Executive Summary

This alert is flagged under the CWE/SANS Top 25 Common Weakness Enumeration list.
Summary
Title: Adobe Reader and Acrobat Vulnerabilities
Information
Name: TA10-013A
First vendor publication: 2010-01-13
Vendor: US-CERT
Last vendor modification: 2010-01-13
Severity (vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact subscore: N/A
Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10
Attack range: Network
CVSS impact score: 10
Attack complexity: Low
CVSS exploit score: 10
Authentication: None required

Detail

Adobe has released Security bulletin APSB10-02, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat.

I. Description

Adobe Security Advisory APSB10-02 describes a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Reader 9.2 and earlier 9.x versions and 8.1.7 and earlier 8.x versions. Further details are available in the US-CERT Vulnerability Notes Database.

An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in is available for multiple web browsers and operating systems, which can automatically open PDF documents hosted on a website.

Some of these vulnerabilities are being actively exploited.

II. Impact

These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF document.

III. Solution

Update

Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB10-02 and update vulnerable versions of Adobe Reader and Acrobat.

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript; un-check Enable Acrobat JavaScript).

Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00

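An audit for the workaround above, as an added example that is not part of the US-CERT alert: it reads the text of a registry export and lists the keys whose EditFlags value still has the open-without-prompting bit set. The bit value (FTA_OpenIsSafe, 0x00010000) comes from the Windows FILETYPEATTRIBUTEFLAGS enumeration rather than from the alert, and the sample export, including the placeholder ProgID, is constructed.

```python
import re

# Windows FILETYPEATTRIBUTEFLAGS bit: the shell may open the file after
# download without asking. Taken from the Windows SDK, not from the alert.
FTA_OPEN_IS_SAFE = 0x00010000

# Constructed sample export. Only AcroExch.Document.7 comes from the alert;
# Placeholder.ProgID.1 is a made-up name for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,01,00

[HKEY_CLASSES_ROOT\Placeholder.ProgID.1]
@="constructed entry"
"EditFlags"=dword:00000000
'''

KEY_RE = re.compile(r'\[(.+)\]')
VAL_RE = re.compile(r'"EditFlags"=(hex|dword):([0-9A-Fa-f,]+)')


def parse_edit_flags(reg_text):
    """Return {key path: EditFlags as int} for every key that sets the value."""
    flags, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.fullmatch(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.fullmatch(line)
        if not (m and key):
            continue
        kind, data = m.groups()
        if kind == "dword":
            flags[key] = int(data, 16)
        else:
            # REG_BINARY form: comma-separated bytes, little-endian.
            raw = bytes(int(b, 16) for b in data.split(",") if b)
            flags[key] = int.from_bytes(raw[:4].ljust(4, b"\0"), "little")
    return flags


def auto_open_keys(reg_text):
    """Keys whose EditFlags still allows opening without a prompt."""
    found = parse_edit_flags(reg_text)
    return sorted(k for k, v in found.items() if v & FTA_OPEN_IS_SAFE)


if __name__ == "__main__":
    for key in auto_open_keys(SAMPLE_REG):
        print("auto-open still enabled:", key)
```

Files written by regedit or `reg export` are UTF-16, so decode them before passing the text in.
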
Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser will partially mitigate this vulnerability. If this workaround is applied it may also mitigate future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser, do the following:

1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA10-013A.html

CWE : Common Weakness Enumeration

% Id Name
29 % CWE-399 Resource Management Errors
29 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
14 % CWE-189 Numeric Errors (CWE/SANS Top 25)
14 % CWE-94 Failure to Control Generation of Code ('Code Injection')
14 % CWE-16 Configuration

OVAL Definitions

 
Oval ID: oval:org.mitre.oval:def:21374
Title: RHSA-2010:0037: acroread security and bug fix update (Critical)
Description: Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.
Family: unix Class: patch
Reference(s): RHSA-2010:0037-01
CVE-2009-3953
CVE-2009-3954
CVE-2009-3955
CVE-2009-3956
CVE-2009-3959
CVE-2009-4324
Version: 81
Platform(s): Red Hat Enterprise Linux 5
Product(s): acroread
 
Oval ID: oval:org.mitre.oval:def:22917
Title: ELSA-2010:0037: acroread security and bug fix update (Critical)
Description: Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.
Family: unix Class: patch
Reference(s): ELSA-2010:0037-01
CVE-2009-3953
CVE-2009-3954
CVE-2009-3955
CVE-2009-3956
CVE-2009-3959
CVE-2009-4324
Version: 29
Platform(s): Oracle Linux 5
Product(s): acroread
 
Oval ID: oval:org.mitre.oval:def:6795
Title: Adobe Reader and Acrobat Unspecified Code Execution Vulnerability
Description: Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.
Family: windows Class: vulnerability
Reference(s): CVE-2009-4324
Version: 16
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows 7
Product(s): Adobe Reader
Adobe Acrobat
 
Oval ID: oval:org.mitre.oval:def:7975
Title: Adobe Reader and Acrobat Null Pointer Dereference Denial of Service Vulnerability
Description: Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow attackers to cause a denial of service (NULL pointer dereference) via unspecified vectors.
Family: windows Class: vulnerability
Reference(s): CVE-2009-3957
Version: 16
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows 7
Product(s): Adobe Reader
Adobe Acrobat
 
Oval ID: oval:org.mitre.oval:def:8242
Title: Adobe Reader and Acrobat U3D Remote Code Execution Vulnerability
Description: The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 allows remote attackers to execute arbitrary code via malformed U3D data in a PDF document, related to a CLODProgressiveMeshDeclaration "array boundary issue," a different vulnerability than CVE-2009-2994.
Family: windows Class: vulnerability
Reference(s): CVE-2009-3953
Version: 16
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows 7
Product(s): Adobe Reader
Adobe Acrobat
 
Oval ID: oval:org.mitre.oval:def:8255
Title: Adobe Reader and Acrobat JpxDecode Memory Corruption Vulnerability
Description: Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted JPC_MS_RGN marker in the Jp2c stream of a JpxDecode encoded data stream, which triggers an integer sign extension that bypasses a sanity check, leading to memory corruption.
Family: windows Class: vulnerability
Reference(s): CVE-2009-3955
Version: 16
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows 7
Product(s): Adobe Reader
Adobe Acrobat
 
Oval ID: oval:org.mitre.oval:def:8327
Title: Adobe Reader and Acrobat Remote Security Bypass Vulnerability
Description: The default configuration of Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, does not enable the Enhanced Security feature, which has unspecified impact and attack vectors, related to a "script injection vulnerability," as demonstrated by Acrobat Forms Data Format (FDF) behavior that allows cross-site scripting (XSS) by user-assisted remote attackers.
Family: windows Class: vulnerability
Reference(s): CVE-2009-3956
Version: 16
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows 7
Product(s): Adobe Reader
Adobe Acrobat
 
Oval ID: oval:org.mitre.oval:def:8455
Title: Adobe Reader and Acrobat Download Manager Remote Code Execution Vulnerability
Description: Multiple stack-based buffer overflows in the NOS Microsystems getPlus Helper ActiveX control before 1.6.2.49 in gp.ocx in the Download Manager in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow remote attackers to execute arbitrary code via unspecified initialization parameters.
Family: windows Class: vulnerability
Reference(s): CVE-2009-3958
Version: 16
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows 7
Product(s): Adobe Reader
Adobe Acrobat
 
Oval ID: oval:org.mitre.oval:def:8528
Title: Adobe Reader and Acrobat DLL Loading in 3D Remote Code Execution Vulnerability
Description: The 3D implementation in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow attackers to execute arbitrary code via unspecified vectors, related to a "DLL-loading vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-3954
Version: 16
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows 7
Product(s): Adobe Reader
Adobe Acrobat
 
Oval ID: oval:org.mitre.oval:def:8539
Title: Adobe Reader and Acrobat U3D Support Remote Code Execution Vulnerability
Description: Integer overflow in the U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a malformed PDF document.
Family: windows Class: vulnerability
Reference(s): CVE-2009-3959
Version: 16
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows 7
Product(s): Adobe Reader
Adobe Acrobat

CPE : Common Platform Enumeration

Type Description Count
Application 128
Application 81

SAINT Exploits

Description
Adobe Reader media.newPlayer Use-After-Free Code Execution

ExploitDB Exploits

Date Description
2009-12-23 Adobe Reader and Acrobat (CVE-2009-4324) Exploit

OpenVAS Exploits

Date Description
2011-03-09 Name : Gentoo Security Advisory GLSA 201009-05 (acroread)
File : nvt/glsa_201009_05.nasl
2010-01-29 Name : SuSE Update for acroread SUSE-SA:2010:008
File : nvt/gb_suse_2010_008.nasl
2010-01-16 Name : Adobe Reader/Acrobat Multiple Vulnerabilities - Jan10 (Win)
File : nvt/gb_adobe_prdts_mult_vuln_jan10_win.nasl
2010-01-16 Name : Adobe Reader Multiple Vulnerabilities -jan10 (Linux)
File : nvt/gb_adobe_reader_mult_vuln_jan10_lin.nasl
2009-12-21 Name : Adobe Reader Multimeda Doc.media.newPlayer Code Execution Vulnerability (Linux)
File : nvt/gb_adobe_prdts_media_obj_remote_code_exec_vuln_dec09_lin.nasl
2009-12-21 Name : Adobe Reader/Acrobat Multimedia Doc.media.newPlayer Code Execution Vulnerabil...
File : nvt/gb_adobe_prdts_media_obj_remote_code_exec_vuln_dec09_win.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
61695 Adobe Reader / Acrobat U3D Implementation Unspecified Overflow

61694 Adobe Reader / Acrobat Unspecified NULL Dereference DoS

61693 Adobe Reader / Acrobat Enhanced Security Feature Default Configuration Modifi...

61692 Adobe Reader / Acrobat PDF JpxDecode Encoded Jp2c Stream Handling Memory Corr...

61691 Adobe Reader / Acrobat 3D Implementation DLL-loading Unspecified Arbitrary Co...

61690 Adobe Reader / Acrobat U3D Implementation Array Boundary Arbitrary Code Execu...

61688 Adobe getPlus DLM gp.ocx ActiveX Multiple Overflows

60980 Adobe Reader / Acrobat Doc.media.newPlayer Use-After-Free Arbitrary Code Exec...

Acrobat and Reader contain a flaw that may allow an attacker to execute arbitrary code. The issue is triggered by a use-after-free condition in Doc.media.newPlayer when parsing a specially crafted PDF file.

Snort® IPS/IDS

Date Description
2014-12-02 Adobe Acrobat Reader JpxDecode invalid crgn memory corruption attempt
RuleID : 32358 - Revision : 3 - Type : FILE-PDF
2014-11-16 Adobe Acrobat Reader U3D CLODMeshDeceleration code execution attempt
RuleID : 31555 - Revision : 4 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28743 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28742 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28741 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28740 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28739 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28738 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28737 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28736 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28735 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28734 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28733 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28732 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28731 - Revision : 6 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28730 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28729 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 28728 - Revision : 6 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt
RuleID : 28454 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 23506 - Revision : 5 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt
RuleID : 23505 - Revision : 6 - Type : FILE-PDF
2014-01-10 Phoenix exploit kit post-compromise behavior
RuleID : 21860 - Revision : 5 - Type : MALWARE-CNC
2014-01-10 Phoenix exploit kit landing page
RuleID : 21640 - Revision : 6 - Type : EXPLOIT-KIT
2014-01-10 Adobe Acrobat Reader U3D CLODMeshDeceleration code execution attempt
RuleID : 20429 - Revision : 12 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader script injection vulnerability
RuleID : 19118 - Revision : 15 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader malformed U3D integer overflow
RuleID : 19117 - Revision : 15 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader JpxDecode invalid crgn memory corruption attempt
RuleID : 18801 - Revision : 12 - Type : FILE-PDF
2014-01-10 NOS Microsystems Adobe atl_getcom ActiveX clsid unicode access
RuleID : 16372 - Revision : 4 - Type : WEB-ACTIVEX
2014-01-10 NOS Microsystems Adobe atl_getcom ActiveX clsid access
RuleID : 16371 - Revision : 12 - Type : BROWSER-PLUGINS
2014-01-10 Adobe Reader JP2C Region Atom CompNum memory corruption attempt
RuleID : 16370 - Revision : 7 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt
RuleID : 16334 - Revision : 18 - Type : FILE-PDF
2014-01-10 Adobe Acrobat Reader media.newPlayer memory corruption attempt
RuleID : 16333 - Revision : 18 - Type : FILE-PDF

Nessus® Vulnerability Scanner

Date Description
2013-01-24 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0037.nasl - Type : ACT_GATHER_INFO
2013-01-24 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0038.nasl - Type : ACT_GATHER_INFO
2013-01-24 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2010-0060.nasl - Type : ACT_GATHER_INFO
2011-01-27 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_acroread-6802.nasl - Type : ACT_GATHER_INFO
2011-01-27 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_acroread-6803.nasl - Type : ACT_GATHER_INFO
2011-01-27 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_acroread_ja-6804.nasl - Type : ACT_GATHER_INFO
2011-01-27 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_acroread_ja-6805.nasl - Type : ACT_GATHER_INFO
2010-09-08 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201009-05.nasl - Type : ACT_GATHER_INFO
2010-02-02 Name : The remote SuSE 11 host is missing a security update.
File : suse_11_acroread_ja-100128.nasl - Type : ACT_GATHER_INFO
2010-01-25 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_acroread-100122.nasl - Type : ACT_GATHER_INFO
2010-01-25 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_acroread-100122.nasl - Type : ACT_GATHER_INFO
2010-01-25 Name : The remote openSUSE host is missing a security update.
File : suse_11_2_acroread-100122.nasl - Type : ACT_GATHER_INFO
2010-01-25 Name : The remote SuSE 11 host is missing a security update.
File : suse_11_acroread-100122.nasl - Type : ACT_GATHER_INFO
2010-01-13 Name : The version of Adobe Acrobat on the remote Windows host is affected by multip...
File : adobe_acrobat_apsb10-02.nasl - Type : ACT_GATHER_INFO
2010-01-13 Name : The PDF file viewer on the remote Windows host is affected by multiple vulner...
File : adobe_reader_apsb10-02.nasl - Type : ACT_GATHER_INFO