
MA-153.032009: MyCERT Special Alert - Adobe Acrobat getIcon() Stack Overflow Vulnerability

1.0 Introduction

A critical vulnerability has been identified in Adobe Reader 9 and earlier versions. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat and Adobe Reader. User interaction is required: a user must visit a malicious web site or open a malicious PDF file.

The specific flaw exists when processing malicious JavaScript contained in a PDF document. The getIcon() function of the Collab object suffers from a stack buffer overflow when parsing crafted input. If successfully exploited, an attacker can gain full control of the affected machine with the privileges of the currently logged-in user.
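As an added illustration, not part of the original advisory, the following Python heuristic scans a PDF's inline JavaScript actions for calls to Collab.getIcon() and flags those whose argument is not a short string literal. The sample PDF bytes are constructed here, the 64-character threshold is an assumption, and scripts stored in compressed streams would need to be decoded before scanning.

```python
import re
from typing import Dict, List

# PDF JavaScript action whose script is an inline literal string: /JS (...) >>
# Scripts referenced indirectly (/JS 5 0 R) or kept in FlateDecode streams
# must be resolved and decompressed first; that is out of scope here.
JS_LITERAL = re.compile(rb"/JS\s*\((.*?)\)\s*>>", re.DOTALL)
GETICON_CALL = re.compile(rb"Collab\s*\.\s*getIcon\s*\(\s*(.*?)\s*\)", re.DOTALL)
STRING_LITERAL = re.compile(rb"[\"'](.*)[\"']", re.DOTALL)


def pdf_unescape(raw: bytes) -> bytes:
    """Undo the PDF literal-string escapes \\( \\) \\\\ so the JS text reads normally."""
    return re.sub(rb"\\([()\\])", rb"\1", raw)


def scan_pdf(data: bytes, max_arg_len: int = 64) -> List[Dict]:
    """Return one finding per Collab.getIcon() call found in inline JS actions.

    A call is marked suspicious when its argument is not a string literal
    (e.g. a variable built at runtime) or when the literal is longer than
    max_arg_len, since the advisory's flaw is triggered by oversized input.
    """
    findings = []
    for action in JS_LITERAL.finditer(data):
        script = pdf_unescape(action.group(1))
        for call in GETICON_CALL.finditer(script):
            arg = call.group(1)
            literal = STRING_LITERAL.fullmatch(arg)
            arg_len = len(literal.group(1)) if literal else None
            findings.append({
                "offset": action.start(),           # byte offset of the /JS action
                "arg_is_literal": literal is not None,
                "arg_len": arg_len,
                "suspicious": literal is None or arg_len > max_arg_len,
            })
    return findings


# Constructed sample: one benign JS action and one getIcon() call with a
# 300-byte literal argument (a filler string, not exploit content).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS (Collab.getIcon(\"" + b"A" * 300 + b"\");) >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS (app.alert(\"hello\");) >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f)
```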

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary code on vulnerable installations of Adobe Acrobat and Adobe Reader and gain the same privileges as the user. The attack can be launched locally or remotely, for example by abusing the Adobe Acrobat web browser plugin.

3.0 Affected Products

The majority of Adobe Acrobat and Adobe Reader releases are affected by this bug. Below is the detailed list of vulnerable versions:

  • Adobe Reader 9 and earlier versions
  • Adobe Acrobat 9 Standard, Pro, and Pro Extended and earlier versions

4.0 Recommendation

  • Upgrade to Adobe Reader 9.1. It can be downloaded from this URL: http://get.adobe.com/reader/
  • If you are unable to upgrade Adobe Reader, it is advisable to do the following:
      • Use alternative software in place of Adobe Reader.
      • Do not open email attachments received from unknown persons or that you were not expecting.

5.0 References


Disclaimer | Copyright © 2009 - CyberSecurity Malaysia