|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
 |
Vulnerability Note VU#184820
Adobe Acrobat does not adequately validate Acrobat JavaScript
OverviewAdobe Acrobat contains a vulnerability in its JavaScript parsing engine that could allow an attacker to place arbitrary files on the local file system.
I. DescriptionDifferent versions of Adobe Acrobat software can create, modify, and read Portable Document Format (PDF) files. Acrobat JavaScript implements PDF-specific objects, methods, and properties and provides functionality similar to that of HTML client JavaScript. More information about Acrobat JavaScript is available from Acrobat 5 JavaScript Training site and in the Acrobat JavaScript Object Specification.
A vulnerability in the way Acrobat 5 validates JavaScript in PDF files could allow arbitrary files to be written to any location on the local file system that is writeable by the user running Acrobat. From the Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch:
Due to a vulnerability in the JavaScript parsing engine, a malicious PDF document can instruct Acrobat to write code into the user's Plug-ins folder. Any file in the user's Plug-ins folder that is developed to the Acrobat plug-in specification will automatically install and run when a user launches Acrobat.
According to Adobe, the full version of Acrobat 5 and Acrobat Approval 5 for the Windows platform are vulnerable. Acrobat 6 and all versions of Acrobat Reader are not vulnerable. Acrobat and Acrobat Approval for Macintosh and Acrobat for UNIX are not vulnerable.
II. ImpactAn attacker could cause arbitrary files to be written to the local file system within the scope of the users' permissions.
A virus (W32.Yourde) that exploits this vulnerability has been discovered. This virus does not destroy data. More detailed information is available in write-ups from Symantec and McAfee.
III. Solution
Apply Patch or Upgrade
Install the Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch or upgrade to Acrobat 6 or later.
Disable JavaScript
Acrobat JavaScript can be disabled in the General preferences dialog (Edit > Preferences > General > JavaScript).
Restrict Access to Plug-ins Directory
Use NTFS file permissions to prevent users from writing to the Plug-ins directory (typically C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Plug_ins). This will protect against the W32.Yourde virus, but it will not prevent malicious JavaScript from writing to other locations.
Remove JavaScript Plug-in
Remove the JavaScript plug-in (EScript.api) from the Plug-ins directory. This will effectively disable Acrobat JavaScript and may cause other unexpected results.
Maintain Anti-Virus Software
As a general best practice, maintain updated anti-virus software. Links to anti-virus vendors and other information are available on the Computer Virus Resources page.
Systems Affected
References
http://www.cert.org/other_sources/viruses.html
http://www.adobe.com/support/downloads/detail.jsp?ftpID=2121
http://securityresponse.symantec.com/avcenter/venc/data/w32.yourde.html
http://vil.nai.com/vil/content/v_100269.htm
http://partners.adobe.com/asn/developer/training/acrobat/javascript/main.html
http://partners.adobe.com/asn/acrobat/docs.jsp
http://partners.adobe.com/asn/developer/pdfs/tn/5186AcroJS.pdf
Credit
This vulnerability was reported by John Landwehr of Adobe Systems Inc.
This document was written by Art Manion.
Other Information
| Date Public: | 2003-04-30 |
| Date First Published: | 2003-05-13 |
| Date Last Updated: | 2003-07-10 |
| CERT Advisory: | |
| CVE-ID(s): | CAN-2003-0284 |
| NVD-ID(s): | CAN-2003-0284 |
| US-CERT Technical Alerts: | |
| Metric: | 4.65 |
| Document Revision: | 35 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader