocks the heap spray stage of the current exploit but not the underlying overflow, so a malicious file can still crash the application, and PDF forms that depend on JavaScript will stop working.
  • Install the appropriate vendor patch as soon as it becomes available after appropriate testing.

MARCH 11 UPDATED RECOMMENDATIONS:

  • To mitigate this issue, those running Windows and Adobe Reader or Acrobat 9.0 should upgrade to version 9.1 immediately after appropriate testing. Updates for the 7.x and 8.x versions should be available March 18, and updates for Unix on March 25.

MARCH 18 UPDATED RECOMMENDATIONS:

  • To mitigate this issue, those running Windows and Adobe Reader or Acrobat 7.x or 8.x should upgrade to version 7.1.1 or 8.1.4 respectively, immediately after appropriate testing.

MARCH 25 UPDATED RECOMMENDATIONS:

  • To mitigate this issue, those running Unix and Adobe Reader 8.x or 9.x should upgrade to Adobe Reader 8.1.4 or 9.1 respectively, immediately after appropriate testing.
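Taken together, the update recommendations above define a per-branch, per-platform baseline: on Windows, 7.x must reach 7.1.1, 8.x must reach 8.1.4 and 9.x must reach 9.1; on Unix the advisory names fixed releases only for 8.x (8.1.4) and 9.x (9.1). The following Python script is an added example, not part of the MS-ISAC advisory and not an Adobe tool: it turns that schedule into a check over an inventory of installed versions (version strings as collected from the executable's file properties or a software-inventory export) and separates hosts that need a named update from hosts on affected branches for which the advisory lists no fix at all, such as 6.x anywhere or 7.x on Unix. The hostnames and inventory rows are constructed sample data.

```python
from typing import Optional

# Fixed releases named in this advisory, keyed by platform and major version.
# Branches absent here (6.x anywhere, 7.x on Unix) have no fix listed in the advisory.
FIXED = {
    "windows": {7: "7.1.1", 8: "8.1.4", 9: "9.1"},
    "unix":    {8: "8.1.4", 9: "9.1"},
}
LAST_COVERED_MAJOR = 9  # "Adobe Reader 9 and earlier versions" is the affected range

def parse_version(text: str) -> tuple:
    """Normalise '9.1' or '8.1.4' to a 3-tuple so versions compare numerically."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected Adobe version string: {text!r}")
    nums = tuple(int(p) for p in parts)  # raises ValueError on non-numeric parts
    return nums + (0,) * (3 - len(nums))

def assess(platform: str, version: str) -> tuple:
    """Classify one install as (status, release_to_install or None)."""
    platform = platform.lower()
    if platform not in FIXED:
        raise ValueError(f"unknown platform {platform!r}; expected one of {sorted(FIXED)}")
    v = parse_version(version)
    if v[0] > LAST_COVERED_MAJOR:
        return ("out_of_scope", None)   # newer than anything this advisory addresses
    fixed = FIXED[platform].get(v[0])
    if fixed is None:
        return ("no_fix_listed", None)  # affected branch, but no update named for it
    if v >= parse_version(fixed):
        return ("patched", None)
    return ("vulnerable", fixed)

# Constructed sample inventory: (host, platform, installed version).
INVENTORY = [
    ("ws-finance-01", "windows", "9.0.0"),
    ("ws-finance-02", "windows", "9.1"),
    ("ws-clerk-07",   "windows", "8.1.3"),
    ("ws-legacy-03",  "windows", "7.0.9"),
    ("ws-old-11",     "windows", "6.0.6"),
    ("srv-print-01",  "unix",    "8.1.2"),
    ("srv-docs-02",   "unix",    "7.0.9"),
    ("srv-docs-03",   "unix",    "9.1.0"),
]

def report(inventory) -> dict:
    """Bucket hosts by status; every row is (host, version, release_to_install or None)."""
    buckets = {"vulnerable": [], "no_fix_listed": [], "patched": [], "out_of_scope": []}
    for host, platform, version in inventory:
        status, target = assess(platform, version)
        buckets[status].append((host, version, target))
    return buckets

if __name__ == "__main__":
    for status, rows in report(INVENTORY).items():
        print(status)
        for host, version, target in rows:
            print(f"  {host:16} {version:8}" + (f" -> install {target}" if target else ""))
```

Hosts in the "no_fix_listed" bucket are the ones most easily overlooked by a patch-deployment tool, because there is nothing to push to them: they are still affected and must either be moved to a branch the advisory does cover or have JavaScript disabled as the interim control until a supported version is installed.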

ORIGINAL REFERENCES:
McAfee:
http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents/

Adobe:
http://www.adobe.com/support/security/advisories/apsa09-01.html
http://www.adobe.com/support/security/bulletins/apsb09-03.html
http://blogs.adobe.com/psirt/2009/03/_adobe_reader_and_acrobat_91_u.html

SANS:
http://isc.sans.org/diary.html?storyid=5902

Security Focus:
http://www.securityfocus.com/bid/33751

ShadowServer:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219

Trend Micro:
http://blog.trendmicro.com/portable-document-format-or-portable-malware-format/

MARCH 11 UPDATED REFERENCES:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb09-03.html
http://blogs.adobe.com/psirt/2009/03/_adobe_reader_and_acrobat_91_u.html

SANS:
http://isc.sans.org/diary.html?storyid=5998

MARCH 18 UPDATED REFERENCES:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb09-03.html

SANS:
http://isc.sans.org/diary.html?storyid=6034

MARCH 25 UPDATED REFERENCES:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb09-04.html

This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.