03:13 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly

IOActive Discovers Critical Flaw In Adobe Reader 9.1.2

IOActive senior security consultant Richard van Eeden discovers security flaw that enables arbitrary file creation

Seattle, Wash—October 13, 2009. IOActive, a leading provider of software assurance, compliance, and smart grid security services, in conjunction with the United States Computer Readiness Team (US-CERT), today announced that Richard van Eeden, a Senior Security Consultant at IOActive, discovered a security flaw in Adobe Acrobat and Reader that could be leveraged to lead to full-system compromise simply by opening a specially crafted malicious PDF file.

Adobe products have long touted the ability to enable organizations to collaborate and share information in heterogeneous environments. Adobe Reader software is the global standard for electronic document sharing, and is the only commercial PDF file viewer that can open and interact with all PDF documents. These products are widely deployed throughout not only corporations but governments as well.

"Attackers' interests have become increasingly focused on exploiting popular client-side software programs, making it critical for large software vendors, such as Adobe, to demonstrate proactive security stewardship over the global software ecosystem through a properly executed Security Development Lifecycle. Issuing over 20 security fixes for Adobe Acrobat in this latest patch cycle simply highlights Adobe's immature and reactive approach to software security and potentially puts their customers at financial, operational, and legal risk," said Josh Pennell, President and founder of IOActive. "If possible, users should consider sandboxing or identify replacements for software products that have proven to be lacking in security sophistication."

van Eeden discovered that many JavaScript methods of the Document Object do not honor the Privileged Context and Safe Path settings. IOActive was able to execute certain privileged JavaScript methods because Adobe Reader contains a vulnerability that supports calling "secure" functions in a non-secure context. This capability can be used to create arbitrary files and folders on a targeted file system, resulting in possible full-system compromise simply by opening the malicious PDF.

Depending on the user privileges, the vulnerability could allow an attacker to write to any file on the system. If a user running Adobe Reader loads a malicious PDF, it could write or create to any file that the user has access to. There would be a range of detrimental consequences if this occurred. It would make user files very vulnerable; an attacker could write to the file, alter the file content, or even empty the file. Attackers also have the capability to make the system perform whatever command they wish by altering existing scripts for functionality such as system startup. This would allow them to achieve privilege escalation, which would promote the user who opened the document to administration or root-level. Worst-case scenario, however, is that an attacker could leverage the combination of privilege escalation, arbitrary file, and writing to a PDF to develop a worm and send it via email.

This discovery continues to drive home the point made by Stephen Northcutt, president of SANS Technology Institute, when he cautioned users against using Adobe products on August 4 due to an increasing number of Adobe security vulnerabilities that had been reported this year. "I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can."

As a result of this discovery, US-CERT today issued a security advisory about Adobe Reader 9.1.2, and is encouraging users to disable JavaScript in the application. IOActive has also released a series of best practices recommended for Adobe users, available here.

About IOActive Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, router, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts the likes of Dan Kaminsky, Ilja van Sprundel, Mike Davis, Tiller Beauchamp, Ward Spangenberg, and Wes Brown—talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, Shakacon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com

About Richard van Eeden Richard van Eeden is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. van Eeden has worked as a vulnerability researcher, security consultant, and system administrator for numerous public and private entities in The Netherlands.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

Published: 2014-10-25
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.