In association with heise online

11 March 2009, 09:34

Adobe fixes critical vulnerability in Acrobat and Reader

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Adobe has released the Adobe Reader and Acrobat 9.1 update for Windows and Mac that closes a critical security hole. The vulnerability allowed for malicious code to be injected and executed with the users permissions by using a specially crafted PDF file. The hole has been known of since January and an exploit has been publicly available since mid February.

The cause of the hole is an error when decoding JBIG2 streams, which are used in PDF documents to store compressed black and white images. The first exploits required JavaScript to be enabled, which is why Adobe recommended a workaround of disabling JavaScript in Reader. However, current exploits do not rely on JavaScript in Reader and Acrobat.

Meanwhile, it was announced that Windows users may not even have to open a crafted document file to fall victim to an attack; all that is needed is for the document to be present somewhere on the systems disk. According to Didier Stevens, the problem occurs when the Windows Indexing Service calls on the Adobe PDF component for indexing PDF files (AcroRdIF.dll). This component then loads the PDF parser (AcroRD32.dll) which will read the crafted document and fall prey to the JBIG2 vulnerability. According to Stevens, in this case the injected code will run with more rights than the user, as the indexing service runs as a local system account.

By default, the Indexing Service in XP and Vista is not on, but will be turned on when Windows offers "to make future searches faster" after any Windows Explorer search. Because of this, users should install the updates as soon as possible. Where this is not possible, Stevens suggests that the indexing filter should be disabled by simply running regsvr32 /u AcroRdIf.dll.

Updates for Adobe Reader and Acrobat, versions 7 and 8, are due on March 18th. An update for the Unix version of Adobe Reader, to version 9.1, is due on March 25th.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit