Adobe Reader/Acrobat Multiple Vulnerabilities

Secunia ID	SA28802
CVE-ID	CVE-2007-5659, CVE-2007-5663, CVE-2007-5666, CVE-2008-0655, CVE-2008-0667, CVE-2008-0726
Release Date	06 Feb 2008
Last Change	15 May 2008
Solution Status	Vendor Patch
Software	Adobe Acrobat 3D Adobe Acrobat 8 Professional Adobe Acrobat 8.x Adobe Reader 8.x
Where	From remote "From remote" describes other vulnerabilities where the attack vector doesn't require access to the system or a local network. This category covers services that are acceptable to expose to the Internet (e.g. HTTP, HTTPS, SMTP). It also covers client applications used on the Internet and certain vulnerabilities where it is reasonable to assume that a security conscious user can be tricked into performing certain actions.
Impact	DoS (Denial of Service) This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system. System access This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.
Description	Some vulnerabilities have been reported in Adobe Reader/Acrobat, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system. 1) Multiple boundary errors in several unspecified JavaScript methods can be exploited to cause stack-based buffer overflows via a specially crafted .PDF file. Successful exploitation allows execution of arbitrary code. NOTE: The vulnerability is reportedly being exploited in the wild. 2) An unspecified insecure JavaScript method in EScript.api can be exploited to execute arbitrary code via a specially crafted .PDF file. 3) An error in the loading of "Security Provider" libraries can be exploited to execute arbitrary code by e.g. tricking a user into opening a .PDF file in a directory that contains a malicious library with the same filename as a "Security Provider" library. 4) The insecure JavaScript method "DOC.print()" can be exploited to silently print a specially crafted PDF file. 5) An integer overflow in the "printSepsWithParams()" JavaScript method can be exploited to cause a memory corruption via a specially crafted .PDF file. Successful exploitation allows execution of arbitrary code. 6) Two boundary errors within Acrobat Distiller can be exploited to cause heap-based buffer overflows via specially crafted .joboptions files containing overly long (greater than 160 characters) font names within the "/AlwaysEmbed" and "/NeverEmbed" parameters. Successful exploitation allows execution of arbitrary code. The vulnerabilities affect the following versions: * Adobe Reader 8.1.1 and earlier * Adobe Acrobat Professional, 3D and Standard 8.1.1 and earlier
Solution	Update to version 8.1.2. Adobe Reader 8: http://www.adobe.com/go/getreader Acrobat 8 on Windows: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3849 Acrobat 8 on Macintosh: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3856 Acrobat 3D 8 on Windows: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3850
Reported by	1-3) Greg MacManus of iDefense Labs 4) cocoruder of Fortinet Security Research Team 5) An anonymous researcher, reported via ZDI 6) Paul Craig of Security-Assessment.com The vendor also credits: * Tavis Ormandy and Will Drewry of the Google Security Team
Original Advisory	Adobe APSA08-01: http://www.adobe.com/support/security/advisories/apsa08-01.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=657 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=656 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=655 Fortinet: http://www.fortiguardcenter.com/advisory/FGA-2008-04.html ZDI: http://www.zerodayinitiative.com/advisories/ZDI-08-004.html Security-Assessment.com: http://www.security-assessment.com/files/advisories/2008-05-15_Acrobat_Distiller_Malformed_joboptions_File.pdf