Risk
10/16/2009 03:13 PM
Dark Reading
Products and Releases

IOActive Discovers Critical Flaw In Adobe Reader 9.1.2

IOActive senior security consultant Richard van Eeden discovers security flaw that enables arbitrary file creation

Seattle, Wash., October 13, 2009. IOActive, a leading provider of software assurance, compliance, and smart grid security services, in conjunction with the United States Computer Emergency Readiness Team (US-CERT), today announced that Richard van Eeden, a Senior Security Consultant at IOActive, discovered a security flaw in Adobe Acrobat and Reader that could be leveraged for full-system compromise simply by opening a specially crafted malicious PDF file.

Adobe products have long touted the ability to enable organizations to collaborate and share information in heterogeneous environments. Adobe Reader software is the global standard for electronic document sharing, and is the only commercial PDF file viewer that can open and interact with all PDF documents. These products are widely deployed throughout not only corporations but governments as well.

"Attackers' interests have become increasingly focused on exploiting popular client-side software programs, making it critical for large software vendors, such as Adobe, to demonstrate proactive security stewardship over the global software ecosystem through a properly executed Security Development Lifecycle. Issuing over 20 security fixes for Adobe Acrobat in this latest patch cycle simply highlights Adobe's immature and reactive approach to software security and potentially puts their customers at financial, operational, and legal risk," said Josh Pennell, President and founder of IOActive. "If possible, users should consider sandboxing or identify replacements for software products that have proven to be lacking in security sophistication."

van Eeden discovered that many JavaScript methods of the Document Object do not honor the Privileged Context and Safe Path settings. IOActive was able to execute certain privileged JavaScript methods because Adobe Reader contains a vulnerability that allows "secure" functions to be called from a non-secure context. This capability can be used to create arbitrary files and folders on the targeted file system, resulting in possible full-system compromise simply by opening the malicious PDF.

Depending on the user's privileges, the vulnerability could allow an attacker to write to any file on the system. If a user running Adobe Reader loads a malicious PDF, it could write to or create any file that the user has access to, with a range of detrimental consequences. User files would be exposed: an attacker could write to a file, alter its content, or even empty it. Attackers could also make the system run whatever command they wish by altering existing scripts, such as those run at system startup. This would allow them to achieve privilege escalation, promoting the user who opened the document to administrator or root level. The worst case, however, is an attacker combining privilege escalation, arbitrary file writing, and writing to a PDF to develop a worm and send it via email.

This discovery continues to drive home the point made by Stephen Northcutt, president of SANS Technology Institute, when he cautioned users against using Adobe products on August 4 due to an increasing number of Adobe security vulnerabilities that had been reported this year. "I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can."

As a result of this discovery, US-CERT today issued a security advisory about Adobe Reader 9.1.2, and is encouraging users to disable JavaScript in the application. IOActive has also released a series of best practices recommended for Adobe users, available here.
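Because the flaw described above is only reachable through a document's embedded JavaScript, a defender who follows the US-CERT advice to disable JavaScript can pair it with a second control: flag incoming PDFs that carry scripts at all, so they can be reviewed before anyone opens them. The scanner below is an added example written for this page; it is not IOActive's, US-CERT's or Adobe's code. It counts the PDF name objects that mark embedded scripts (/JS, /JavaScript) and automatic triggers (/OpenAction, /AA), first undoing the #xx hex escaping that PDF permits inside names (a simple way to hide /JavaScript from naive string searches), and returns a triage verdict. The two sample documents are constructed inline, and the verdict labels and thresholds are assumptions.

```python
import re
import sys

# PDF name objects that indicate embedded scripts or automatic execution.
# /JS and /JavaScript carry script code; /OpenAction and /AA (additional
# actions) are triggers that fire on open or on page/field events.
SCRIPT_NAMES = ("/JS", "/JavaScript")
TRIGGER_NAMES = ("/OpenAction", "/AA")

# Constructed sample document (not a real file from the advisory).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same skeleton plus an OpenAction that runs a harmless script; the action
# type is written as /J#61vaScript to show the hex-escape evasion being undone.
SCRIPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def unescape_names(data: bytes) -> bytes:
    """Replace PDF name escapes (#xx) with the byte they encode."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes) -> dict:
    """Count each indicator name as a whole token, after unescaping."""
    text = unescape_names(data)
    counts = {}
    for name in SCRIPT_NAMES + TRIGGER_NAMES:
        # Name tokens end at whitespace or a delimiter; the lookahead stops
        # "/JS" from also matching a longer name such as "/JSomething".
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        counts[name] = len(re.findall(pattern, text))
    return counts


def assess(data: bytes) -> dict:
    """Triage verdict (assumed labels): allow, review or quarantine."""
    counts = count_names(data)
    has_script = any(counts[n] for n in SCRIPT_NAMES)
    has_trigger = any(counts[n] for n in TRIGGER_NAMES)
    if has_script and has_trigger:
        verdict = "quarantine"   # script plus an automatic trigger
    elif has_script:
        verdict = "review"       # script present, needs a human look
    else:
        verdict = "allow"        # nothing found (not proof of cleanliness)
    return {"counts": counts, "verdict": verdict}


def scan_file(path: str) -> dict:
    """Assess a PDF on disk."""
    with open(path, "rb") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("scripted", SCRIPTED_PDF)):
        print(label, assess(blob))
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

This is a triage heuristic, not a PDF parser: names stored inside compressed object streams (PDF 1.5 /ObjStm) are invisible to a byte search, so an "allow" verdict means nothing was found, not that the file is clean. Run it on a mail gateway or file share as a first filter, and route "review" and "quarantine" results to a tool that decompresses streams before a human looks at them.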

About IOActive

Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, router, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts the likes of Dan Kaminsky, Ilja van Sprundel, Mike Davis, Tiller Beauchamp, Ward Spangenberg, and Wes Brown, talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, Shakacon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com.

About Richard van Eeden

Richard van Eeden is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. van Eeden has worked as a vulnerability researcher, security consultant, and system administrator for numerous public and private entities in The Netherlands.
