This week in PDF: Adobe warns of “critical” bugs in Acrobat and Reader

The big news this week in PDF is being made by several security vulnerabilities affecting Acrobat and Adobe Reader that could be used to hijack a user’s system. Planet PDF talks about the nature of the vulnerabilities and their current status.

First discovered in late September by the French Security Incident Response Team (FrSIRT), the bugs affect Adobe Reader and Acrobat Standard and Professional, versions 7.0.0 through 7.0.8. According to FrSIRT’s security advisory, attackers could exploit them to completely take over an affected system. Specifically, the flaws are caused by memory corruption errors in the AcroPDF ActiveX control (AcroPDF.dll), which does not properly handle malformed arguments passed to the ‘setPageMode()’, ‘setLayoutMode()’, ‘setNamedDest()’, and ‘LoadFile()’ methods. This allows remote attackers to execute arbitrary commands by tricking users into visiting specially crafted Web pages using Internet Explorer.

Both Adobe and FrSIRT have listed the error as ‘critical’, while Secunia’s advisory is more optimistic, presumably because Adobe has already provided a workaround fix. According to Adobe’s own advisory:

The upcoming version of Adobe Reader, which will not be vulnerable to this issue, is also expected to be available in the near future. Acrobat 8 is not affected by this issue. The vulnerability is in an ActiveX control used by Internet Explorer; users of other browsers are not affected. The following workaround will prevent these vulnerabilities from occurring in Adobe Reader 7.0.X on Windows using Internet Explorer:

  1. Exit Internet Explorer and Adobe Reader.
  2. Browse to <volume>:\Program Files\Adobe\Acrobat 7.0\ActiveX.

    Note: If you did not install Acrobat to the default location, browse to the location of your Acrobat 7.0 folder.

  3. Select AcroPDF.dll and delete it.

NOTE: This workaround will prevent PDF documents from opening within an Internet Explorer window. After applying this workaround, clicking on PDF files within Internet Explorer will either open in a separate instance of Adobe Reader or the user will be prompted to download the file, which can then be opened in Adobe Reader. This workaround may disrupt some enterprise workflows and use of PDF forms.

To plug the hole without deleting the entire .dll file, FrSIRT claims that it is sufficient to merely set a ‘kill bit’ for the CLSID {CA8A9780-280D-11CF-A24D-444553540000}. In any case, a bulletin will be posted when Adobe’s formal ‘bugfix’ patch becomes available.
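The kill-bit alternative can be applied and verified with a short script. This is an added example, not code from Adobe, FrSIRT or Planet PDF; the registry location and the 0x400 flag value are Microsoft's documented kill-bit mechanism rather than details given in the advisories quoted here, and the helper name Get-CompatFlags is made up for the example. Run it from an elevated PowerShell prompt.

```powershell
# Added example: set and verify the Internet Explorer kill bit for the
# CLSID named in the article. Existing compatibility flags are preserved.
$clsid   = '{CA8A9780-280D-11CF-A24D-444553540000}'   # CLSID from the article
$killBit = 0x400                                       # kill-bit flag (assumption: not stated on the page)
$valueName = 'Compatibility Flags'

# 64-bit Windows keeps a separate registry view for 32-bit Internet Explorer,
# so both locations are handled when they exist.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Hypothetical helper: returns the current flags, or 0 if the value is absent.
function Get-CompatFlags([string]$KeyPath) {
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$valueName
}

foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # view not present on this system

    $key = Join-Path $root $clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # OR the kill bit into whatever flags are already there instead of overwriting them.
    $current = Get-CompatFlags $key
    $updated = $current -bor $killBit
    if ($updated -ne $current) {
        New-ItemProperty -LiteralPath $key -Name $valueName -PropertyType DWord `
            -Value $updated -Force | Out-Null
    }

    # Read the value back so the report reflects what is actually in the registry.
    $after = Get-CompatFlags $key
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $after
        KillBitSet = (($after -band $killBit) -eq $killBit)
    }
}
```

Internet Explorer must be restarted for the change to take effect, and like the DLL deletion it stops PDFs from rendering inside the browser window.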

About the Author: Dan Shea