Wednesday, September 8, 2010

ZeroDay - Adobe Reader / Acrobat Font Parsing Buffer Overflow Vulnerability

A vulnerability has been discovered in Adobe Reader, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a boundary error in the font parsing code of CoolType.dll and can be exploited to cause a stack-based buffer overflow, e.g. by tricking a user into opening a specially crafted PDF file.

The vulnerability is confirmed in versions 8.2.4 and 9.3.4. Other versions may also be affected.

NOTE: The vulnerability is currently being actively exploited.

Do not open untrusted files.

Reported as a 0-day.

As noted in the Contagio Blog, AV detection for the new PDF and for the malware it drops is very poor: about 2-3% (1 or 2 out of 43 AV engines).

Based on other information that I have seen, I would recommend users disable JavaScript inside Adobe Reader.

1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences.
3. Select the JavaScript category.
4. Uncheck the ‘Enable Acrobat JavaScript’ option.
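The post's mitigations are procedural (do not open untrusted files, turn JavaScript off). As an added example that is not part of the original post and not an Adobe tool, the following Python script is a defender's triage helper for PDFs received by mail or found on a share: it flags files that combine JavaScript with an auto-run action or an embedded font program, the shape a crafted PDF aimed at the font parser tends to take. The two sample PDFs are constructed inside the script, and the marker list and verdict thresholds are my own heuristic assumptions, not published signatures for this bug.

```python
import re
import zlib

# Markers the heuristic looks for. None is malicious on its own: many
# legitimate PDFs embed fonts and some use JavaScript. The combination of an
# auto-run action, JavaScript and an embedded font program is what makes a
# file worth a closer look before it is opened in Reader.
JS_MARKERS = (b"/JavaScript", b"/JS")
AUTO_ACTION_MARKERS = (b"/OpenAction", b"/AA")
FONT_MARKER = b"/FontFile"   # also matches /FontFile2 (TrueType) and /FontFile3

# "stream ... endstream" bodies; \b keeps "endstream" from matching as a start.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)endstream", re.DOTALL)


def _expand_streams(data: bytes) -> bytes:
    """Return the file bytes plus the inflated body of every FlateDecode stream.

    Markers hidden inside compressed object streams would otherwise be invisible
    to a plain substring search. Streams that do not inflate are kept as-is.
    """
    expanded = [data]
    for match in STREAM_RE.finditer(data):
        body = match.group(1)
        try:
            # decompressobj tolerates the newline that precedes "endstream".
            expanded.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            expanded.append(body)
    return b"\n".join(expanded)


def triage_pdf(data: bytes) -> dict:
    """Return a findings dict for a PDF given as raw bytes.

    verdict is "review" when JavaScript appears together with an auto-run
    action or an embedded font program, "notice" when only one kind of marker
    is present, and "low" otherwise. This is a triage aid, not a signature for
    the CoolType bug: a file can be malicious without any of these markers,
    and a flagged file can be entirely benign.
    """
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    view = _expand_streams(data)
    has_js = any(tok in view for tok in JS_MARKERS)
    has_auto = any(tok in view for tok in AUTO_ACTION_MARKERS)
    has_font = FONT_MARKER in view
    if has_js and (has_auto or has_font):
        verdict = "review"
    elif has_js or has_font:
        verdict = "notice"
    else:
        verdict = "low"
    return {
        "javascript": has_js,
        "auto_action": has_auto,
        "embedded_font": has_font,
        "verdict": verdict,
    }


# Constructed sample inputs (not real malware): a minimal benign PDF, and one
# whose catalog has an OpenAction pointing at a Flate-compressed JavaScript
# action plus a FontDescriptor referencing an embedded TrueType font program.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

_JS_ACTION = zlib.compress(b"<< /S /JavaScript /JS (app.alert('hello')) >>")
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Length " + str(len(_JS_ACTION)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _JS_ACTION + b"\nendstream\nendobj\n"
    b"4 0 obj\n<< /Type /FontDescriptor /FontName /Example /FontFile2 5 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, triage_pdf(fh.read()))
    else:
        print("benign    ", triage_pdf(BENIGN_PDF))
        print("suspicious", triage_pdf(SUSPICIOUS_PDF))
```

Run it with one or more PDF paths to triage real files, or with no arguments to see the two constructed samples scored. The script deliberately inflates FlateDecode streams before searching, because a plain `grep` for `/JavaScript` misses actions stored inside compressed object streams.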

The author of the Contagio Blog states that Adobe Security has a copy of the new malicious PDF and is analyzing it.
