Adobe Acrobat and Reader JavaScript Method Remote Code Execution Vulnerability
BID:29908
Info
Adobe Acrobat and Reader JavaScript Method Remote Code Execution Vulnerability
| Bugtraq ID: | 29908 |
| Class: | Input Validation Error |
| CVE: |
CVE-2008-2641 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 23 2008 12:00AM |
| Updated: | Nov 13 2008 08:54PM |
| Credit: | Information Security Team of the Johns Hopkins University Applied Physics Laboratory |
| Vulnerable: |
Sun Solaris 10.0_x86 Sun Solaris 10.0 S.u.S.E. openSUSE 10.3 S.u.S.E. openSUSE 10.2 Redhat Enterprise Linux Supplementary 5 server Redhat Enterprise Linux Extras 4 Redhat Enterprise Linux Extras 3 Redhat Enterprise Linux Desktop Supplementary 5 client Gentoo Linux Adobe Reader 8.1.2 Adobe Reader 8.1.1 Adobe Reader 7.0.9 Adobe Reader 7.0.8 Adobe Reader 7.0.7 Adobe Reader 7.0.6 Adobe Reader 7.0.5 Adobe Reader 7.0.4 Adobe Reader 7.0.3 Adobe Reader 7.0.2 Adobe Reader 7.0.1 Adobe Reader 7.0 Adobe Reader 8.1 Adobe Reader 8.0 Adobe Acrobat Professional 8.1.2 Adobe Acrobat Professional 8.1.1 Adobe Acrobat Professional 7.0.9 Adobe Acrobat Professional 7.0.8 Adobe Acrobat Professional 7.0.7 Adobe Acrobat Professional 7.0.6 Adobe Acrobat Professional 7.0.5 Adobe Acrobat Professional 7.0.4 Adobe Acrobat Professional 7.0.3 Adobe Acrobat Professional 7.0.2 Adobe Acrobat Professional 7.0.1 Adobe Acrobat Professional 8.1 Adobe Acrobat Professional 8.0 |
| Not Vulnerable: |
Adobe Reader 8.1.2 Security Updat Adobe Reader 7.1 Adobe Acrobat Professional 8.1.2 Security Updat Adobe Acrobat Professional 7.1 |
Discussion
Adobe Acrobat and Reader JavaScript Method Remote Code Execution Vulnerability
Adobe Acrobat and Reader are prone to a remote code-execution vulnerability because the software fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users.
The following applications are affected:
- Adobe Reader 8.0 through 8.1.2
- Adobe Reader 7.0.9 and prior
- Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
- Adobe Acrobat Professional, 3D and Standard 7.0.9 and prior
NOTE: This vulnerability may be related to the issue described in BID 29420 (Adobe Acrobat Reader Unspecified Remote Denial Of Service Vulnerability).
Adobe Acrobat and Reader are prone to a remote code-execution vulnerability because the software fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users.
The following applications are affected:
- Adobe Reader 8.0 through 8.1.2
- Adobe Reader 7.0.9 and prior
- Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
- Adobe Acrobat Professional, 3D and Standard 7.0.9 and prior
NOTE: This vulnerability may be related to the issue described in BID 29420 (Adobe Acrobat Reader Unspecified Remote Denial Of Service Vulnerability).
Exploit / POC
Adobe Acrobat and Reader JavaScript Method Remote Code Execution Vulnerability
The vendor says that this issue is currently being exploited in the wild.
The vendor says that this issue is currently being exploited in the wild.
Solution / Fix
Adobe Acrobat and Reader JavaScript Method Remote Code Execution Vulnerability
Solution:
The vendor has released an update. Please see the references for more information.
Sun Solaris 10.0
Adobe Reader 8.0
Adobe Acrobat Professional 8.0
Adobe Reader 8.1
Adobe Acrobat Professional 8.1
Adobe Reader 7.0
Adobe Acrobat Professional 7.0.1
Adobe Reader 7.0.1
Adobe Acrobat Professional 7.0.2
Adobe Reader 7.0.2
Adobe Reader 7.0.3
Adobe Acrobat Professional 7.0.3
Adobe Reader 7.0.4
Adobe Acrobat Professional 7.0.4
Adobe Acrobat Professional 7.0.5
Adobe Reader 7.0.5
Adobe Acrobat Professional 7.0.6
Adobe Reader 7.0.6
Adobe Acrobat Professional 7.0.7
Adobe Reader 7.0.7
Adobe Acrobat Professional 7.0.8
Adobe Reader 7.0.8
Adobe Acrobat Professional 7.0.9
Adobe Reader 7.0.9
Adobe Acrobat Professional 8.1.1
Adobe Reader 8.1.1
Adobe Reader 8.1.2
Adobe Acrobat Professional 8.1.2
Solution:
The vendor has released an update. Please see the references for more information.
Sun Solaris 10.0
Adobe Reader 8.0
-
Adobe AcrobatReaderUpd812_SU1_all.msi
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3967 -
Adobe AdbeRdrUpd812SU1_all_i386.dmg
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3966&fileID= 3689 -
Adobe AdbeRdrUpd812SU1_all_ppc.dmg
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3966&fileID= 3688
Adobe Acrobat Professional 8.0
-
Adobe AcrobatReaderUpd812_SU1_all.msi
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3975
Adobe Reader 8.1
-
Adobe AcrobatReaderUpd812_SU1_all.msi
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3967 -
Adobe AdbeRdrUpd812SU1_all_i386.dmg
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3966&fileID= 3689 -
Adobe AdbeRdrUpd812SU1_all_ppc.dmg
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3966&fileID= 3688
Adobe Acrobat Professional 8.1
-
Adobe AcrobatReaderUpd812_SU1_all.msi
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3975
Adobe Reader 7.0
-
Adobe AcroStdUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3947
Adobe Acrobat Professional 7.0.1
-
Adobe AcroProUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3948
Adobe Reader 7.0.1
-
Adobe AcroStdUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3947
Adobe Acrobat Professional 7.0.2
-
Adobe AcroProUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3948
Adobe Reader 7.0.2
-
Adobe AcroStdUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3947
Adobe Reader 7.0.3
-
Adobe AcroStdUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3947
Adobe Acrobat Professional 7.0.3
-
Adobe AcroProUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3948
Adobe Reader 7.0.4
-
Adobe AcroStdUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3947
Adobe Acrobat Professional 7.0.4
-
Adobe AcroProUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3948
Adobe Acrobat Professional 7.0.5
-
Adobe AcroProUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3948
Adobe Reader 7.0.5
-
Adobe AcroStdUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3947
Adobe Acrobat Professional 7.0.6
-
Adobe AcroProUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3948
Adobe Reader 7.0.6
-
Adobe AcroStdUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3947
Adobe Acrobat Professional 7.0.7
-
Adobe AcroProUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3948
Adobe Reader 7.0.7
-
Adobe AcroStdUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3947
Adobe Acrobat Professional 7.0.8
-
Adobe AcroProUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3948
Adobe Reader 7.0.8
-
Adobe AcroStdUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3947
Adobe Acrobat Professional 7.0.9
-
Adobe AcroProUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3948
Adobe Reader 7.0.9
-
Adobe AcroStdUpd710_all_cum.exe
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3947
Adobe Acrobat Professional 8.1.1
-
Adobe AcrobatReaderUpd812_SU1_all.msi
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3975
Adobe Reader 8.1.1
-
Adobe AcrobatReaderUpd812_SU1_all.msi
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3967 -
Adobe AdbeRdrUpd812SU1_all_i386.dmg
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3966&fileID= 3689 -
Adobe AdbeRdrUpd812SU1_all_ppc.dmg
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3966&fileID= 3688
Adobe Reader 8.1.2
-
Adobe AcrobatReaderUpd812_SU1_all.msi
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3967 -
Adobe AdbeRdrUpd812SU1_all_i386.dmg
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3966&fileID= 3689 -
Adobe AdbeRdrUpd812SU1_all_ppc.dmg
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3966&fileID= 3688
Adobe Acrobat Professional 8.1.2
-
Adobe AcrobatReaderUpd812_SU1_all.msi
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3975
References
Adobe Acrobat and Reader JavaScript Method Remote Code Execution Vulnerability
References:
References:
- Adobe Homepage (Adobe)
- RHSA-2008:0641-5 Critical: acroread security update (Red Hat)
- Security Update available for Adobe Reader and Acrobat 8.1.2 (Adobe)
- Sun Alert 240106 Multiple Security Vulnerabilities in the Adobe Reader may lead (Sun Microsystems)
- Vulnerability Note VU#788019 Adobe Reader and Adobe Acrobat contain an unspecifi (US-CERT)