MA-148.022009: MyCERT Special Alert - Vulnerability in 9.0 and earlier of Adobe Reader and Acrobat (APSA09-01)

1.0 Introduction

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited. MyCERT received reports from various organizations and security researcher groups mentioned that the exploits are have been used in the wild.

For this time of writing, Adobe has not yet released any patch for the vulnerability. Adobe will release the patch soon and expected the date will be on March 11th, 2009 for Adobe Reader version 9. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow. In the meantime, Adobe is in contact with anti-virus vendors on this issue to rectify the problems.

For this time of writing, MyCERT is aware about the availability exploits for this vulnerability but with limited distribution. There are not yet publicly available for the exploit.

Adobe rates the vulnerability as 'critical'. MyCERT urged public not to open any unknown source of pdf files since the update for this vulnerability is not yet available.

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary commands on the user's computer. The attacker will have the same privilege as the user.

MyCERT has done some analysis based on exploits available on the limited sample distribution and can confirm this observation. The exploitation is relying on javascript engine in Adobe Reader to get executed.

3.0 Affected Products

Majority of Adobe Acrobat Reader software are vulnerable by this bug. Below is the details list of vulnerable version:

• Adobe Acrobat Standard all version (Current Version is 9)
• Adobe Acrobat Reader all version (Current Version is 9)

For details of each vulnerable version and software for Adobe Acrobat, please visit link [5]. The impact for each environment is critical and allows code executions in the user contact.

4.0 Recommendation

Since the patch is not yet available for public, MyCERT would recommend public to turn off (disable) javascript function inside Adobe Acrobat Reader. Please follow steps below to disable javascript:

1.Open Your Adobe Reader software

2.Navigate to Edit -> Preferences -> JavaScript

3.Select 'uncheck' for javascript enable.

4.Close the Adobe Reader Software for change to take affect.

MyCERT is aware about unofficial patch provided by Sourcefire. The patch hasn't been tested fully for all version of Adobe Reader software. Please apply the patch at your own risk. Please download the patch from this link http://www.snort.org/vrt/tools/AcroRdv9-Patch.zip. Sourcefire is the company who produce snort IDS so the link for the download is hosted at snort's website. The patch is only for version 9 only. Please upgrade to the latest version before applying this patch.

5.0 References

• http://www.adobe.com/support/security/advisories/apsa09-01.html
• http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
• http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221
• http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html
• http://www.securityfocus.com/bid/33751