Adobe Reader and Adobe Acrobat Remote Code Execution
| Notification Type: |
IBM Internet Security Systems Protection Alert |
| Notification Date: |
Feb. 12, 2008 |
| Notification Version: |
1.1 |
| |
|
| Name: |
Adobe Reader and Adobe Acrobat Remote Code Execution |
Public disclosure/
In the wild date: |
Feb. 7, 2008 (vendor vuln disclosure), Jan. 20, 2008 (public exploits), end of Aug. 2008 (widespread exploitation) |
| CVE: |
CVE-2007-5659 and CVE-2007-5663 |
| Description: |
Adobe Acrobat Reader and Adobe Acrobat 8.1.1 and earlier are vulnerable to multiple vulnerabilities that would allow an attacker to execute arbitrary code on a remote system by enticing a user to open a specially-crafted PDF file. One of these vulnerabilities attacked in the wild in Jan. 2008. At the end of Aug., attacks using this vulnerability started picking up and, within a few weeks, have reached widespread exploitation. |
ISS Coverage |
| Product |
Content Version |
|
Network Sensor 7.0
Proventia A
Proventia IPS (G/GX)
Server Sensor 7.0
Proventia Multifunction Appliance
Proventia Mail
Proventia Server (Linux) |
XPU 28.020 |
Proventia Server (Windows)
Proventia Desktop |
2160 |
| BlackICE PC Protection 3.6 |
cqv |
|
| Propagation Techniques |
ISS Protection |
Available |
| web/remote exploit |
Buffer Overflow Exploit Prevention (BOEP)
PDF_JavaScript_Exploit
PDF_JavaScript_Detected
JavaScript_NOOP_Sled |
Base version of Proventia Desktop/Server and RealSecure Server Sensor
Feb 13, 2008 |
|
Malicious program known
to be dropped by PDFs
circulating in the wild
(Zonebac) |
Trojan.Zonebac (Proventia Desktop only)
Troj/Agent-GEP (Proventia M only)
Troj/Agent-EBS (Proventia M only)
Troj/Canida-Fam (Proventia M only) |
June 22, 2007
Oct 23, 2007
Feb 7, 2007
Oct 24, 2007 |
|
|
|
Detailed Description |
| Business Impact: |
This vulnerability could result in remote code execution if a victim opens a specially crafted Adobe Acrobat (.pdf) document in an affected version of Adobe Reader or Adobe Acrobat. As always, ensure that documents like PDFs come from a trusted source before opening them. |
| CVSS: |
Base Score: |
9.3 |
| |
Access Vector: |
Network |
| Access Complexity: |
Medium |
| Authentication: |
None |
| Confidentiality Impact: |
Complete |
| Integrity Impact: |
Complete |
| Availability Impact: |
Complete |
| Impact Bias: |
Normal |
| Adjusted Temporal Score: |
7.7 |
| |
Exploitability: |
Functional |
| Remediation Level: |
Official Fix |
| Report Confidence: |
Confirmed |
| Affected Products: |
For a full list of affected software and versions, see references below. |
| Technical Description: |
XFID 40410 (CVE-2007-5659)
Adobe Acrobat and Adobe Reader are vulnerable to multiple stack-based buffer overflows, caused by improper bounds checking by multiple unspecified JavaScript methods. By persuading a victim to open a specially-crafted .PDF file, a remote attacker could overflow a buffer and execute arbitrary code on the system with privileges of the victim or cause the application to crash.
XFID 40424 (CVE-2007-5663)
Adobe Reader could allow a remote attacker to execute arbitrary code, caused by the use of an insecure method in the JavaScript implementation used by the EScript.api plug-in. By persuading a victim to open a specially-crafted .PDF file, a remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with the privileges of the victim or cause the application to crash. |
| Remediation: |
Users can upgrade to 8.1.2 to remediate this vulnerability. Patches for other versions were not available as of Feb. 12, 2008, but were eventually released for 7.0. |
|
References |
|
|
Revision History |
| 1.0 |
Initial publication. |
| 1.1 |
Added information about wide-spread exploitation, updated patch details, and added additional signature coverage information. |
|
|
About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.
|
