|
|
>> Adobe Reader and Acrobat Multiple Code Execution Vulnerabilities
|
Multiple vulnerabilities have been idenitified in Adobe Reader and Acrobat, which could be exploited by attackers to cause a denial of service, manipulate certain data, gain elevated privileges, or compromise a vulnerable system.
The first issue is caused by a memory corruption error when passing an overly long argument to an AcroJS function, which could be exploited to crash an affected application or execute arbitrary code.
The second vulnerability is caused by an error when processing Type 1 fonts, which could be exploited to crash an affected application or execute arbitrary code via a malicious document.
The third issue is caused by a stack overflow error in the getPlus Download Manager when processing malformed data, which could be exploited to execute arbitrary code via a malicious web page.
The fourth vulnerability is caused by a stack overflow error when processing data passed to the Javascript "util.printf()" function, which could be exploited to crash an affected application or execute arbitrary code.
The fifth issue is caused by a memory corruption error when parsing certain PDF objects, which could be exploited to crash an affected application or execute arbitrary code.
The sixth vulnerability is caused by a memory corruption error when creating a Collab object and performing a specific sequence of actions on it, which could be exploited to crash an affected application or execute arbitrary code via a malicious document.
The seventh issue is caused by an unspecified error in the Download Manager, which could lead to a user's Internet Security options being changed during the download process.
The eighth vulnerability is caused by an unspecified input validation error in a JavaScript method, which could lead to remote code execution.
The ninth issue is caused by an unspecified Unix-only privilege escalation error.
The tenth weakness is caused by an error when processing malformed PDF data, which could be exploited to cause a denial of service.
Affected Products
Adobe Reader version 8.1.2 and prior
Adobe Acrobat Professional version 8.1.2 and prior
Adobe Acrobat 3D version 8.1.2 and prior
Adobe Acrobat Standard version 8.1.2 and prior
Solution
Upgrade to version 8.1.3 or 9 :
http://www.adobe.com/go/getreader
References
http://www.vupen.com/english/advisories/2008/3001
http://www.adobe.com/support/security/bulletins/apsb08-19.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=756
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=755
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=754
http://secunia.com/secunia_research/2008-14/
http://www.coresecurity.com/content/adobe-reader-buffer-overflow
http://www.kb.cert.org/vuls/id/593409
http://www.zerodayinitiative.com/advisories/ZDI-08-074/
http://www.zerodayinitiative.com/advisories/ZDI-08-073/
http://www.zerodayinitiative.com/advisories/ZDI-08-072/
Credits
Vulnerabilities reported by Greg MacManus, iDefense Labs, Peter Vreugdenhil, ZDI, Dyon Balding (Secunia Research), Damian Frizza (Core Security Technologies), Will Dormann (CERT/CC), Greg MacManus (iSIGHT Partners Labs), Javier Vicente Vallejo, Thomas Garnier (SkyRecon Systems), and Josh Bressers (Red Hat).
ChangeLog
2008-11-05 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
