Technical Description

Two vulnerabilities were identified in Adobe Acrobat and Adobe Reader for MacOS, which could be exploited by attackers to perform certain tasks on a vulnerable system.

- The first flaw is due to an input validation error when processing JavaScript tags embedded in PDF files, which could be exploited by attackers to launch arbitrary executables on a local machine via a specially crafted PDF document. Exploitation requires that the attacker knows the exact location of the executable.

- The second issue is due to an error in the updater for Acrobat and Adobe Reader which insecurely elevates Safari Frameworks folder permissions for all users when updates are downloaded. This could be exploited by attackers to add their own frameworks.

Affected Products

Adobe Reader version 7.0 (Macintosh)
Adobe Reader version 7.0.1 (Macintosh)
Adobe Acrobat version 7.0 (Macintosh)
Adobe Acrobat version 7.0.1 (Macintosh)

Solution

Upgrade to Adobe Reader / Acrobat version 7.0.2 :
http://www.adobe.com/support/downloads/

References

http://www.vupen.com/english/advisories/2005/0893
http://www.adobe.com/support/techdocs/331709.html
http://www.adobe.com/support/techdocs/331711.html

Credits

Vulnerabilities reported by Aandi Inston and John C. Welch

ChangeLog

2005-06-27 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.