MS-ISAC ADVISORY NUMBER:
2009-024
DATE(S) ISSUED:
5/13/2009
SUBJECT:
Vulnerabilities in Adobe Reader and Adobe Acrobat Could Allow For Remote Code Execution
Multiple vulnerabilities have been discovered in the Adobe Reader and Adobe Acrobat applications that could allow attackers to execute arbitrary code on affected systems. Adobe Reader allows users to view Portable Document Format (PDF) files. Adobe Acrobat offers users additional features such as the ability to create PDF files. Recently there have been multiple vulnerabilities and related updates announced by Adobe.
Depending on the privileges associated with the user, an attacker could exploit these vulnerabilities to install programs; view, change, or delete data; or create new accounts with full user rights. Unsuccessful exploitation attempts may cause these programs to crash.
It should be noted that these vulnerabilities are currently being exploited on the Internet.
SYSTEMS AFFECTED:
- Adobe Acrobat Professional 9.1 and earlier versions
- Adobe Acrobat Standard 9.1 and earlier versions
- Adobe Reader 9.1 and earlier versions
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
Multiple vulnerabilities have been discovered in the Adobe Reader and Adobe Acrobat applications that could allow attackers to execute arbitrary code on affected systems. One vulnerability is caused by an error in the 'getAnnots()' JavaScript function. The other vulnerability occurs due to an error in the 'spell.customDictionaryOpen()' JavaScript function. An attacker can leverage either of these vulnerabilities by crafting a malicious PDF file and distributing it via a web-accessible location or by email. When a user opens the malicious PDF file, the attacker's code is executed.
Depending on the privileges associated with the user, an attacker could exploit these vulnerabilities to install programs; view, change, or delete data; or create new accounts with full user rights. Unsuccessful exploitation attempts may cause these programs to crash.
Adobe has released updates for Adobe Acrobat Standard and Professional, and Adobe Reader to address these vulnerabilities.
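Because both flaws are reached through named JavaScript functions, a defender triaging PDF attachments can look for those names inside the file's script streams. The script below is an added example, not part of the MS-ISAC advisory or Adobe's software: it inflates FlateDecode-compressed streams, reports whether a PDF attaches JavaScript, and lists which of the advisory-named calls appear; the two PDFs it checks by default are constructed inline and are not real samples.

```python
import re
import sys
import zlib

# JavaScript functions named in the advisory; a PDF whose scripts reference them warrants review.
SUSPECT_CALLS = (b"getAnnots", b"customDictionaryOpen")
# PDF stream bodies ("stream ... endstream") and the keys that attach JavaScript actions.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_KEY_RE = re.compile(rb"/(JS|JavaScript)\b")


def inflate_streams(data: bytes):
    """Yield each stream body, inflated when it is a FlateDecode (zlib) stream, else raw."""
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        d = zlib.decompressobj()  # tolerates trailing bytes and a truncated tail
        try:
            yield d.decompress(body) + d.flush()
        except zlib.error:
            yield body  # not zlib data (uncompressed or another filter)


def scan_pdf_bytes(data: bytes) -> dict:
    """Report whether the PDF carries JavaScript and which advisory-named calls appear."""
    hits = set()
    for blob in [data, *inflate_streams(data)]:
        hits.update(c.decode() for c in SUSPECT_CALLS if c in blob)
    return {"has_javascript": bool(JS_KEY_RE.search(data)), "suspect_calls": sorted(hits)}


# Constructed samples (not real malware): a PDF whose FlateDecode-compressed OpenAction
# script calls getAnnots(), and a benign PDF with no JavaScript at all.
_js = zlib.compress(b"var a = this.getAnnots(0); app.alert(a);")
SAMPLE_JS_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                 b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
                 b"3 0 obj\n<< /Length " + str(len(_js)).encode() + b" /Filter /FlateDecode >>\n"
                 b"stream\n" + _js + b"\nendstream\nendobj\n%%EOF\n")
SAMPLE_BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                     b"2 0 obj\n<< /Length 11 >>\nstream\nHello World\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: run against the constructed samples
        print("js sample:", scan_pdf_bytes(SAMPLE_JS_PDF))
        print("benign sample:", scan_pdf_bytes(SAMPLE_BENIGN_PDF))
    for path in paths:
        with open(path, "rb") as f:
            print(path, scan_pdf_bytes(f.read()))
```

Malicious PDFs frequently obfuscate function names or use filters other than FlateDecode, so an empty result is inconclusive; a file that attaches JavaScript at all, received from an untrusted source, still deserves the handling described in the recommendations.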
RECOMMENDATIONS:
We recommend the following actions be taken:
- To mitigate this issue, those running Adobe Reader, Adobe Acrobat Standard and Professional versions 7.1.1, 8.1.4, or 9.1 should update to versions 7.1.2, 8.1.5, or 9.1.1 immediately after appropriate testing.
- Consider disabling JavaScript in Adobe by navigating to Edit->Preferences and unchecking 'Enable Acrobat JavaScript'.
- Ensure that all anti-virus software is up to date with the latest signatures.
- Do not open email attachments from unknown or untrusted sources.
- Inform and educate users regarding the threats posed by attachments and hypertext links contained in emails, especially from untrusted sources.
- Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
REFERENCES:
Security Focus:
http://www.securityfocus.com/bid/34736
http://www.securityfocus.com/bid/34740
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1493
Adobe:
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
http://www.adobe.com/support/security/advisories/apsa09-02.html
http://www.adobe.com/support/security/bulletins/apsb09-06.html
Secunia:
http://secunia.com/advisories/34924/
US-CERT:
http://www.kb.cert.org/vuls/id/970180
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
