About Us | Contact Us

 


 

VUPEN Free Resources
 
  VUPEN Security Advisories
 
  VUPEN Security Blog & News
  Zero-day Attacks Monitor
  Daily Security Mailinglist
  Explanation of Terms
  Advanced Search Engine
 
   

Adobe Acrobat and Reader JBIG2 Handling Code Execution Vulnerabilities

VUPEN ID VUPEN/ADV-2009-0472
CVE ID CVE-2009-0193 - CVE-2009-0658 - CVE-2009-0928 - CVE-2009-1061 - CVE-2009-1062
 
CWE ID Available in VUPEN VNS Customer Area
CVSS V2 Available in VUPEN VNS Customer Area
Rated as Critical 
Impact Available in VUPEN VNS Customer Area
Authentication Level Available in VUPEN VNS Customer Area
Access Vector Available in VUPEN VNS Customer Area
Release Date 2009-02-20
Share Twitter LinkedIn Facebook Delicious Digg Slashdot

Technical Description

Multiple vulnerability have been identified in Adobe Acrobat and Reader, which could be exploited by attackers to compromise a vulnerable system. These issues are caused by array indexing and input validation errors when processing malformed JBIG2 data within a PDF document, which could allow attackers to cause a vulnerable application to crash or execute arbitrary code by tricking a user into opening a specially crafted PDF file.

Note: One of the vulnerabilities is being exploited in the wild.

Affected Products

Adobe Reader versions 9.x
Adobe Reader versions 8.x
Adobe Reader versions 7.x
Adobe Acrobat Standard versions 9.x
Adobe Acrobat Standard versions 8.x
Adobe Acrobat Standard versions 7.x
Adobe Acrobat Pro versions 9.x
Adobe Acrobat Pro versions 8.x
Adobe Acrobat Pro versions 7.x
Adobe Acrobat Pro Extended versions 9.x

Solution 

Upgrade to Adobe Reader or Acrobat version 9.1, 8.1.4 or 7.1.1 :
http://www.adobe.com/support/security/bulletins/apsb09-04.html

References

http://www.vupen.com/english/advisories/2009/0472
http://www.adobe.com/support/security/advisories/apsa09-01.html
http://www.adobe.com/support/security/bulletins/apsb09-03.html
http://www.adobe.com/support/security/bulletins/apsb09-04.html

In-depth Binary Analysis 

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 
Private Exploit or PoC 

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 
Credits 

Vulnerabilities reported by the vendor, Sean Larsson (iDefense Labs), Jonathan Brossard (iViZ Security Research Team), Will Dormann (CERT/CC), and Alin Rad Pop (Secunia Research).

Changelog 

2009-02-20 : Initial release
2009-02-23 : Updated Description
2009-02-24 : Updated Solution
2009-03-10 : Updated Solution
2009-03-18 : Updated Solution
2009-03-24 : Updated Description

Feedback 

If you have additional information or corrections for this security advisory please submit them via our contact form.
 

Monthly Statistics 

 

 VUPEN Security Advisories By Criticality: Aug 2010


  Critical Risk

 : 0%

  High Risk		 : 0%

  Moderate Risk		 : 0%

  Low Risk		 : 100%

Get a real-time view of the vulnerabilities affecting your systems using the VUPEN VNS reporting capabilities.
 
 

Try VUPEN VNS 

 

 





© 2004-2010 VUPEN Security - Copyright - Privacy Policy