UPDATE: Adobe has patched a critical flaw in its Adobe Reader PDF-file browsing software that could allow hackers to take control of a compromised system.
The patch for the issue is available here. The bug also affects Acrobat 8.1.2. Adobe Reader version 9, released in June, is not vulnerable to the problem.
So far, no attacks exploiting this issue have been seen in the wild by Core Security, Ivan Arce, the company’s CTO, told eWEEK.
“Basically, an attacker can take full control of the vulnerable endpoint computer, users running Adobe under unprivileged user accounts are slightly better than those that use accounts with full privileges,” Arce explained.
The issue was uncovered by a researcher with Core Security while investigating a similar bug affecting Foxit Reader. After an initial examination of the bug, it was believed the issue was not exploitable in Adobe Reader due to the use of two structured exception handlers in the program. Since there seemed to be no way to control Adobe Reader’s first exception handler, it appeared at first glance as if the bug was not exploitable.
Further examination, however, proved otherwise; another overflow occurs before the call to the involved code is made in relation to the previously known vulnerability.
“We’ve discovered and tested the bug on Windows operating systems,” Arce said. “The bug is present in Adobe 8.1.2 across all supported platforms, but we did not investigate exploitability on other operating systems such as Unix, Linux or Mac OS X. Our research was closely related to the way Adobe Reader uses Structured Exception Handling (SEH) on Windows platforms, so exploitability may be substantially different or even not possible on other platforms.”
UPDATE: This story has been updated to include the release of Adobe’s patch, as well as additional information about the vulnerability.