Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

New 0-day Vulnerability in Adobe Acrobat Reader


Posted: 08 Nov 2010 01:16 PM | Tamas Rudnai | 1 comment(s)


A new, potentially critical vulnerability in Adobe Acrobat Reader has come to our attention at Websense Security Labs. Quick analysis shows that malicious PDF documents trigger the vulnerability by invoking the Doc.printSeps() function. The proof-of-concept code uses heap spraying to place shellcode in memory before exploiting the vulnerability.
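As an added defender-side illustration (not code from Websense or Adobe, and not the proof-of-concept itself), the following Python triage script flags PDFs whose JavaScript calls printSeps() or carries a heap-spray-style unescape('%u...') string; it inflates FlateDecode streams and resolves #xx name escapes so an obfuscated /JS key is not missed. The heap-spray regex, the marker names and the minimal sample-PDF builder are assumptions made for this example.

```python
import re
import zlib

# Markers searched for in the raw file and in inflated streams. The
# printSeps() call is the one named in the post; the JavaScript keys and
# the unescape("%u...") heap-spray pattern are assumed triage heuristics.
JS_MARKERS = (b"/JavaScript", b"/JS")
PRINTSEPS_RE = re.compile(rb"printSeps\s*\(")
SPRAY_RE = re.compile(rb"unescape\s*\(\s*['\"](?:%u[0-9a-fA-F]{4}){4,}")

def _normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names (/J#53 -> /JS) so obfuscated keys match."""
    return re.sub(rb"#([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def _inflate_streams(data: bytes) -> bytes:
    """Return the decompressed content of every FlateDecode stream, joined."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:  # decompressobj tolerates the trailing newline before 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data; the raw bytes are scanned anyway
    return b"\n".join(out)

def triage_pdf(data: bytes) -> dict:
    """Return coarse triage flags for one PDF given as bytes."""
    # Inflate from the untouched bytes first: name normalisation could
    # otherwise rewrite a '#xx' sequence inside compressed stream data.
    text = _normalise_names(data) + b"\n" + _inflate_streams(data)
    return {
        "has_javascript": any(k in text for k in JS_MARKERS),
        "calls_printSeps": bool(PRINTSEPS_RE.search(text)),
        "heap_spray_like": bool(SPRAY_RE.search(text)),
    }

def build_sample(js: bytes, compress: bool = True) -> bytes:
    """Constructed minimal PDF whose OpenAction runs `js` (synthetic test input)."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << " + filt + b"/Length %d >>\n" % len(body) +
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")
```

Run `triage_pdf(open(path, "rb").read())` over a quarantined sample to get the three flags; a hit on calls_printSeps together with heap_spray_like is a strong reason to hold the file for deeper analysis.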

Websense Security Labs is monitoring the situation, and we will update this blog post as we discover more. It is possible that malicious hackers could set up rigged Web sites, or insert malicious code into legitimate but compromised sites, to infect visitors. The vulnerability could be used for remote code execution, but we are still investigating these claims. Websense customers are protected by our ACE real-time analytics.

Adobe has published advice on how to mitigate this vulnerability by blacklisting the vulnerable function call. The issue was unknown to the Adobe PSIRT team when Websense Security Labs informed them of it. Respecting their wishes, we disclosed the issue only after their announcement. In the meantime, VUPEN also disclosed the issue.

In our test, Adobe Acrobat Reader crashed when the proof of concept document was loaded.

We will update this blog post with any interesting developments.

Update 09-Nov-2010:

The vulnerability is now registered as CVE-2010-4091 on mitre.org. Adobe also references the issue in its security advisory APSA10-05. There is still no evidence that this vulnerability has been exploited in the wild.

Comments

exploit dev said on Thursday, November 11, 2010 4:31 PM

Days ago, just after the PDF was published on the Full Disclosure mailing list, I started a brief analysis of this issue. Some screenshots are available at extraexploit.blogspot.com/.../full-disclosure-xplpdf-adober-reader-94.html. This issue seems very difficult to exploit. Specifically, according to other independent researchers, you have to play with the allocating/freeing heap chain before exploiting. At least that is what I have understood during my analysis and from reading tweets about it. Any suggestions are welcome.
