Dark Reading | Products and Releases | Risk
10/16/2009 03:13 PM

IOActive Discovers Critical Flaw In Adobe Reader 9.1.2

IOActive senior security consultant Richard van Eeden discovers security flaw that enables arbitrary file creation

Seattle, Wash., October 13, 2009. IOActive, a leading provider of software assurance, compliance, and smart grid security services, in conjunction with the United States Computer Emergency Readiness Team (US-CERT), today announced that Richard van Eeden, a Senior Security Consultant at IOActive, discovered a security flaw in Adobe Acrobat and Reader that could lead to full-system compromise simply by opening a specially crafted malicious PDF file.

Adobe products have long touted the ability to enable organizations to collaborate and share information in heterogeneous environments. Adobe Reader software is the global standard for electronic document sharing, and is the only commercial PDF file viewer that can open and interact with all PDF documents. These products are widely deployed throughout not only corporations but governments as well.

"Attackers' interests have become increasingly focused on exploiting popular client-side software programs, making it critical for large software vendors, such as Adobe, to demonstrate proactive security stewardship over the global software ecosystem through a properly executed Security Development Lifecycle. Issuing over 20 security fixes for Adobe Acrobat in this latest patch cycle simply highlights Adobe's immature and reactive approach to software security and potentially puts their customers at financial, operational, and legal risk," said Josh Pennell, President and founder of IOActive. "If possible, users should consider sandboxing or identify replacements for software products that have proven to be lacking in security sophistication."

van Eeden discovered that many JavaScript methods of the Document object do not honor the Privileged Context and Safe Path settings. IOActive was able to execute certain privileged JavaScript methods because Adobe Reader contains a vulnerability that allows "secure" functions to be called from a non-secure context. This capability can be used to create arbitrary files and folders on the targeted file system, resulting in possible full-system compromise simply by opening the malicious PDF.

Depending on the user's privileges, the vulnerability could allow an attacker to write to any file on the system. If a user running Adobe Reader opens a malicious PDF, it could write to or create any file that the user has access to, with a range of detrimental consequences. User files would be exposed: an attacker could write to a file, alter its content, or even empty it. An attacker could also make the system run any command of their choosing by altering existing scripts, such as those run at system startup, and thereby escalate privileges from the user who opened the document to administrator or root level. In the worst case, an attacker could combine privilege escalation, arbitrary file writes, and the ability to write into a PDF to develop a worm and spread it by email.

This discovery continues to drive home the point made by Stephen Northcutt, president of SANS Technology Institute, when he cautioned users against using Adobe products on August 4 due to an increasing number of Adobe security vulnerabilities that had been reported this year. "I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can."

As a result of this discovery, US-CERT today issued a security advisory about Adobe Reader 9.1.2 and is encouraging users to disable JavaScript in the application. IOActive has also released a series of recommended best practices for Adobe users, available here.
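The advisory's mitigation is to disable JavaScript in Reader; a complementary defender-side control is to triage incoming PDFs for the active content the flaw depends on before they reach a viewer at all. The script below is an added example and is not IOActive's or US-CERT's code. It works on raw PDF bytes in the style of a pdfid-type scanner: it counts names such as /JavaScript, /JS, /OpenAction and /AA, and it first resolves the PDF format's #xx name escapes, because a name written as /Java#53cript is a legal spelling of /JavaScript that naive string matching misses. The three sample documents are constructed for the demonstration (they show an alert, nothing more), and the function names `normalize_names`, `scan_pdf_bytes` and `is_suspicious` are this example's own.

```python
import re

# Constructed sample PDFs for the demonstration (toy documents, not real malware).
# Reader runs the /OpenAction when the file is opened; here it is a JavaScript action.
PDF_WITH_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert("constructed sample");) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# The same document with no actions at all.
PDF_PLAIN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# The JavaScript document again, with key names written using PDF #xx hex escapes
# (a legitimate feature of the format that defeats plain substring matching).
PDF_OBFUSCATED = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Java#53cript /J#53 (app.alert("constructed sample");) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# "#" followed by two hex digits inside a PDF name encodes one byte.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names that indicate active content. /JavaScript and /JS carry script; /OpenAction
# and /AA (additional actions) make it run automatically; /Launch and /EmbeddedFile
# are other carriers worth counting in the same pass.
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

# A PDF name token ends at whitespace, a delimiter character, or end of input,
# so /JS does not match inside a longer name such as /JSfoo.
NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so that /Java#53cript compares equal to /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count active-content indicators in raw PDF bytes (triage, not a full PDF parser)."""
    norm = normalize_names(data)
    counts = {}
    for name in INDICATORS:
        counts[name.decode()] = len(re.findall(re.escape(name) + NAME_END, norm))
    # Escaped names are reported separately: benign producers rarely escape plain ASCII,
    # so a nonzero count is worth a second look even when no indicator matched.
    counts["escaped_names"] = len(NAME_ESCAPE.findall(data))
    return counts


def is_suspicious(counts: dict) -> bool:
    """Flag a document that carries script or a launch action; auto-run names sharpen the verdict."""
    has_script = counts["/JavaScript"] > 0 or counts["/JS"] > 0
    return has_script or counts["/Launch"] > 0


if __name__ == "__main__":
    for label, doc in (("with_js", PDF_WITH_JS), ("plain", PDF_PLAIN), ("obfuscated", PDF_OBFUSCATED)):
        c = scan_pdf_bytes(doc)
        print(f"{label}: suspicious={is_suspicious(c)} {c}")
```

Streams compressed with /FlateDecode hide names from this kind of byte scan, so in a mail gateway or sandbox pipeline the same counts should be taken again after inflating stream objects; the escape handling shown here is the part that raw-byte tools most often get wrong.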

About IOActive

Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, router, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts the likes of Dan Kaminsky, Ilja van Sprundel, Mike Davis, Tiller Beauchamp, Ward Spangenberg, and Wes Brown—talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, Shakacon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com.

About Richard van Eeden

Richard van Eeden is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. van Eeden has worked as a vulnerability researcher, security consultant, and system administrator for numerous public and private entities in The Netherlands.
