• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities

Severity: HIGH

Description:

Adobe Acrobat and Reader are freely available, proprietary applications to handle PDF documents.

The applications are prone to multiple arbitrary remote code-execution and security vulnerabilities:

- A design error can be leveraged to gain unauthorized access to an unsuspecting user's printer. The issue arises in the 'DOC.print()' function because Adobe fails to ignore the 'bUI' and 'interactive' properties outside of batch, console, and menu events. Setting the 'interactive' property to 'silent' will allow printing without asking for user confirmation.

- Multiple stack-based buffer-overflow issues affect JavaScript methods in Reader and Acrobat. The problems occur because the software fails to sufficiently validate a string's length before using it in several JavaScript methods. The 'Collab.collectEmailInfo()' method is affected; other methods are also vulnerable.

- An integer-overflow vulnerability affects the 'printSepsWithParams()' function when handling user-supplied parameter values.

- A vulnerability in the 'EScript.api' plugin (based on the reference implementation used in Mozilla products) can be exploited to execute arbitrary code. The problem occurs because the method allows direct control over low-level features of an object.

- A vulnerability in Reader occurs due to an unsafe library path. A path for 'Security Provider' libraries contains the directory that the application was started in; the path may be used to load a file with the same name as a Security Provider library. This could allow attackers to run arbitrary code.

- Two vulnerabilities affect the 'app.checkForUpdate()' function of the JavaScript API. The first issue allows attackers to bypass certain security restrictions and execute restricted JavaScript functions. This can be achieved by defining and using a callback function. Also, a memory-corruption issue presents itself when the 'new Report()' function is executed inside the callback function. The function tries to run code from unexpected memory addresses. Attackers may be able to exploit this to execute arbitrary code. These issues are reported to affect Adobe Acrobat and Reader 7.

- A vulnerability affecting malformed '.joboptions' files. Font names stored in these files as parameters to the '/AlwaysEmbed' and '/NeverEmbed' commands may produce a heap-based buffer-overflow when they are more than 160 characters long.

Other unspecified vulnerabilities may have also been addressed with the release of Reader and Acrobat 8.1.2. We will update this BID as more information becomes available.

Versions prior to Adobe Acrobat and Adobe Reader 8.1.2 are vulnerable to these issues.

Affected Products:

• Adobe Acrobat 3D
• Adobe Acrobat Professional 7.0.0
• Adobe Acrobat Professional 7.0.1
• Adobe Acrobat Professional 7.0.2
• Adobe Acrobat Professional 7.0.3
• Adobe Acrobat Professional 7.0.4
• Adobe Acrobat Professional 7.0.5
• Adobe Acrobat Professional 7.0.6
• Adobe Acrobat Professional 7.0.7
• Adobe Acrobat Professional 7.0.8
• Adobe Acrobat Professional 8.0
• Adobe Acrobat Professional 8.1
• Adobe Acrobat Professional 8.1.1
• Adobe Acrobat Reader 3.0.0
• Adobe Acrobat Reader 4.0.0
• Adobe Acrobat Reader 4.0.0 5
• Adobe Acrobat Reader 4.0.0 5c
• Adobe Acrobat Reader 4.0.5 A
• Adobe Acrobat Reader 5.0.0
• Adobe Acrobat Reader 5.0.10
• Adobe Acrobat Reader 5.0.5
• Adobe Acrobat Reader 5.1.0
• Adobe Acrobat Reader 6.0.0
• Adobe Acrobat Reader 6.0.1
• Adobe Acrobat Reader 6.0.2
• Adobe Acrobat Reader 6.0.3
• Adobe Acrobat Reader 6.0.4
• Adobe Acrobat Reader 7.0.0
• Adobe Acrobat Reader 7.0.1
• Adobe Acrobat Reader 7.0.2
• Adobe Acrobat Reader 7.0.3
• Adobe Acrobat Reader 7.0.4
• Adobe Acrobat Reader 7.0.5
• Adobe Acrobat Reader 7.0.6
• Adobe Acrobat Reader 7.0.7
• Adobe Acrobat Reader 7.0.8
• Adobe Acrobat Reader 7.0.8
• Adobe Acrobat Reader 7.0.9
• Adobe Acrobat Reader 8.0
• Adobe Acrobat Reader 8.1
• Adobe Acrobat Reader 8.1.1
• Adobe Acrobat Standard 8.1.1
• Avaya Interactive Response 2.0
• Avaya Interactive Response 3.0
• Gentoo Linux
• Gentoo Linux 2007.0
• Nortel Networks Media Processing Svr 100
• Nortel Networks Media Processing Svr 1000 Rel 3.0
• Nortel Networks Media Processing Svr 500 Rel 3.0
• Nortel Networks Peri Application
• Nortel Networks Self-Service
• Nortel Networks Self-Service - Peri Application Rel 3.0
• Nortel Networks Self-Service MPS 1000
• Nortel Networks Self-Service MPS 500
• Nortel Networks Self-Service Media Processing Server
• Nortel Networks Self-Service Speech Server
• RedHat Enterprise Linux Desktop Supplementary 5 client
• RedHat Enterprise Linux Extras 3
• RedHat Enterprise Linux Extras 4
• RedHat Enterprise Linux Supplementary 5 server
• S.u.S.E. Linux Personal 10.1
• S.u.S.E. Linux Professional 10.1
• S.u.S.E. SLE SDK 10.SP1
• S.u.S.E. SUSE Linux Enterprise Desktop 10 SP1
• S.u.S.E. SUSE Linux Enterprise Server 10 SP1
• S.u.S.E. openSUSE 10.2
• S.u.S.E. openSUSE 10.3
• Sun Solaris 10

References:

• Adobe: APSA08-01 Security update available for Adobe Reader and Acrobat 8
• Adobe: APSB08-13 Security Updates available for Adobe Reader and Acrobat 7 and 8
• Adobe: Adobe Reader 8 Homepage
• Adobe: Adobe Reader 8.1.2 Release Notes
• Adobe: Adobe Reader Download Page
• Avaya: ASA-2008-281 Multiple Security Vulnerabilities in the Adobe Reader may lead to E
• Nortel Networks: Nortel Response to Adobe Reader Vulnerabilities (APSA08-01)
• Nortel Networks: Nortel response to Adobe Advisory APSB08-13
• Red Hat: RHSA-2008:0144-5 acroread security update
• Security-Assessment.com: Malformed .joboptions File Effecting Adobe Acrobat Distiller v8
• Sun Microsystems: Solution 239286: Multiple Security Vulnerabilities in the Adobe Reader may lead
• US-CERT: Technical Cyber Security Alert TA08-043A
• US-CERT: Vulnerability Note VU#140129 Adobe Reader EScript.api arbitrary code execution
• US-CERT: Vulnerability Note VU#666281 Adobe JavaScript methods buffer overflow vulnerabil
• ZDI: ZDI-08-004 Adobe Acrobat Javascript for PDF Integer Overflow Vulnerability
• iDefense: Adobe Reader Security Provider Unsafe Libary Path Vulnerability
• iDefense: Adobe Reader and Acrobat JavaScript Insecure Method Exposure Vulnerability
• iDefense: Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities
• pablo.sole@immunityinc.com: Attacking Embedded Languages

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.