Adobe fixes critical vulnerability in Acrobat and Reader
Adobe has released the Adobe Reader and Acrobat 9.1 update for Windows and Mac, which closes a critical security hole. The vulnerability allowed malicious code to be injected and executed with the user's permissions by means of a specially crafted PDF file. The hole has been known since January and an exploit has been publicly available since mid-February.
The cause of the hole is an error when decoding JBIG2 streams, which are used in PDF documents to store compressed black and white images. The first exploits required JavaScript to be enabled, which is why Adobe recommended a workaround of disabling JavaScript in Reader. However, current exploits do not rely on JavaScript in Reader and Acrobat.
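For triage on systems that cannot be patched immediately, the following added example (not code from Adobe, Didier Stevens or The H) scans raw PDF bytes for the standard /JBIG2Decode filter name, including spellings hidden behind PDF #xx name escapes, and also counts /JavaScript and /JS. The function names and sample fragments are constructed for illustration.

```python
import os
import re
import sys

# PDF names end at whitespace or a delimiter and may hide bytes as #xx escapes.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
WATCHED = (b"/JBIG2Decode", b"/JavaScript", b"/JS")

# Constructed sample fragments (not taken from any real document).
SAMPLE_PLAIN = b"5 0 obj\n<< /Subtype /Image /Filter /JBIG2Decode /Length 0 >>\nendobj\n"
SAMPLE_OBFUSCATED = b"7 0 obj\n<< /Filter [/FlateDecode /JBIG#32Decode] /Length 0 >>\nendobj\n"


def normalize_name(raw: bytes) -> bytes:
    """Decode #xx escapes so /JBIG#32Decode compares equal to /JBIG2Decode."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data: bytes) -> dict:
    """Count watched names in raw PDF bytes and list escaped spellings."""
    counts = {w.decode(): 0 for w in WATCHED}
    obfuscated = []
    for match in _NAME.finditer(data):
        raw = match.group(0)
        name = normalize_name(raw)
        if name in WATCHED:
            counts[name.decode()] += 1
            if raw != name:  # an escaped spelling of a watched name
                obfuscated.append(raw.decode("latin-1"))
    return {"counts": counts, "obfuscated": obfuscated,
            "has_jbig2": counts["/JBIG2Decode"] > 0}


def scan_tree(root: str):
    """Yield (path, result) for every readable .pdf under root that declares JBIG2."""
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if not filename.lower().endswith(".pdf"):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "rb") as handle:
                    result = triage_pdf(handle.read())
            except OSError:
                continue  # unreadable file: skip it
            if result["has_jbig2"]:
                yield path, result


if __name__ == "__main__":
    for found, info in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(found, info["counts"], info["obfuscated"])
```

A hit only shows that a file declares a JBIG2 stream, which legitimate scanned documents also do; names stored inside compressed object streams are not visible to a raw byte scan.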
Meanwhile, it was announced that Windows users may not even have to open a crafted document file to fall victim to an attack; all that is needed is for the document to be present somewhere on the system's disk. According to Didier Stevens, the problem occurs when the Windows Indexing Service calls on the Adobe PDF component for indexing PDF files (AcroRdIF.dll). This component then loads the PDF parser (AcroRD32.dll), which will read the crafted document and fall prey to the JBIG2 vulnerability. According to Stevens, in this case the injected code will run with more rights than the user, as the indexing service runs under the local system account.
By default, the Indexing Service in XP and Vista is not on, but will be turned on when Windows offers "to make future searches faster" after any Windows Explorer search. Because of this, users should install the updates as soon as possible. Where this is not possible, Stevens suggests that the indexing filter should be disabled by simply running regsvr32 /u AcroRdIf.dll.
Updates for Adobe Reader and Acrobat, versions 7 and 8, are due on March 18th. An update for the Unix version of Adobe Reader, to version 9.1, is due on March 25th.
See also:
- Security Updates available for Adobe Reader 9 and Acrobat 9, advisory from Adobe.
- Zero day hole in Adobe Reader and Acrobat, a report from The H Security.
- Adobe patches critical hole in Flash Player, but PDF hole remains open, a report from The H Security.
(djwm)