Vulnerability Note VU#184820

Adobe Acrobat does not adequately validate Acrobat JavaScript

Original Release date: 13 May 2003 | Last revised: 10 Jul 2003

Overview

Adobe Acrobat contains a vulnerability in its JavaScript parsing engine that could allow an attacker to place arbitrary files on the local file system.

Description

Different versions of Adobe Acrobat software can create, modify, and read Portable Document Format (PDF) files. Acrobat JavaScript implements PDF-specific objects, methods, and properties and provides functionality similar to that of HTML client JavaScript. More information about Acrobat JavaScript is available from the Acrobat 5 JavaScript Training site and in the Acrobat JavaScript Object Specification.

A vulnerability in the way Acrobat 5 validates JavaScript in PDF files could allow arbitrary files to be written to any location on the local file system that is writeable by the user running Acrobat. From the Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch:

    Due to a vulnerability in the JavaScript parsing engine, a malicious PDF document can instruct Acrobat to write code into the user's Plug-ins folder. Any file in the user's Plug-ins folder that is developed to the Acrobat plug-in specification will automatically install and run when a user launches Acrobat.

According to Adobe, the full version of Acrobat 5 and Acrobat Approval 5 for the Windows platform are vulnerable. Acrobat 6 and all versions of Acrobat Reader are not vulnerable. Acrobat and Acrobat Approval for Macintosh and Acrobat for UNIX are not vulnerable.

Impact

An attacker could cause arbitrary files to be written to the local file system within the scope of the user's permissions.

A virus (W32.Yourde) that exploits this vulnerability has been discovered. This virus does not destroy data. More detailed information is available in write-ups from Symantec and McAfee.

Solution

Apply Patch or Upgrade

Install the Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch or upgrade to Acrobat 6 or later.

Disable JavaScript

Acrobat JavaScript can be disabled in the General preferences dialog (Edit > Preferences > General > JavaScript).

Restrict Access to Plug-ins Directory

Use NTFS file permissions to prevent users from writing to the Plug-ins directory (typically C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Plug_ins). This will protect against the W32.Yourde virus, but it will not prevent malicious JavaScript from writing to other locations.
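One way to verify this mitigation is in place, as an added PowerShell example that is not part of the original note or any Adobe tooling: it reports access-control entries that still let non-administrative principals write to the Plug-ins directory and inventories the installed .api files with hashes for comparison against a known-good baseline. The trusted-SID list and the use of a current Windows PowerShell (4.0 or later, for Get-FileHash) are assumptions; the default path is the one quoted above.

```powershell
param(
    # Default path is the one quoted in the advisory; pass the real install path if it differs.
    [string]$PluginDir = 'C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Plug_ins'
)

# Specific rights that allow creating, replacing or re-permissioning files.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped in inheritable ACEs.
$genericMask = 0x50000000

# Assumption: only these well-known principals should be able to write here.
$trustedSids = @(
    'S-1-5-18',       # Local System
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($rights -band ($writeMask -bor $genericMask)) -eq 0) { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        # Resolve the SID to a name where possible; orphaned SIDs stay as SIDs.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.IdentityReference.Value }
        [pscustomobject]@{
            Principal   = $name
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            InheritOnly = [bool]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        }
    }
}

if (-not (Test-Path -LiteralPath $PluginDir -PathType Container)) {
    Write-Warning "Plug-ins directory not found: $PluginDir"
    return
}

'ACEs that let non-administrative principals write to the plug-ins directory:'
Get-UntrustedWriteAce -Path $PluginDir | Format-Table -AutoSize

# Inventory every plug-in (.api) with a hash, for comparison against a known-good baseline.
'Installed plug-ins:'
Get-ChildItem -LiteralPath $PluginDir -Filter *.api -Recurse -File |
    Select-Object FullName, LastWriteTime,
        @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
    Format-List
```

An empty first table means no untrusted principal holds write rights on the directory; entries marked InheritOnly apply to files and subfolders created beneath it rather than to the directory itself.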

Remove JavaScript Plug-in

Remove the JavaScript plug-in (EScript.api) from the Plug-ins directory. This will effectively disable Acrobat JavaScript and may cause other unexpected results.

Maintain Anti-Virus Software

As a general best practice, maintain updated anti-virus software. Links to anti-virus vendors and other information are available on the Computer Virus Resources page.

Systems Affected

Vendor                      Status    Date Notified  Date Updated
Adobe Systems Incorporated  Affected  -              13 May 2003

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This vulnerability was reported by John Landwehr of Adobe Systems Inc.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2003-0284
  • Date Public: 30 Apr 2003
  • Date First Published: 13 May 2003
  • Date Last Updated: 10 Jul 2003
  • Severity Metric: 4.65
  • Document Revision: 35
