
New zero-day JavaScript exploit targets Adobe Reader

04/29/2009:

Adobe Systems Inc. confirmed on Tuesday, April 28, 2009, that it is investigating reports that its popular PDF viewing software, Adobe Reader, contains another critical vulnerability.

A hacker using the handle "Arr1val" has discovered and published two exploitable zero-day vulnerabilities in Adobe Reader and Acrobat. Both make it possible for an attacker to execute arbitrary code on systems with the affected products installed, by tricking users into opening a maliciously crafted PDF file. He tested them first on Linux, on Adobe Reader 8.1.4 and 9.1, which are the most recent versions. Later he retested on Windows and Mac computers and found that the same vulnerability exists on those platforms. Interestingly, Adobe only recently released those versions to fix several other critical vulnerabilities in its Reader and Acrobat programs.

The new bug was first disclosed Monday (4/27/09) on the SecurityFocus website, which published advisory 34736 containing a link to proof-of-concept attack code. The advisory is titled: "Adobe Reader 'getAnnots()' JavaScript Function Remote Code Execution Vulnerability." An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application, according to the advisory.

According to Adobe, all versions of its Reader, even the most up-to-date versions, Reader 9.1 and Reader 8.1.4, are vulnerable. The affected platforms include at least Windows, Mac, Linux and Unix.

This information has been posted on the Adobe website by the Adobe Product Security Incident Response Team (PSIRT), in an article titled "Update on Adobe Reader Issue":

"This is an update on the Adobe Reader vulnerability first discussed on the Adobe PSIRT blog on April 27 (“Potential Adobe Reader Issue”). All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all supported versions for all platforms (Windows, Macintosh and Unix) to resolve this issue. We are working on a development schedule for these updates and will post a timeline as soon as possible. We are currently not aware of any reports of exploits in the wild for this issue. To mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:"


  1. Launch Acrobat or Adobe Reader.

  2. Select Edit>Preferences

  3. Select the JavaScript Category

  4. Uncheck the ‘Enable Acrobat JavaScript’ option

  5. Click OK


Adobe will continue to provide updates on these issues via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog.

I will publish additional details as they become available. You should also check the Adobe website and blog for updates and use the built-in Check for Updates function found under the Help menu, on all current versions of Adobe Reader.

Note that users who operate with less than Administrator privileges would be less impacted if they came upon, or were lured to, a website containing exploit code for this vulnerability, or any other.


Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security and combating spam. Wizcrafts Computer Services was established in 1996.
