Executive Summary
Summary | |
---|---|
Title | Adobe Reader and Acrobat JBIG2 buffer overflow vulnerability |
Informations | |||
---|---|---|---|
Name | VU#905281 | First vendor Publication | 2009-02-20 |
Vendor | VU-CERT | Last vendor Modification | 2009-03-18 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#905281Adobe Reader and Acrobat JBIG2 buffer overflow vulnerabilityOverviewAdobe Reader and Acrobat contain a buffer overflow vulnerability that may allow an attacker to execute arbitrary code.I. DescriptionAdobe Acrobat Reader is software designed to view Portable Document Format (PDF) files. Adobe also distributes the Adobe Acrobat Plug-In to allow users to view PDF files inside of a web browser. Adobe Reader and Acrobat contain a buffer overflow vulnerability in the handling of JBIG2 streams.Exploit code for this vulnerability is publicly available. This issue is addressed in Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1. More details are available in Adobe Security Bulletin APSB09-03 and APSB09-04.
[HKEY_CLASSES_ROOTAcroExch.Document.7] "EditFlags"=hex:00,00,00,00 Preventing PDF documents from opening inside a web browser may mitigate this vulnerability. If this workaround is applied to updated versions of the Adobe reader, it may mitigate future vulnerabilities. To prevent PDF documents from automatically being opened in a web browser:
Adobe Acrobat and Reader integrates itself with the Windows shell. The file pdfshell.dll is used to configure Windows Explorer to launch Adobe components to render, preview, and obtain details from a PDF document, all without actually opening the PDF document itself. Windows Shell integration for Adobe Acrobat and Reader can be disabled by unregistering the pdfshell.dll by running the following command:
Adobe Reader and Adobe Acrobat install an Indexing Service filter that is used to parse PDF files. These filters are provided by AcroRdIF.dll and AcroIF.dll, respectively. When an application that uses the Adobe IFilters indexes a malicious PDF document, the vulnerability may be triggered. This attack vector can be mitigated by unregistering the Adobe IFilter files. Adobe Acrobat users should locate the Acrobat directory and run: regsvr32 /u AcroIF.dll Adobe Reader users should locate the Adobe Reader directory and run: regsvr32 /u AcroRdIF.dll Note: After disabling the Windows shell integration or the Indexing Service filter by unregistering the appropriate DLL, the Windows Installer MSI resiliency feature may trigger a "repair" of those features when an advertised shortcut for Adobe Reader is clicked. To prevent this from occurring, delete the Adobe Reader icon from the Windows start menu and then re-create a normal, non-advertised shortcut. More details are available in the CERT/CC Vulnerability Analysis Blog. Do not access PDF documents from untrusted sources Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010. Systems Affected
Referenceshttp://www.us-cert.gov/cas/tips/ST04-010.html Thanks to Adobe for information that was used in this report. This document was written by Will Dormann and Ryan Giobbi.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/905281 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:5697 | |||
Oval ID: | oval:org.mitre.oval:def:5697 | ||
Title: | Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier (APSA09-01) | ||
Description: | Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call and possibly an embedded JBIG2 image stream, as exploited in the wild in February 2009 by Trojan.Pidief.E. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-0658 | Version: | 9 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 | Product(s): | Adobe Acrobat Adobe Reader |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
SAINT Exploits
Description | Link |
---|---|
Adobe Reader JBIG2 image stream buffer overflow | More info here |
OpenVAS Exploits
Date | Description |
---|---|
2009-04-28 | Name : SuSE Security Summary SUSE-SR:2009:009 File : nvt/suse_sr_2009_009.nasl |
2009-04-20 | Name : Gentoo Security Advisory GLSA 200904-17 (acroread) File : nvt/glsa_200904_17.nasl |
2009-03-31 | Name : RedHat Security Advisory RHSA-2009:0376 File : nvt/RHSA_2009_0376.nasl |
2009-03-31 | Name : SuSE Security Advisory SUSE-SA:2009:014 (acroread) File : nvt/suse_sa_2009_014.nasl |
2009-03-03 | Name : Buffer Overflow Vulnerability in Adobe Reader (Linux) File : nvt/secpod_adobe_prdts_bof_vuln_lin.nasl |
2009-03-03 | Name : Buffer Overflow Vulnerability in Adobe Acrobat and Reader (Win) File : nvt/secpod_adobe_prdts_bof_vuln_win.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
52073 | Adobe Reader / Acrobat Document Handling JBIG2 Compression Overflow A buffer overflow exists in Acrobat and Acrobat Reader. They fail to validate PDF files which use JBIG2 compression routines resulting in a buffer overflow. With a specially crafted file, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity. |
Snort® IPS/IDS
Date | Description |
---|---|
2015-01-15 | Adobe Acrobat Reader PDF JBIG2 remote code execution attempt RuleID : 32786 - Revision : 2 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader PDF JBIG2 remote code execution attempt RuleID : 24124 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader PDF JBIG2 remote code execution attempt RuleID : 20575 - Revision : 13 - Type : FILE-PDF |
2014-01-10 | Suspicious JBIG2 pdf file sent with email RuleID : 15497 - Revision : 7 - Type : FILE-PDF |
2014-01-10 | Suspicious JBIG2 pdf file sent through email RuleID : 15496 - Revision : 7 - Type : FILE-PDF |
2014-01-10 | Suspicious JBIG2 pdf file sent by email RuleID : 15495 - Revision : 7 - Type : FILE-PDF |
2014-01-10 | Suspicious JBIG2 pdf file sent from email RuleID : 15494 - Revision : 7 - Type : FILE-PDF |
2014-01-10 | Suspicious JBIG2 pdf file sent in email RuleID : 15360 - Revision : 8 - Type : FILE-PDF |
2014-01-10 | Suspicious JBIG2 pdf file sent via email RuleID : 15359 - Revision : 8 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader JBIG2 remote code execution attempt RuleID : 15358 - Revision : 11 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader JBIG2 remote code execution attempt RuleID : 15357 - Revision : 14 - Type : FILE-PDF |
2014-01-10 | Adobe PDF JBIG2 remote code execution attempt RuleID : 15356 - Revision : 4 - Type : SMTP |
2014-01-10 | Adobe PDF JBIG2 remote code execution attempt RuleID : 15355 - Revision : 4 - Type : WEB-CLIENT |
2014-01-10 | Adobe PDF JBIG2 remote code execution attempt RuleID : 15354 - Revision : 4 - Type : SMTP |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_acroread-6121.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_acroread_ja-6161.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_acroread-090325.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_acroread_ja-090415.nasl - Type : ACT_GATHER_INFO |
2009-08-28 | Name : The version of Adobe Acrobat on the remote Windows host is affected by multip... File : adobe_acrobat_91.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0376.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_acroread-090325.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_acroread-090325.nasl - Type : ACT_GATHER_INFO |
2009-04-21 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200904-17.nasl - Type : ACT_GATHER_INFO |
2009-03-27 | Name : The remote openSUSE host is missing a security update. File : suse_acroread-6120.nasl - Type : ACT_GATHER_INFO |
2009-03-11 | Name : The PDF file viewer on the remote Windows host is affected by multiple vulner... File : adobe_reader_91.nasl - Type : ACT_GATHER_INFO |