[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 481/05 - Three Adobe Reader/Acrobat Security Advisories:



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 481/05 dated 28.06.05  Time: 14:20  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Three Adobe Reader/Acrobat Security Advisories:
1. CAN-2005-1306 - XML External Entity vulnerability in Adobe Reader/Acrobat
2. CAN-2005-1624 - Acrobat/Reader Updater elevated folder permissions 
3. CAN-2005-1623 - Arbitrary application execution from a malicious PDF document 

Detail
====== 

1. The vulnerability is within the Adobe Reader control .  If an XML script is 
embedded in JavaScript, it is possible to discover the existence of local files.  
An attacker could then use the information gathered for malicious purposes. 

2. The vulnerability is within Adobe Reader/Acrobat's updater.  The 
updater elevates the permissions of a pre-existing Safari's Frameworks folder.  
If no Frameworks folder exists, the Updater will create a new Frameworks folder 
with elevated permissions for all users.

3. he vulnerability is within Adobe Reader/Acrobat.  If malicious 
JavaScript is embedded in PDF files, it is possible to launch arbitrary 
executables on a local machine. 




1.



updated advisory - MAC OS update now available 

- ------------------------------ 

Advisory Name : XML External Entity vulnerability in Adobe Reader/Acrobat   

Release Date: June 15th , 2005 

Last Updated: June 27th , 2005 

Product : Adobe Reader 7.0 and 7.0.1, Adobe Acrobat 7.0 and 7.0.1 

Platform : Macintosh and Windows 

Vulnerability Identifier : CAN-2005-1306 

Overview :  A vulnerability within Adobe Reader/Acrobat has been identified.  
Under certain circumstances, using XML scripts it is possible to discover the 
existence of local files. 

Adobe has solutions available that can rectify these issues.  Please refer to 
the 'Recommendations' section for further information. 

Effect :  I f exploited it may be possible to discover the existence of local 
files on an end-user system. 

Details : The vulnerability is within the Adobe Reader control .  If an XML 
script is embedded in JavaScript, it is possible to discover the existence of 
local files.  An attacker could then use the information gathered for malicious 
purposes. 

However the impact is minimized due to the fact that the existence of local files 
can only be discovered if the complete filenames and paths are known in advance 
by the attacker. 

Recommendations :  

.         If you use Adobe Reader 7.0 or 7.0.1, download the update to Adobe Reader 
7.0.2 at www.adobe.com/support/downloads/main.html <http://www.adobe.com/support/downloads/main.html> 

.         If you use Adobe Acrobat 7.0 or 7.0.1, download the update to Adobe Acrobat 
7.0.2 at www.adobe.com/support/downloads/main.html 

Caveats : None 

Vulnerability Identifier Cross-Reference : CVE ID: CAN-2005-1306 

Acknowledgment: Adobe would like to thank Sverre H. Huseby, thathost.com, for reporting the issue. 

Adobe Disclaimer 

License agreement 

By using software of Adobe Systems Incorporated or its subsidiaries ("Adobe"); 
you agree to the following terms and conditions. If you do not agree with such 
terms and conditions; do not use the software. The terms of an end user license 
agreement accompanying a particular software file upon installation or download 
of the software shall supersede the terms presented below. 

The export and re-export of Adobe software products are controlled by the United 
States Export Administration Regulations and such software may not be exported or 
re-exported to Cuba; Iran; Iraq; Libya; North Korea; Sudan; or Syria or any country 
to which the United States embargoes goods. In addition; Adobe software may not be 
distributed to persons on the Table of Denial Orders; the Entity List; or the 
List of Specially Designated Nationals. 

By downloading or using an Adobe software product you are certifying that you are not 
a national of Cuba; Iran; Iraq; Libya; North Korea; Sudan; or Syria or any country to 
which the United States embargoes goods and that you are not a person on the Table of 
Denial Orders; the Entity List; or the List of Specially Designated Nationals. 

If the software is designed for use with an application software product 
(the "Host Application") published by Adobe; Adobe grants you a non-exclusive license 
to use such software with the Host Application only; provided you possess a valid 
license from Adobe for the Host Application. Except as set forth below; such software 
is licensed to you subject to the terms and conditions of the End User License 
Agreement from Adobe governing your use of the Host Application. 

DISCLAIMER OF WARRANTIES: YOU AGREE THAT ADOBE HAS MADE NO EXPRESS WARRANTIES TO 
YOU REGARDING THE SOFTWARE AND THAT THE SOFTWARE IS BEING PROVIDED TO YOU "AS IS" 
WITHOUT WARRANTY OF ANY KIND. ADOBE DISCLAIMS ALL WARRANTIES WITH REGARD TO THE 
SOFTWARE; EXPRESS OR IMPLIED; INCLUDING; WITHOUT LIMITATION; ANY IMPLIED WARRANTIES 
OF FITNESS FOR A PARTICULAR PURPOSE; MERCHANTABILITY; MERCHANTABLE QUALITY OR 
NONINFRINGEMENT OF THIRD PARTY RIGHTS. Some states or jurisdictions do not allow 
the exclusion of implied warranties; so the above limitations may not apply to you. 

LIMIT OF LIABILITY: IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY LOSS OF USE; 
INTERRUPTION OF BUSINESS; OR ANY DIRECT; INDIRECT; SPECIAL; INCIDENTAL; OR 
CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS) REGARDLESS OF THE 
FORM OF ACTION WHETHER IN CONTRACT; TORT (INCLUDING NEGLIGENCE); STRICT PRODUCT 
LIABILITY OR OTHERWISE; EVEN IF ADOBE HAS BEEN ADVISED OF THE POSSIBILITY OF 
SUCH DAMAGES. Some states or jurisdictions do not allow the exclusion or 
limitation of incidental or consequential damages; so the above limitation or 
exclusion may not apply to you. 

 <http://advisories.adobe.com/db/40037/3965750/1.gif> 
- --- 


2.


Advisory Name : Acrobat/Reader Updater elevated folder permissions 

Release Date: June 27th , 2005 

Product : Adobe Reader 7.0 and 7.0.1, Adobe Acrobat 7.0 and 7.0.1 

Platform : Macintosh 

Vulnerability Identifier : CAN-2005-1624 

Overview :  A vulnerability within Adobe Reader/Acrobat has been identified.
Adobe Acrobat/Reader's updater will elevate Safari's Frameworks folder 
permissions for all users when Reader/Acrobat updates are downloaded. 

Adobe has solutions available that can rectify these issues.  Please refer 
to the 'Recommendations' section for further information. 

Effect :  If exploited it may be possible for attackers who can get access 
to the end user's machine to add their own frameworks. 

Details : The vulnerability is within Adobe Reader/Acrobat's updater.  The 
updater elevates the permissions of a pre-existing Safari's Frameworks folder.  
If no Frameworks folder exists, the Updater will create a new Frameworks folder 
with elevated permissions for all users. 

Recommendations :  

.         If you use Adobe Reader 7.0 or 7.0.1, download the update to Adobe 
Reader 7.0.2 at www.adobe.com/support/downloads/main.html 

.         If you use Adobe Acrobat 7.0 or 7.0.1, download the update to Adobe 
Acrobat 7.0.2 at www.adobe.com/support/downloads/main.html 

Caveats : None 

Vulnerability Identifier Cross-Reference : CVE ID: CAN-2005-1624 

Acknowledgment: Adobe would like to thank John C. Welch, for reporting the issue. 

Adobe Disclaimer 

License agreement 

By using software of Adobe Systems Incorporated or its subsidiaries ("Adobe"); 
you agree to the following terms and conditions. If you do not agree with such 
terms and conditions; do not use the software. The terms of an end user license 
agreement accompanying a particular software file upon installation or download 
of the software shall supersede the terms presented below. 

The export and re-export of Adobe software products are controlled by the United 
States Export Administration Regulations and such software may not be exported 
or re-exported to Cuba; Iran; Iraq; Libya; North Korea; Sudan; or Syria or any 
country to which the United States embargoes goods. In addition; Adobe software 
may not be distributed to persons on the Table of Denial Orders; the Entity List; 
or the List of Specially Designated Nationals. 

By downloading or using an Adobe software product you are certifying that you are 
not a national of Cuba; Iran; Iraq; Libya; North Korea; Sudan; or Syria or any 
country to which the United States embargoes goods and that you are not a person 
on the Table of Denial Orders; the Entity List; or the List of Specially Designated 
Nationals. 

If the software is designed for use with an application software product 
(the "Host Application") published by Adobe; Adobe grants you a non-exclusive 
license to use such software with the Host Application only; provided you possess 
a valid license from Adobe for the Host Application. Except as set forth below; 
such software is licensed to you subject to the terms and conditions of the End 
User License Agreement from Adobe governing your use of the Host Application. 

DISCLAIMER OF WARRANTIES: YOU AGREE THAT ADOBE HAS MADE NO EXPRESS WARRANTIES TO 
YOU REGARDING THE SOFTWARE AND THAT THE SOFTWARE IS BEING PROVIDED TO YOU "AS IS" 
WITHOUT WARRANTY OF ANY KIND. ADOBE DISCLAIMS ALL WARRANTIES WITH REGARD TO THE 
SOFTWARE; EXPRESS OR IMPLIED; INCLUDING; WITHOUT LIMITATION; ANY IMPLIED WARRANTIES 
OF FITNESS FOR A PARTICULAR PURPOSE; MERCHANTABILITY; MERCHANTABLE QUALITY OR 
NONINFRINGEMENT OF THIRD PARTY RIGHTS. Some states or jurisdictions do not allow 
the exclusion of implied warranties; so the above limitations may not apply to you. 

LIMIT OF LIABILITY: IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY LOSS OF USE; 
INTERRUPTION OF BUSINESS; OR ANY DIRECT; INDIRECT; SPECIAL; INCIDENTAL; OR CONSEQUENTIAL 
DAMAGES OF ANY KIND (INCLUDING LOST PROFITS) REGARDLESS OF THE FORM OF ACTION WHETHER IN 
CONTRACT; TORT (INCLUDING NEGLIGENCE); STRICT PRODUCT LIABILITY
 OR OTHERWISE; EVEN IF ADOBE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
Some states or jurisdictions do not allow the exclusion or limitation of incidental 
or consequential damages; so the above limitation or exclusion may not apply to you. 

 

 <http://advisories.adobe.com/db/40048/3965749/1.gif> 



3.


Advisory Name : Arbitrary application execution from a malicious PDF document   

Release Date: June 27th , 2005 

Product : Adobe Reader 7.0 and 7.0.1, Adobe Acrobat 7.0 and 7.0.1 

Platform : Macintosh 

Vulnerability Identifier : CAN-2005-1623 

Overview :  A vulnerability within Adobe Reader/Acrobat has been identified.  
Under certain circumstances, it is possible to launch arbitrary executables. 

Adobe has solutions available that can rectify these issues.  Please refer 
to the 'Recommendations' section for further information. 

Effect : I f exploited it may be possible to launch executables on an 
end-user system without the end user's knowledge. 

Details : The vulnerability is within Adobe Reader/Acrobat.  If malicious 
JavaScript is embedded in PDF files, it is possible to launch arbitrary 
executables on a local machine. 

However the impact is minimized due to the fact that the applications can 
be executed only if the complete application names and paths are known in 
advance by the attacker. 

Recommendations :  

.         If you use Adobe Reader 7.0 or 7.0.1, download the update to Adobe 
Reader 7.0.2 at www.adobe.com/support/downloads/main.html 

.         If you use Adobe Acrobat 7.0 or 7.0.1, download the update to Adobe 
Acrobat 7.0.2 at www.adobe.com/support/downloads/main.html 

Caveats : None 

Vulnerability Identifier Cross-Reference : CVE ID: CAN-2005-1623 

Acknowledgment: Adobe would like to thank Aandi Inston, for reporting the issue. 

Adobe Disclaimer 

License agreement 

By using software of Adobe Systems Incorporated or its subsidiaries ("Adobe"); 
you agree to the following terms and conditions. If you do not agree with such 
terms and conditions; do not use the software. The terms of an end user license 
agreement accompanying a particular software file upon installation or download 
of the software shall supersede the terms presented below. 

The export and re-export of Adobe software products are controlled by the United 
States Export Administration Regulations and such software may not be exported 
or re-exported to Cuba; Iran; Iraq; Libya; North Korea; Sudan; or Syria or any 
country to which the United States embargoes goods. In addition; Adobe software 
may not be distributed to persons on the Table of Denial Orders; the Entity List; 
or the List of Specially Designated Nationals. 

By downloading or using an Adobe software product you are certifying that you 
are not a national of Cuba; Iran; Iraq; Libya; North Korea; Sudan; or Syria 
or any country to which the United States embargoes goods and that you are not 
a person on the Table of Denial Orders; the Entity List; or the List of 
Specially Designated Nationals. 

If the software is designed for use with an application software product 
(the "Host Application") published by Adobe; Adobe grants you a non-exclusive 
license to use such software with the Host Application only; provided you 
possess a valid license from Adobe for the Host Application. Except as set 
forth below; such software is licensed to you subject to the terms and conditions 
of the End User License Agreement from Adobe governing your use of the Host Application. 

DISCLAIMER OF WARRANTIES: YOU AGREE THAT ADOBE HAS MADE NO EXPRESS WARRANTIES TO 
YOU REGARDING THE SOFTWARE AND THAT THE SOFTWARE IS BEING PROVIDED TO YOU "AS IS" 
WITHOUT WARRANTY OF ANY KIND. ADOBE DISCLAIMS ALL WARRANTIES WITH REGARD TO THE SOFTWARE; 
EXPRESS OR IMPLIED; INCLUDING; WITHOUT LIMITATION; ANY IMPLIED WARRANTIES OF FITNESS 
FOR A PARTICULAR PURPOSE; MERCHANTABILITY; MERCHANTABLE QUALITY OR NONINFRINGEMENT 
OF THIRD PARTY RIGHTS. Some states or jurisdictions do not allow the exclusion of 
implied warranties; so the above limitations may not apply to you. 

LIMIT OF LIABILITY: IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY LOSS OF USE; 
INTERRUPTION OF BUSINESS; OR ANY DIRECT; INDIRECT; SPECIAL; INCIDENTAL; OR 
CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS) REGARDLESS OF THE 
FORM OF ACTION WHETHER IN CONTRACT; TORT (INCLUDING NEGLIGENCE); STRICT PRODUCT 
LIABILITY OR OTHERWISE; EVEN IF ADOBE HAS BEEN ADVISED OF THE POSSIBILITY OF 
SUCH DAMAGES. Some states or jurisdictions do not allow the exclusion or 
limitation of incidental or consequential damages; so the above limitation or 
exclusion may not apply to you. 

 <http://advisories.adobe.com/db/40047/3965749/1.gif> 

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Adobe for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQsFOlopao72zK539AQFCkwQAhqF8q5f7YdiKz3m4iYJzUi7ua1r89oja
Kak9ckh2Y7CbdryfdeElcMk3dLxApPq+ACmhv4ILNPV1gd/+EDvu8LIc5jNTSX5c
267qScEhnLj/5FEw7vBGqC2lLYL9r4m1LAYDz3vTYUwBKDtsqQMd/IOyFzmoI/Ba
PzyAAhFqqYc=
=1/vl
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________