Adobe Acrobat and Acrobat Reader Remote Code Execution



A vulnerability in Adobe Acrobat and Acrobat Reader can result in remote code execution.
This vulnerability was discovered being exploited in the wild on Dec. 11, 2009, and publicly acknowledged by Adobe on Dec. 14, 2009.  New in-the-wild PDF variants were discovered by ISS Managed Security Services on Dec. 18, 2009, indicating that this attack is being picked up by more attackers using more traditional obfuscation and attack techniques.

ISS Coverage

Product: Content Version
Network Sensor 7.0, Proventia A, Proventia IPS (G/GX), Server Sensor 7.0, Proventia Multifunction Appliance, Proventia Server (Linux): 29.121
Proventia Server (Windows), Proventia Desktop: 2461
Propagation Techniques
ISS Protection
Available
remote exploit (in-the-wild samples)


PoCs (public exploit code, not current in-the-wild samples)
Malware (Proventia-M)
JavaScript_NOOP_Sled***
PDF_Stream_Hiding
PDF_JavaScript_Detected*
PDF_Encoded_JavaScript_Tag**
Mal/Behav-027
Mar 24, 2006
Dec 17, 2009
Feb 13, 2008
Apr 14, 2009
* This signature is not blocked by default, because it blocks any PDF containing JavaScript. However, it does detect exploits that are currently in the wild, and it can be enabled if your organization wants a lock-down mode to block current exploits. Additional coverage is under investigation.
** This signature is blocked in the default policy.
*** This signature blocks malicious web pages hosting a new PDF variant discovered by ISS Managed Security Services on Dec. 18, 2009.
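
The footnotes above distinguish a broad "PDF contains JavaScript" check, useful as a lock-down mode, from an encoded-tag check that is blocked by default. The following Python example is added for illustration and is not ISS signature logic or part of the original advisory. The function names, the block/alert/allow policy and the sample byte strings are assumptions constructed here.

```python
import re

# A PDF name runs from "/" to the next whitespace or delimiter character.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
_JS_NAMES = {b"JS", b"JavaScript"}


def decode_name(raw: bytes) -> bytes:
    """Resolve #XX escapes: PDF names may hex-encode any character."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Find JavaScript name tags in raw PDF bytes.

    Only uncompressed object data is inspected; tags inside compressed
    streams are not seen by this check.
    """
    tags, encoded = [], False
    for m in _NAME.finditer(data):
        raw = m.group(1)
        if decode_name(raw) in _JS_NAMES:
            tags.append(b"/" + raw)
            encoded = encoded or b"#" in raw
    return {"javascript": bool(tags), "encoded_tag": encoded, "tags": tags}


def verdict(data: bytes, lockdown: bool = False) -> str:
    """Assumed policy modeled on the footnotes: an encoded tag is always
    blocked; plain JavaScript is blocked only in lock-down mode."""
    result = scan_pdf(data)
    if result["encoded_tag"]:
        return "block"
    if result["javascript"]:
        return "block" if lockdown else "alert"
    return "allow"


# Constructed samples for illustration (no exploit content).
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS (constructed) >>\nendobj\n"
ENCODED = b"%PDF-1.4\n1 0 obj\n<< /S /J#61vaScript /J#53 (constructed) >>\nendobj\n"
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("encoded", ENCODED), ("clean", CLEAN)):
        print(label, verdict(sample), verdict(sample, lockdown=True))
```

A legitimate PDF producer has little reason to hex-encode the letters of a JavaScript tag, which is why this example treats the encoded form as the stronger signal and blocks it regardless of mode.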

Detailed Description

Business Impact:
This vulnerability could result in remote code execution if a victim opens a specially-crafted PDF (portable document format) file. Adobe Acrobat and Acrobat Reader are vulnerable and, at the time of publication, had no patch available. Links to these malicious documents can easily be sent through spam or through links on seemingly non-malicious Web sites. Active exploitation led to the discovery of this vulnerability.
CVSS:
Base Score: 9.3
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Adjusted Temporal Score: 8.8
Exploitability: High
Remediation Level: Workaround
Report Confidence: Confirmed
Affected Products:
For a full list of affected versions, see references below.
Technical Description:
Adobe Acrobat and Reader could allow a remote attacker to execute arbitrary code on the system, caused by an unspecified memory corruption error. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to execute arbitrary code with elevated privileges.
Remediation:
At the time of publication, patches were not available.  Customers can deploy security products to block exploits.

References

Adobe:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
http://www.adobe.com/support/security/advisories/apsa09-07.html
XFDB:
http://xforce.iss.net/xforce/xfdb/54747

Revision History

1.0: Initial publication.
1.1: Clarified wording for initial signature coverage.
1.2: Added link to Adobe bulletin.
1.3: Added PoC coverage.
1.4: Added new signature coverage.
1.5: New variants were discovered, caught through the generic Proventia obfuscation signatures used to protect IBM ISS Managed Security Services customers.
For a more detailed report on this Adobe Acrobat vulnerability, see shadowserver.org.