03:13 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
Repost This

IOActive Discovers Critical Flaw In Adobe Reader 9.1.2

IOActive senior security consultant Richard van Eeden discovers security flaw that enables arbitrary file creation

Seattle, Wash—October 13, 2009. IOActive, a leading provider of software assurance, compliance, and smart grid security services, in conjunction with the United States Computer Readiness Team (US-CERT), today announced that Richard van Eeden, a Senior Security Consultant at IOActive, discovered a security flaw in Adobe Acrobat and Reader that could be leveraged to lead to full-system compromise simply by opening a specially crafted malicious PDF file.

Adobe products have long touted the ability to enable organizations to collaborate and share information in heterogeneous environments. Adobe Reader software is the global standard for electronic document sharing, and is the only commercial PDF file viewer that can open and interact with all PDF documents. These products are widely deployed throughout not only corporations but governments as well.

"Attackers' interests have become increasingly focused on exploiting popular client-side software programs, making it critical for large software vendors, such as Adobe, to demonstrate proactive security stewardship over the global software ecosystem through a properly executed Security Development Lifecycle. Issuing over 20 security fixes for Adobe Acrobat in this latest patch cycle simply highlights Adobe's immature and reactive approach to software security and potentially puts their customers at financial, operational, and legal risk," said Josh Pennell, President and founder of IOActive. "If possible, users should consider sandboxing or identify replacements for software products that have proven to be lacking in security sophistication."

van Eeden discovered that many JavaScript methods of the Document Object do not honor the Privileged Context and Safe Path settings. IOActive was able to execute certain privileged JavaScript methods because Adobe Reader contains a vulnerability that supports calling "secure" functions in a non-secure context. This capability can be used to create arbitrary files and folders on a targeted file system, resulting in possible full-system compromise simply by opening the malicious PDF.

Depending on the user privileges, the vulnerability could allow an attacker to write to any file on the system. If a user running Adobe Reader loads a malicious PDF, it could write or create to any file that the user has access to. There would be a range of detrimental consequences if this occurred. It would make user files very vulnerable; an attacker could write to the file, alter the file content, or even empty the file. Attackers also have the capability to make the system perform whatever command they wish by altering existing scripts for functionality such as system startup. This would allow them to achieve privilege escalation, which would promote the user who opened the document to administration or root-level. Worst-case scenario, however, is that an attacker could leverage the combination of privilege escalation, arbitrary file, and writing to a PDF to develop a worm and send it via email.

This discovery continues to drive home the point made by Stephen Northcutt, president of SANS Technology Institute, when he cautioned users against using Adobe products on August 4 due to an increasing number of Adobe security vulnerabilities that had been reported this year. "I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can."

As a result of this discovery, US-CERT today issued a security advisory about Adobe Reader 9.1.2, and is encouraging users to disable JavaScript in the application. IOActive has also released a series of best practices recommended for Adobe users, available here.

About IOActive Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, router, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts the likes of Dan Kaminsky, Ilja van Sprundel, Mike Davis, Tiller Beauchamp, Ward Spangenberg, and Wes Brown—talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, Shakacon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com

About Richard van Eeden Richard van Eeden is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. van Eeden has worked as a vulnerability researcher, security consultant, and system administrator for numerous public and private entities in The Netherlands.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web