MA-249.092010 : MyCERT Alert - Multiple Critical Vulnerabilities in Adobe Acrobat and Reader

Date of publication: 2010-09-09

1.0 Introduction

A critical vulnerability (CVE-2010-2883) has been identified in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. [1]

This issue is caused by a buffer overflow error in the "CoolType.dll" module when processing a PDF document containing malformed SING (Smart INdependent Glyphlets) fonts, which could be exploited by attackers to crash an affected application or execute arbitrary code by tricking a user into opening a specially crafted PDF document. [2]

MyCERT is aware that a '0-day' exploit is available in the wild and is actively being used by attackers.

2.0 Impact

An attacker who successfully exploits these vulnerabilities will be able to execute code remotely and gain the same privileges as the user. Unsuccessful attacks may result in a denial of service (DoS).

3.0 Affected Products

The majority of Adobe Acrobat and Adobe Reader versions are prone to this vulnerability. Below is the list of vulnerable products:

- Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
- Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

4.0 Recommendation

At the time of this writing, Adobe has not released any patches to address this vulnerability.

4.1 Even though this issue does not require JavaScript to be enabled in order to trigger the vulnerability, samples of the exploit in the wild show that JavaScript is used to obfuscate the exploit code. Therefore, users are recommended to disable JavaScript support in Adobe Reader and Adobe Acrobat. [3] JavaScript can be disabled by doing the following:

a) Disable JavaScript in Adobe Acrobat and Adobe Reader

1. Open your Adobe Acrobat or Adobe Reader software.
2. Navigate to Edit -> Preferences -> JavaScript.
3. Uncheck 'Enable Acrobat JavaScript'.

Close the Adobe Acrobat or Adobe Reader software for the change to take effect.
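
As an added example (not part of the MyCERT advisory and not Adobe tooling), the following Python script triages a PDF for the two traits described above: JavaScript names, including hex-escaped spellings, and an embedded font whose table directory lists a SING table. All function names and the sample bytes are constructed for illustration, and only uncompressed and FlateDecode streams are inspected.

```python
import re
import struct
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
JS_NAME = re.compile(rb"/(?:JS|JavaScript)(?![0-9A-Za-z])")
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO")

def count_js_names(chunk: bytes) -> int:
    """Count /JS and /JavaScript names after decoding #xx escapes (/J#61vaScript)."""
    decoded = HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), chunk)
    return len(JS_NAME.findall(decoded))

def count_sing_tables(font: bytes) -> int:
    """Count 'SING' entries in an sfnt table directory (16-byte records at offset 12)."""
    if len(font) < 12 or font[:4] not in SFNT_MAGIC:
        return 0
    num_tables = struct.unpack_from(">H", font, 4)[0]
    hits = 0
    for rec in range(12, 12 + 16 * num_tables, 16):
        if rec + 16 > len(font):
            break  # directory claims more records than the data holds
        if font[rec:rec + 4] == b"SING":
            hits += 1
    return hits

def triage_pdf(data: bytes) -> dict:
    """Flag a PDF that carries JavaScript names or a font with a SING table."""
    report = {"javascript": count_js_names(STREAM_RE.sub(b"", data)), "sing_tables": 0}
    for match in STREAM_RE.finditer(data):
        body = match.group(1)
        try:
            body = zlib.decompressobj().decompress(body)  # FlateDecode streams
        except zlib.error:
            pass  # other filter or uncompressed: inspect the raw bytes
        report["javascript"] += count_js_names(body)  # names inside object streams
        report["sing_tables"] += count_sing_tables(body)
    report["suspicious"] = bool(report["javascript"] or report["sing_tables"])
    return report

def constructed_sample() -> bytes:
    """Constructed input for the demo: a PDF-like byte string, not a real sample."""
    font = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 0, 0, 0)
    font += struct.pack(">4sIII", b"SING", 0, 28, 4) + b"\x00" * 4
    return (b"%PDF-1.4\n1 0 obj<</S/J#61vaScript/JS(;)>>endobj\n"
            b"2 0 obj<</Filter/FlateDecode>>\nstream\n" + zlib.compress(font)
            + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    print(triage_pdf(constructed_sample()))
```

A hit is a reason to quarantine the file for analyst review, not proof of exploitation; streams using other filters or encryption are not decoded by this check.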

Users are also recommended to browse the Internet with a least-privilege user account to limit the execution of malicious files, and not to open attachments or browse to unknown websites received via email from unknown persons or unexpectedly.

MyCERT advises users of the products mentioned in this advisory to keep themselves updated with the latest security announcements from the products' vendor.

MyCERT can be reached through the following channels:

E-mail : mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References

i. http://www.adobe.com/support/security/advisories/apsa10-02.html
ii. http://www.vupen.com/english/advisories/2010/2331
iii. http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html