Risk
10/16/2009
03:13 PM
Dark Reading
Products and Releases

IOActive Discovers Critical Flaw In Adobe Reader 9.1.2

IOActive senior security consultant Richard van Eeden discovers security flaw that enables arbitrary file creation

Seattle, Wash—October 13, 2009. IOActive, a leading provider of software assurance, compliance, and smart grid security services, in conjunction with the United States Computer Emergency Readiness Team (US-CERT), today announced that Richard van Eeden, a Senior Security Consultant at IOActive, discovered a security flaw in Adobe Acrobat and Reader that could be leveraged for full-system compromise simply by opening a specially crafted malicious PDF file.

Adobe products have long touted the ability to enable organizations to collaborate and share information in heterogeneous environments. Adobe Reader software is the global standard for electronic document sharing, and is the only commercial PDF file viewer that can open and interact with all PDF documents. These products are widely deployed throughout not only corporations but governments as well.

"Attackers' interests have become increasingly focused on exploiting popular client-side software programs, making it critical for large software vendors, such as Adobe, to demonstrate proactive security stewardship over the global software ecosystem through a properly executed Security Development Lifecycle. Issuing over 20 security fixes for Adobe Acrobat in this latest patch cycle simply highlights Adobe's immature and reactive approach to software security and potentially puts their customers at financial, operational, and legal risk," said Josh Pennell, President and founder of IOActive. "If possible, users should consider sandboxing or identify replacements for software products that have proven to be lacking in security sophistication."

van Eeden found that many JavaScript methods of the Document object do not honor Adobe's Privileged Context and Safe Path restrictions. Acrobat JavaScript marks certain methods as privileged, meaning they should be callable only from a privileged context (the JavaScript console, batch processing, or a folder-level script exposed through a trusted function), and it confines file writes made by ordinary document scripts to safe paths. Because Reader allowed these privileged methods to be invoked from the non-privileged context of an opened document, IOActive was able to create arbitrary files and folders on the target file system, which can lead to full-system compromise simply by opening the malicious PDF.

Depending on the privileges of the user running Reader, the flaw lets an attacker write to any file that user can modify: a malicious PDF, once opened, can create new files or overwrite existing ones anywhere the user's account has write access. The consequences range from damaged user data (file contents altered or emptied) to arbitrary command execution, because the attacker can edit scripts the user already runs, such as login or system startup scripts, to carry commands of their choosing. Where those scripts run with higher privileges than the user who opened the document, or where that user is already an administrator, this yields administrator- or root-level control of the system. The worst case combines arbitrary file creation with the ability to write into other PDF files to build a worm that propagates by email.

This discovery continues to drive home the point made by Stephen Northcutt, president of SANS Technology Institute, when he cautioned users against using Adobe products on August 4 due to an increasing number of Adobe security vulnerabilities that had been reported this year. "I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can."

As a result of this discovery, US-CERT today issued a security advisory about Adobe Reader 9.1.2 and is encouraging users to disable JavaScript in the application (in Reader: Edit > Preferences > JavaScript, then clear "Enable Acrobat JavaScript"). IOActive has also released a series of best practices recommended for Adobe users, available here.

About IOActive Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, router, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts the likes of Dan Kaminsky, Ilja van Sprundel, Mike Davis, Tiller Beauchamp, Ward Spangenberg, and Wes Brown—talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, Shakacon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com

About Richard van Eeden Richard van Eeden is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. van Eeden has worked as a vulnerability researcher, security consultant, and system administrator for numerous public and private entities in The Netherlands.
