Security Bug Bites Adobe Reader

Core Security Technologies uncovered a flaw in Adobe Reader that could allow an attacker to take control of a vulnerable system. Adobe has reportedly fixed the issue, and a security update is on the way today.

UPDATE: Adobe has patched a critical flaw in its Adobe Reader PDF-file browsing software that could allow hackers to take control of a compromised system.

Researchers at Core Security Technologies found the vulnerability in Adobe Reader 8.1.2, but believe earlier versions may be affected as well. The flaw lies in the way Adobe Reader implements the JavaScript util.printf() function, and can be exploited with a specially crafted PDF file with malicious JavaScript content.

The patch for the issue is available here. The bug also affects Acrobat 8.1.2. Adobe Reader version 9, released in June, is not vulnerable to the problem.

So far, no attacks exploiting this issue have been seen in the wild by Core Security, Ivan Arce, the company's CTO, told eWEEK.

"Basically, an attacker can take full control of the vulnerable endpoint computer, users running Adobe under unprivileged user accounts are slightly better than those that use accounts with full privileges," Arce explained.

The issue was uncovered by a researcher with Core Security while investigating a similar bug affecting Foxit Reader. After an initial examination of the bug, it was believed the issue was not exploitable in Adobe Reader due to the use of two structured exception handlers in the program. Since there seemed to be no way to control Adobe Reader's first exception handler, it appeared at first glance as if the bug was not exploitable.

Further examination, however, proved otherwise; another overflow occurs before the call to the involved code is made in relation to the previously known vulnerability.

According to Core Security, the JavaScript util.printf() function first converts the argument it receives to a String, using only the first 16 digits of the argument and padding the rest with a fixed value of "0" (0x30). By passing an overly long and properly formatted command to the function, it is possible to overwrite the program's memory and control its execution flow.

"We've discovered and tested the bug on Windows operating systems," Arce said. "The bug is present in Adobe 8.1.2 across all supported platforms, but we did not investigate exploitability on other operating systems such as Unix, Linux or Mac OS X. Our research was closely related to the way Adobe Reader uses Structured Exception Handling (SEH) on Windows platforms, so exploitability may be substantially different or even not possible on other platforms."

There is a workaround for the bug - users can disable JavaScript functionality in the software's Edit|Preferences menu.

"Disabling JavaScript may have a significant impact on functionality commonly used in corporate environments or for business purposes," Arce conceded. "That is why we waited for the patch from the vendor to be ready and on only included disabling of JavaScript as a workaround in case installing the patch or upgrading to Adobe Reader 9 isn't possible."

UPDATE: This story has been updated to include the release of Adobe's patch, as well as additional information about the vulnerability.