Adobe Systems yesterday reported its Reader contains a vulnerability that would allow an attacker to remotely execute malicious code. A security flaw in the dominant document-sharing software could allow hackers to seize control of a computer system.
Adobe Acrobat Reader is a program for viewing Portable Document Format (PDF) documents. Under special circumstances, if a malicious PDF file is opened using Adobe Reader, a stack buffer overflow could occur resulting in the execution of arbitrary code.
Security firm iDefense Labs discovered the vulnerability in Adobe Acrobat Reader versions 5.0.9 and 5.0.10 for Unix. Security firm Secunia has rated the vulnerability “highly critical.”
Michael Sutton, director of iDefense Labs’ vulnerability research department, told TechNewsWorld that vulnerabilities in commonly used file formats, such as PDFs, increase the severity of the potential impact because they are widely traded, trusted document types.
“There aren’t too many companies that would block PDFs at the firewall from coming into the organization because working with PDFs is a regular part of doing business,” Sutton said. “To some extent, there’s only so much you can block. If you block everything it sort of defeats the purpose of the Internet.”
Windows Safe and Sound
Specifically, the vulnerability is caused by a boundary error in “UnixAppOpenFilePerform()” when Acrobat Reader is opening a document containing a “/Filespec” tag. This can be exploited to execute arbitrary code with the privileges of the user running Acrobat Reader by tricking the user to open a specially crafted PDF document.
The impact of this vulnerability is lessened by the fact that two error messages appear before exploitation is successful, according to iDefense. However, closing these windows does not prevent exploitation from occurring. Sutton said it is also lessened by the fact that desktop users in more corporate environments use Microsoft clients than Unix or Linux.
An Emerging Trend
Several vulnerabilities have recently been reported on Adobe products, but none so far as severe. Sutton said he is beginning to see an emerging trend in file format vulnerabilities.
“When you look at this situation, attackers actually exploit this type of vulnerability by creating a PDF that’s somehow malformed,” he said. “So the flaw isn’t in the PDF file. It’s in the application that reads that file. In this case Adobe Reader.”
E-mail users are skeptical about opening executable files from senders they don’t recognize, Sutton said, but photos and documents don’t seem as dangerous because they cannot, in and of themselves, launch code. Attackers know this and are looking for new ways to penetrate the firewall.
IDefense recommends user awareness as the best defense against this class of attack. The company’s report said users should be aware of the existence of such attacks and proceed with caution when following links from suspicious or unsolicited e-mail, according to iDefense, and users should consider using an unaffected version of Adobe Acrobat, such as Acrobat 7.0.