search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Adobe Acrobat AcroPDF ActiveX control fails to properly handle malformed input

Vulnerability Note VU#198908

Original Release Date: 2006-11-30 | Last Revised: 2007-03-19

Overview

The Adobe Acrobat AcroPDF ActiveX control fails to properly handle malformed input to its methods. This could allow an attacker to cause the application using the ActiveX control to crash.

Description

Adobe Acrobat and Adobe Reader provide an ActiveX control to allow applications such as Internet Explorer to open PDF files. The control, which is provided by the file AcroPDF.dll, fails to properly handle input to its methods. By calling certain methods with specific input, the application hosting the ActiveX control can crash.

More information about this issue can be found in Adobe Security bulletin APSB06-20.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to cause Internet Explorer (or any program using the Adobe AcroPDF control) to crash. Note that this crash does not appear to be exploitable to execute arbitrary code.

Solution

Upgrade Adobe Reader as prescribed by Adobe
Adobe has addressed this issue in Adobe Reader 8. Users should upgrade to Adobe Reader 8 as soon as possible.

Users who are unable to upgrade to Adobe Reader 8 should upgrade to an unaffected version of the AcroPDF ActiveX control. Instrcutions on how to upgrade the AcroPDF ActiveX control are listed in Adobe Security bulletin APSB06-20.

Disable the AcroPDF ActiveX control


According to Adobe Security advisory APSA06-20, the AcroPDF ActiveX control can be disabled by taking the following steps:

    1. Exit Internet Explorer and Adobe Reader.
    2. Browse to <volume>:\Program Files\Adobe\Acrobat 7.0\ActiveX.
       Note: If you did not install Acrobat to the default location, browse to the location of your Acrobat 7.0 folder.
    3. Select AcroPDF.dll and delete it.
    Disable the AcroPDF ActiveX control in Internet Explorer

    The Adobe AcroPDF ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

    {CA8A9780-280D-11CF-A24D-444553540000}
    More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CA8A9780-280D-11CF-A24D-444553540000}]
    "Compatibility Flags"=dword:00000400
    Disable ActiveX

    Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document. 

    Vendor Information

    198908
     
    Affected   Unknown   Unaffected

    Adobe

    Notified:  November 30, 2006 Updated:  December 07, 2006

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Please see Adobe Security advisory APSA06-02 and Adobe Security bulletin APSB06-20:

    If you have feedback, comments, or additional information about this vulnerability, please send us email.


    CVSS Metrics

    Group Score Vector
    Base N/A N/A
    Temporal N/A N/A
    Environmental N/A

    References

    Acknowledgements

    This vulnerability was reported by Michal Bucko.

    This document was written by Will Dormann.

    Other Information

    CVE IDs: CVE-2006-6027
    Severity Metric: 9.32
    Date Public: 2006-11-17
    Date First Published: 2006-11-30
    Date Last Updated: 2007-03-19 19:28 UTC
    Document Revision: 18

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.