Potential dangers
Reference: CERT-IST/DG-2009.018
Version: 1.1
Version date: 13 January 2010
 |
Vulnerability Classification
Risk: high
Impact: Get access
Confidence: Vendor-acknowledged
Attack expertise: Skilled
Attack requirements: Remote (no account) over a standard service
 |
System Information
Affected Platform(s):
Affected Software(s):
- Adobe Reader versions 9.2 and earlier on Windows, Macintosh and UNIX
- Adobe Acrobat 9.2 and earlier on Windows and Macintosh
Description
Publication context:
For this "0-day" vulnerability, the Cert-IST has already published the "VulnCoord-2009.020" message and the "FA-2009.0238" flaw under investigation.
We are now releasing this Potential Danger notice because there is now a high risk of attacks based on this vulnerability.

Problem description:
A new vulnerability (CVE-2009-4324) has been discovered in Adobe Reader and Acrobat. It allows a booby-trapped PDF file to execute harmful actions on the computer where the file is opened with vulnerable Adobe software.
Adobe indicates that this vulnerability has already been used in limited and targeted "0-day" attacks. However, exploit code for this vulnerability was released on December 16th 2009, and we consider that there is now a higher risk of seeing more and more attacks in the near future.
Adobe announced that it will release the patches for this vulnerability on the 12th of January 2010. The vendor recommends applying workarounds (see the "Solution" section below) to reduce exposure.

Technical information:
Adobe does not provide any details regarding this vulnerability. It is reportedly a flaw in the handling of the "Doc.media.newPlayer" method by Adobe Reader and Acrobat.
The vulnerability can be used by a specially crafted PDF file to execute arbitrary code with the privileges of the user who opens this document with a vulnerable Adobe product.
The first attacks seem to have occurred on the 11th of December 2009 and appeared as rogue PDF e-mail attachments sent to targeted victims. The attack can also be performed by other means, e.g. by downloading a rogue PDF file from a website.
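
As an added example (not part of this notice or of the Adobe advisories), the following Python code triages a PDF received by e-mail or download for the two indicators named above: embedded JavaScript and a reference to the media.newPlayer method. The function names, the verdict labels and the sample documents are constructed for illustration.

```python
import re
import zlib

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
JS_NAME = re.compile(rb"/(?:JavaScript|JS)\b")
NEWPLAYER = re.compile(rb"media\s*\.\s*newPlayer")


def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes, which can hide a name such as /J#61vaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflated_streams(data: bytes):
    """Yield the content of every stream that zlib (FlateDecode) can inflate."""
    for match in STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # other filter or damaged data; raw bytes are scanned anyway


def triage_pdf(data: bytes) -> dict:
    """Return the indicators found and a verdict: block, review or pass."""
    views = [decode_names(v) for v in (data, *inflated_streams(data))]
    has_js = any(JS_NAME.search(v) for v in views)
    newplayer = any(NEWPLAYER.search(v) for v in views)
    verdict = "block" if newplayer else "review" if has_js else "pass"
    # "pass" only means no indicator was seen: script hidden by another
    # filter or by string obfuscation is not detected by this check.
    return {"javascript": has_js, "newplayer": newplayer, "verdict": verdict}


def build_sample(script: bytes) -> bytes:
    """Constructed test document: one JavaScript action with a Flate stream."""
    body = zlib.compress(script)
    head = b"%PDF-1.4\n1 0 obj\n<< /S /J#61vaScript /JS 2 0 R >>\nendobj\n"
    obj = b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(body)).encode() + b" >>\n"
    return head + obj + b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n"


# Constructed samples; the script text is inert and only names the method.
FLAGGED = build_sample(b"/* constructed: mentions media.newPlayer */")
SCRIPTED = build_sample(b"/* constructed: harmless script */")
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, doc in (("flagged", FLAGGED), ("scripted", SCRIPTED), ("plain", PLAIN)):
        print(name, triage_pdf(doc))
```

Because regular PDF files almost never use JavaScript, the "review" verdict alone is a useful filter at a mail gateway or download proxy.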
 |
Solution
[Version 1.1] On 12-Jan-2010, Adobe released patches for this vulnerability (see solution 1).
[Version 1.0] When this Potential Danger Notice was first released, no patch was available from Adobe to fix the vulnerability. At that time, only workarounds were available (see solution 2).

01 - Update Adobe Reader and Acrobat
Adobe released the following updates:
- Adobe Reader and Acrobat versions 8.2 and 9.3 for Windows,
- Adobe Reader and Acrobat versions 8.2 and 9.3 for UNIX,
- Adobe Reader and Acrobat versions 8.2 and 9.3 for Macintosh.
Refer to the Adobe advisory for details about these updates.
Note: Support has ended for Adobe Reader 8.x on the UNIX platform, and Adobe Reader 7.x and Acrobat 7.x on Windows, Macintosh and UNIX platforms.

02 - Workarounds regarding the Adobe Flash Player vulnerability
While waiting for an official patch from Adobe, disable JavaScript handling in Adobe Reader and Acrobat. This prevents the attack from succeeding. This measure should also be enforced permanently because it prevents most PDF attacks. It has only limited side effects because JavaScript is almost never used by regular PDF files.
Adobe provides additional mitigation guidance to reduce the risk:
- Versions 9.2 or 8.1.7 of Adobe software can use the "JavaScript Blacklist Framework" feature.
- On Windows Vista and Seven, the Windows DEP ("Data Execution Prevention") feature can be enabled.
Refer to the Adobe advisory for details on these workarounds.
 |
Standard vulnerability IDs
Additional Resources
- Adobe security advisory APSA09-07 dated December 15, 2009
- Adobe security advisory APSB10-02 dated January 12, 2010

History
Version | Comment | Date
1.0 | Potential danger creation | 17 December 2009
1.1 | Adobe patches are available (APSB10-02) | 13 January 2010