MA-152.032009: MyCERT Special Alert - Adobe Reader and Acrobat JBIG2 Encoded Stream Heap Overflow Vulnerability

1.0 Introduction

A critical vulnerability has been identified in Adobe Reader 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited. MyCERT received reports from various organizations and security researcher groups mentioned that the exploits are have been used in the wild.

The vulnerability occurs when parsing a JBIG2-encoded stream inside of a PDF file. JBIG2 is an image encoding format that is primarily used for encoding monochrome images such as faxes.

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary commands on the user's computer. The attacker will have the same privilege as the user.

3.0 Affected Products

Majority of Adobe Acrobat Reader software are vulnerable by this bug. Below is the details list of vulnerable version:

• Adobe Reader 9 and earlier versions
• Adobe Acrobat 9 Standard, Pro, and Pro Extended and earlier versions

4.0 Recommendation

• Upgrade to Adobe Reader 9.1. It can be downloaded from this URL : http://get.adobe.com/reader/
• If user is not able to upgrade the Adobe Reader, it is advisable to do the followings:
• Open PDF files with least privilege to limit the execution of the malicious file.
• Do not open attachment received via email from unknown person or unexpected.

5.0 References

• http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=776
• http://www.adobe.com/support/security/bulletins/apsb09-04.html
• http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0928