Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Security Bug Bites Adobe Reader



 By: Brian Prince
2008-11-04
Article Rating:starstarstarstarstar / 4


There are 1 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Core Security Technologies uncovered a flaw in Adobe Reader that could allow an attacker to take control of a vulnerable system. Adobe has reportedly fixed the issue, and a security update is on the way today.

UPDATE: Adobe has patched a critical flaw in its Adobe Reader PDF-file browsing software that could allow hackers to take control of a compromised system.

Researchers at Core Security Technologies found the vulnerability in Adobe Reader 8.1.2, but believe earlier versions may be affected as well. The flaw lies in the way Adobe Reader implements the JavaScript util.printf() function, and can be exploited with a specially crafted PDF file with malicious JavaScript content.

The patch for the issue is available here. The bug also affects Acrobat 8.1.2. Adobe Reader version 9, released in June, is not vulnerable to the problem.

So far, no attacks exploiting this issue have been seen in the wild by Core Security, Ivan Arce, the company's CTO, told eWEEK.

Resource Library:

Basically, an attacker can take full control of the vulnerable endpoint computer, users running Adobe under unprivileged user accounts are slightly better than those that use accounts with full privileges, Arce explained.

The issue was uncovered by a researcher with Core Security while investigating a similar bug affecting Foxit Reader. After an initial examination of the bug, it was believed the issue was not exploitable in Adobe Reader due to the use of two structured exception handlers in the program. Since there seemed to be no way to control Adobe Reader's first exception handler, it appeared at first glance as if the bug was not exploitable.

Further examination, however, proved otherwise; another overflow occurs before the call to the involved code is made in relation to the previously known vulnerability.

According to Core Security, the JavaScript util.printf() function first converts the argument it receives to a String, using only the first 16 digits of the argument and padding the rest with a fixed value of 0 (0x30). By passing an overly long and properly formatted command to the function, it is possible to overwrite the programs memory and control its execution flow.

We've discovered and tested the bug on Windows operating systems, Arce said. The bug is present in Adobe 8.1.2 across all supported platforms, but we did not investigate exploitability on other operating systems such as Unix, Linux or Mac OS X. Our research was closely related to the way Adobe Reader uses Structured Exception Handling (SEH) on Windows platforms, so exploitability may be substantially different or even not possible on other platforms.

There is a workaround for the bug - users can disable JavaScript functionality in the softwares Edit|Preferences menu.

Disabling JavaScript may have a significant impact on functionality commonly used in corporate environments or for business purposes, Arce conceded. That is why we waited for the patch from the vendor to be ready and on only included disabling of JavaScript as a workaround in case installing the patch or upgrading to Adobe Reader 9 isn't possible.

UPDATE: This story has been updated to include the release of Adobe's patch, as well as additional information about the vulnerability.





  Reader Comments: Security Bug Bites Adobe Reader
>>> Post your comment now!
Core Security Vulnerability Advisory
Here's a link to the actual Core Security vulnerability advisory on the CoreLabs homepage:...
Posted At: 11-04-08
By: Matt Hines
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}r۸j9km]mGJɖlkŶ,%^I*EAER5s'ˮO7t%_2TlFwh4~ 'I">41p3ݩ3I]"I~x(7So92p!j9%G jY)a]̱]׫y(,Q  tjGt0]2xԴ;s:&gves/cߨ:`&`1Z!qF٤XC#: rסyG`nZN<Q܇CѺ8YQw,sxHGH*'x8սi/DeO^b&{By45;^7W;0Ba5w0vˡ黖>? 1nCUVekV}lvy!rs#g ݻHmH%;_qؓ:IuhlUD`iRi13 L5LÑcPp,ǃ) TQ3#}jZ3uk-3G@ؾ!# 3EuL_FBԿ$f…05g?LG`B'lǦ" 'm_j|tv93{x@ffrdHU o~c> C xz`:vxtTa_dY f42ۼMٰn5TתrXJq~/^ߛй-Ӟ=89npoZ×RV5MQ/ ? ?th;XCRy] > EeS<>si^/;YHM~gDR˅4D>-ĆYu_G5](E~o[MR=4,f3} 3+i3*,GQ)?[Zu"uuY6f0ZhCA+tV?#;ӠjqsҼyi_6;7]rҹ&֧qٙyNt8ڟl3Hk*}k! vb M 4}GVK{Ss|"޺xt>&9Io Dz5ɿz۾Bdu#7{ReQ o0ǚ !%9)":sP;H}ڊNm҄Crƒ) tK3;nZK=0[-RFp&\ Дag8gMab&DJH7є6)`I˪ TI%嗋mQq>]R${3BDȝ`g@ A.r)#t 6=aL+^뻹(4,j 8N֛esJVt];zaZTpx=׭&^u.tv-xX18,]evb`\77Jy?6Ra^TUG'Cf[Ԗ-Pò˔u}x? } aO>uٴ6m;4}t>჎$>hƋMrnLLrӇ{u4@{ݣn]=&tfo7,AbCR߭}0CGE 6!v|3c)м`yna23C?F{7t t,/G`\@Z8`$8ʼ E]qb3B7}`Nt&̠>x?ɜ+) )@FHC}Nt"AђF *4 gs#X"C"'Gs`[X;;.VKŤ\*y"JM':ΝWKRx&,S,BV-KᗄPf%i2mlƪń(VFNl(0Vn)eg HlYWo%,~k%fcP*ouRaO_&&ےx A-ʘŗZZG"JMP>V "Cɣ($me6L6;6Ϟ#}nvP jrAj#SaIZObs˖@@@wh߆؊-rij68:ȃX麞~o푛ɸ6X*lфː ;qM cO7,h8)4&61Sbp=PF˸Fq,@XĞ]FCǚO]SWa0H w.}1Gl2\Z歰C=1Չf*3a2TMkN:6R^-!寺0kaT5w^:J3:?b + ;0E<& {Hemy`/cҧ8@ĺ7o`!hj_7`sk'bh!.־7 X=0`6Y4 9\RӲSL jf h> G3DžR2ρްkMFMS؇Qcm/jRٯTʚ5^ 쥨mhDQD hα{t;bG gI,B3]xbbU?3>(/M3$J1N*,7؄ATS3ExjC~ =o UjGpSV3WnU=|U2uMt0a 3ߛ`}lęAkF D;3l} &CJAy^ӀBD]lVE#uyf39aؠGsHR11 ZH$;}'C> Pk-.@"c]f.k<]~oLQXx}[VUO5ỵV1# e 46-.wEЋֶ7 i&!l؞MGe"7";*pbX0٩˕2~s kRUˇFWH=YT\SG~=}Hc'c\kxmb6=Z"⣤j4 J7Ϣ C.;͂Fp]F! g6KBb;?ͥ57cXOBB59(` K% 2_vnESA) u0]6%-:o\!Lc̚e$q*KZ&@ulʪVW%ӴI>N}1ʃQaߍuRԣk}3݀+L)߱q̇5sg\Դ"hw ĶRs?'̅B.pu ( rA-ã, (d0rY+`?&ɠK= j ;!9(| S nCMx)=A`?qp-<91=QUaNT+ʬy48&C ^\}ۅ^?hUeabdE1 7cyJ~Zg'7= SbM2;?RXn)hlsٓNxe?[t۽v!9kOzQ~ZrvXj\S0CHf_tH`)/-~gqA/PAS):*9Q/0[LӷoHW蘧Y;GD_q-5sz4~&,\1Z9nl"=B2^'68]h)9IB"0xc|.A-H7ԺN9 s8v)fTxi'> ^ax!w, q%՝b" rAٸEO,r--̑sS)|AGJ脊fye5))eH5NRMLC]OC/($;kB:xs ݫgaM6mn3j/Nn_",-Y+L#/i\A1Ǎp",G7Dh CT䵤 g[YUHN~,stH1|<ƃFs? "L-r@~A>?uW$ݙf0iF3ƍ`'awʜW#}`Z ?Y ./}v6g>&k>dNƄ `ֳs4GϝO(|i;<6lM`<%U] ?8~InL<:㪏UjC`ayE<.ďg%Cg6!H׺&Ͻ3P+]Ƃ'z =G7om\>e>x>HАߙc=p8#M_^tۭݷؓ ǻoc$Ǯv'ݻw~Zؖ[q*A-wC<3L>?Jdc: M"I^U֩UdU)I]YD)?8b[`@L6CGځ;-3(lm3{F-8_2{K7Kx=*~#{'kLw.GGpSxw{Ze%QJW=(q @kjiAr\<~^YZ䑽DXHڽ]cg[#D:*pc޸O<{cZy‡i襖79wB#AVާA#,0eRK˭Q^'\/_wz̹'=}4&Sn=P~5LZ|[0/B=өioAwxY[Y2]lj.eY"$P@^ူWh̆Եv:yOehvy);R^G1umˈ{plf`܂Kו{xL},YP fY$ =̃r`9TQ,IOKo1a:BȂҎ $@-)bC! &.0 ,3pex9@Lv]G,3JCVD;-ła5 n$_?&x/X/郒%W}ޮ8wwD(G>0vJՂZ^$К\cɽXzLxE¦Qb8hg(K(Jo/ƀl7s4L/C C(˺Eo]{+Vf[$%z\3^f!!t @vj1b(!( onJVP{1 77o9_C#YK”h9G{i_*%Es"L#|ǸC旘Y!]KPz.= AAńDFS2Ek"1Mk.']![T%Ua V^UԤwr\)}t$Fx gQ݇g?TEkIS#TѪbCq: GB؄&W@'Z^! 7eF\#QYoŵȵ)^\qsCKa-̂\:Ru\J+dz/dckG4+nMۖI-l|Wb 8҉dvHW0Bڃ-&*?ʈ nMEa§ěy%(l[rRMJ\ t Yh=cB"!%iA},m؊86/P7f09M}.;L㇑I z4Kؗ,g \'j/|rlzb=6<lg* 7|_kʋs)Tz xRALahAMI~ eT"e,)؄& 6᰿-|>B<"eH.±R~i_Ts ?=ӱzy/uw4Y(+Q飏G: KsbKYHIV”}M6ՓO>ٵaI 63q<ϢY06sd_FR]*VRkX,BI}r1'om6*^kD 78igx݋PtkEZa*RXcJf%" _$?m잏q$Ï#YΆcbVZչGysJ;3 %xv?TgayX ! x$G<㙭q EcIRrVA`6]LzgО]ENx-Xfl B$D61$R;\*Z'Q7g8M_>8+߶ 3 f{<1qn|% ֥4s%52GB8md.7a1,/%тڒ*'5C7ɣy;';';';'qdy_֜kڸ'9p,;pj&T:o,L] $|kLcz 9!|e&XfV,~}7@= ]Tt|:|x>tc8 ȭŨ}{kv۽8ZKx}QJ<0XZ_z׏iG! ?tF0qI,AuyT?Yhױ)u%ak1{#5?.t YVD u #=fz ABZ<'q.]-LXM֗&P@Hr! /Acl{7.u`A0D8xB[ׁu̐3@cCı 2it?oGTȰ l\22Gk=^a“y pƗҊ>[/sty/3v҃V»^r]L]1 rφcX܀qoquSnDo6_m:GonJSu]Lg;QB|-^_FBgG}{˼ X` ZNړʹiİO2wb%1Y~GjOQ5yy.F/ PCnx/15n;*hǿeãEU\So|֊[N[iΞCm%\k6=QiH:ڀRIclRykݰ>;PAgt~D)%t?^(-Y?`P}d˧1V sne2QQ Q?Dw).u;8q'5&&>y| [Dx Q)෋.Bo7N Gvqxr7E/?h _V֌rc[Ate^RTQe~ۘGZj>At3#mz^C GJk&pVy k+mLxY8Ow| 􄼥޼vgO%YՉH,ݾ]*<5&<mQNa)o~c,mWw,w,A|lMᗚkn烔KpʭBף:F̹OMD0FU 2jC7Cy^SLcGVRѪErR4Һv6/kc şv ,TOಈ֞uζücn?y r Ys~RtucoI XPp³MA+WTD~*N ̋XL t4*$:=$wzJ̥7b?= sN8}Mǃ"Ba=X *>IoH!H]U# `xL(zhM뵮aC;3&2[h`#oM}NG7 |Ec 'lI<R?u YVzCy–s\vf+Uֽ?g7L>O>B8!i oZeWW ƈn_fa@p=Sq-1Șh MQ VHxDirvtVnOK!Ls6@@P0H7c=gJp24G#1C+x 6ӆ{(m'_A1(J$U,%" vqY@y#LL݂zĂ![C P71MF·:{3 ӱOi0qsXg- .E.[q{'+[X$Ln 0YK7`C'[jEY|ob{LgA~,K.usx\jHO<$Ѕ:y,@#!9ω k$c 3úޝ/#}|AaPZ  +z+U'I]Ui_)9CȮ KDU8l|.O:jY,f/c/\iBR. ?$-GF쌆=xɺx u0 }a3brMt?4sM"ݏGUݹ$G U¶V-r5uu;WOڗe/W?1=1 kyl2/*vg(P\6.ZNQʩ`Q{̵,<^;OKvE Ccqq^ L/'Q?B)Qe3ʋ QW~c8ec"l^]-Zq YW'>;bfhw>t{r:X)` чZIe s_bQ:oH粕&5+8v<(2ʿ@k(^_~NmdwQ[_4[P~sASiFO?Bg\͌r_;i_fC?t3?C<>v/2Y\d"?/?/2e2OP) 2(rˌ̐Kˌ@;dN~+x*k  7_/z/1>ArS~~2w7Y7{dwɹN2!(odY NoT8G\(_JeYW@a uyQ@yJ2,c2\. f{9;[?_Wǝfr]!,.5PUZk /Y[Sݴq uQ"[~|^Y݉P=v# ߊD,z e%Hi_1\@dY8Ï }Cpzusʱ E.\3EٰkS_!N"iX3!?c7ITgAz_?\vi }eF`O]WvBaIg ie9}0DaO,|Ŷ/!aBc M=X`ǹ~rh`=E(aOezlw9k+Ȁ7H>Y;D,5Rb:(=zk|FXKLMhc{pfi#fSS3 {τ ixv4<1T<nh1)d'kI '60MÄr-"5poq-yeיJ pKg8 g!0X^ZpTT/>%hw2b5_yfOȅ^`\YG7nykb ~g!'˞tҸh>!U7/>!2D!6xVws޹ҍ[^z8pzxٔŠҜ%!t4!ջj4dEg 6A|>Ðy6xL kkV*wV㛼VtƢI:*d_)V ]jv[W셳Qbmئ4*d.%rR⊫+EiQ}*' Cfan%nǝl| n%96L]_[ P9`)