Adobe Acrobat JavaScript flaw exploit in the wild

By Ed Oswald | Published June 24, 2008, 11:57 AM

Computer researchers at Johns Hopkins University have discovered a flaw within most recent version of Adobe's Reader and Acrobat software applications that could allow hackers to take control of vulnerable systems.

"Adobe categorizes this as an critical issue and recommends affected users update their installations," Adobe said in an advisory today.

There are reports that the exploit is in the wild, which both Adobe and security firm Secunia appear to be taking seriously.

The problem affects Acrobat and Reader versions 7.0.9 and earlier, as well as versions 8.0 through 8.1.2. Adobe disclosed the vulnerability on Monday in conjunction with the release of a security update for the current version, which is 8.1.2.

Users of version 7.1 are not affected by the vulnerability, and Adobe says Acrobat and Reader 9 which are due out in July are also immune.

According to a security bulletin by SecurityFocus, user input is not sanitized correctly. Essentially, an attacker could launch code remotely, which would in turn allow him to take control of an affected system.

More specifically, the problem is related to an input validation issue with JavaScript usage in either product. Indeed, JavaScript can be embedded in PDF files, so a JavaScript problem need not necessarily be browser-based.

SecurityFocus said the issue could be related to another earlier reported flaw late last month which involved a remote denial-of-service issue. At the time it was not known if code execution would be possible. That flaw affected similar versions of Adobe Reader.

Comments

Noscript extension for Firefox = awesome

Also I still hate PDF for being a proprietary format.

Score: 0

|

I just tried this patch and it doesn't do anything after install. Doesn't show up in add/remove programs either...

Score: 0

|

Adobe is calling this "Security Update 1" and leaving the product version at 8.1.2, so the existing Add/Remove entry for 8.1.2 is all that you will see. You cannot remove SU1 without removing 8.1.2 completely. You can tell that SU1 is installed by looking at the value named VersionSU in the registry key HKLM\SOFTWARE\Adobe\Adobe Acrobat\8.0\Installer and/or HKLM\SOFTWARE\Adobe\Adobe Reader\8.0\Installer (depending on whether you've got full Acrobat and/or the Reader). The value will be missing if SU1 is not installed, or 1 if installed. Presumably, it could be bumped to 2 if they do another SU for 8.1.2.

The Annots.api file (a plug-in) is updated to build 215 (version 8.1.2.215). This is the only real change to the application code. There are some other changes made to your system by the patch but their purpose is just to adjust the Windows Installer database so that a "repair" will not revert Annots.api to the vulnerable release.

Score: 0

|

Sloppy. Why no confirmation of the patch? It just disappears...

Score: 0

|

What do you want? It requires a click to dismiss the dialoge box after install. And the previous poster gave you instructions on how to verify.

Score: 0

|

I don't understand why they didn't just bump the version to 8.1.3 (even for this small fix) - far less confusing, and it hints to 8.1.2 users that they're not "up-to-date".

Score: 0

|

Well, As I suspected the update is broken. After I apply it Acrobat still wishes to update using the auto-update mechanism.

Score: 0

|

"Adobe categorizes this as an critical issue and recommends affected users update their installations," Adobe said in an advisory today."

It an critical. They has fail!

Also: what security update? Doesn't seem to be available through the update feature in Adobe Reader.

Score: 0

|

yes adobe is very clearly a cat with a slice of american cheese on its head.

Score: 0

|

LOL
CAT

/please excuse me

Score: 0

|

I can't help Adobe's grammar is bad, I quote it as we see it. But we will edit their grammar just for you Paul. :)

Score: 0

|

It is as of 7:40 PM PT.

Score: 0

|

Can Linux do BitLocker better than Windows 7?

Betanews kicks off a new series with a look at how the Linux operating system's FDE stacks up against BitLocker, the Windows feature that today commands a $120 premium.

Firefox 3.5: The need for speed

This has been the big payoff week for Mozilla's developers, who worked overtime to squeeze out the last drop of performance from their new JavaScript engine.

'GeoHot' gets a shower, cleans up nice, reveals new iPhone 3G S jailbreak

Either puberty has been very kind to the author of the new 'Purple Ra1n' jailbreak tool, or George Hotz may also have some adequate Photoshop skills.

What's Next: Obama gives 'Einstein' the go-ahead, while China gives 'Green Dam' a thumbs-down

Plus: If you put up a Web site and name it after you and you're a federal judge, you might not want a bunch of weird nudity hanging around on it.

Why would Windows 7 customers spend $120 more for BitLocker?

For pre-orders from now until July 11, Microsoft is offering the Windows 7 Professional SKU for a very steep discount. So why invest in Ultimate?

Geeks vs. journalists: A tale of two worldviews

Recovery with Angela Gunn Why geeks think most mainstream journalism is flaky, and why the mainstream thinks geeks are trying to kill them. (They're both right.)

Fire in downtown Seattle data center knocks out businesses, online services

Small fire has global impact with payment centers, city services down.

Hybrid satellite cell phones aren't far off

The first satellite in Terrestar's hybrid cellular/satellite phone network has been launched.

SMS could be a critical iPhone vulnerability, says white-hat hacker

Mac hacker Charlie Miller knows how to get into your iPhone.

Will Oracle's Java-based Fusion middleware 'fuse' with Java?

Now that Oracle has acquired Sun Microsystems, Java developers and supporters are wondering when Oracle will formally welcome Java into the family.

All together now: iPhone and Palm Pre, likely to both grace O2's UK portfolio

European wireless network operator O2 has reportedly reached a deal to exclusively carry the Palm Pre in the UK. O2,...

Vista's dead: Microsoft kills an OS and no one cares

Carmi Levy: Wide Angle Zoom Can you kill an operating system? Microsoft is about to find out.

Kantaris Media Player 0.5.7

July 3 - 5:34 PM ET

Wine 1.1.25

July 3 - 5:30 PM ET

ChrisTV Online! Free 4.00

July 3 - 5:22 PM ET

glu 1.0.19 RC1

July 3 - 5:11 PM ET

Website-Watcher 5.1.0 Beta 10

July 3 - 1:20 PM ET