The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Adobe Acrobat/Reader: execution of JavaScript code

Synthesis of the vulnerability 

Four vulnerabilities affect the Adobe Acrobat/Reader plugin.
Impacted products: Acrobat, Apache httpd, Firefox, SeaMonkey, NLD, openSUSE, Solaris, RHEL, Slackware, SLES, TurboLinux.
Severity of this bulletin: 3/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 03/01/2007.
Revision date: 04/01/2007.
Références of this threat: 102847, 6526702, APSB07-01, BID-21858, CERTA-2007-AVI-003, CERTA-2007-AVI-024, CERTA-2009-AVI-445, CVE-2007-0044, CVE-2007-0045, CVE-2007-0046, CVE-2007-0047, CVE-2007-0048, MFSA2007-02, RHSA-2007:0017-01, RHSA-2007:0021-01, SSA:2007-066-03, SSA:2007-066-05, SUSE-SA:2007:011, TLSA-2007-12, TLSA-2007-13, TLSA-2007-6, VIGILANCE-VUL-6429, VU#698924, VU#815960.

Description of the vulnerability 

Four vulnerabilities affect the Adobe Acrobat/Reader plugin.

When victim clicks on a link like:
  http://www.example.com/doc.pdf#FDF=http://target/
  http://www.example.com/doc.pdf#XML=http://target/
  http://www.example.com/doc.pdf#XFDF=http://target/
the plugin sends a web query to http://target/. This can be used for example to exploit a Cross Site Request Forgery attack. [severity:3/4; CVE-2007-0044, CVE-2007-0047]

With Firefox, when victim clicks on a link like:
  http://www.example.com/doc.pdf#FDF=javascript:code
  http://www.example.com/doc.pdf#XML=javascript:code
  http://www.example.com/doc.pdf#XFDF=javascript:code
the plugin executes JavaScript code even if the PDF document does not contain any. This code can access to information of session (cookie, password, etc.) of www.example.com website (or of another website if a redirection is used). [severity:3/4; CERTA-2007-AVI-003, CVE-2007-0045, VU#815960]

With Firefox, when victim clicks on a link like:
  http://www.example.com/doc.pdf#FDF=javascript:document.write('jjjjj...');
  http://www.example.com/doc.pdf#XML=javascript:document.write('jjjjj...');
  http://www.example.com/doc.pdf#XFDF=javascript:document.write('jjjjj...');
the plugin frees twice a memory area, which may lead to code execution. [severity:3/4; CVE-2007-0046]

With Internet Explorer, when victim clicks on a link like:
  http://www.example.com/doc.pdf###...
a denial of service occurs. [severity:3/4; CERTA-2007-AVI-024, CERTA-2009-AVI-445, CVE-2007-0048]
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer threat announce impacts software or systems such as Acrobat, Apache httpd, Firefox, SeaMonkey, NLD, openSUSE, Solaris, RHEL, Slackware, SLES, TurboLinux.

Our Vigil@nce team determined that the severity of this computer vulnerability is important.

The trust level is of type confirmed by the editor, with an origin of internet client.

This bulletin is about 4 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with a specialist ability can exploit this cybersecurity alert.

Solutions for this threat 

Adobe Acrobat/Reader: version 8.0.
Version 8 is corrected.

Adobe Acrobat/Reader: version 7.0.9.
Version 7.0.9 is corrected:
  http://www.adobe.com/downloads/updates/

Adobe Acrobat/Reader: version 6.0.6.
Version 6.0.6 is corrected:
  http://www.adobe.com/downloads/

Adobe Acrobat/Reader: workarounds.
A workaround is to deactivate Javascript in the Edition - Preferences menu. This only protects against vulnerabilities 2 and 3.
Another workaround is to deactivate Adobe plugin in web browser. PDF files are then saved on the harddrive. For example:
  Firefox - Tools - Options - Content - Manage - change PDF action to "Save to disk"

Apache httpd: workaround for vulnerabilities of Adobe Acrobat/Reader.
If the web site hosts PDF documents, they can be used to exploit the VIGILANCE-VUL-6429 vulnerability against Adobe Acrobat/Reader.
To protect customers of the website, the Content-Disposition of PDF documents can be changed:
  <IfModule mod_headers.c>
    <FilesMatch "\.pdf$">
       Header append Content-disposition "attachment;"
    </FilesMatch>
  </IfModule>
Thus, PDF documents are not opened by Adobe plugin, but saved on user's harddrive.
Other workarounds are presented in information sources.

Firefox: version 1.5.0.10.
Version 1.5.0.10 is corrected:
  http://www.getfirefox.com/

Firefox: version 2.0.0.2.
Version 2.0.0.2 is corrected:
  http://www.getfirefox.com/

SeaMonkey: version 1.0.8.
Version 1.0.8 is corrected:
  http://www.mozilla.org/projects/seamonkey/

RHEL 3: new acroread packages.
New packages are available:
Red Hat Enterprise Linux version 3 Extras: acroread-7.0.9-1.1.0.EL3

RHEL Extras: new acroread packages.
New packages are available:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
73c315ade9b10b3a242775b392bfddc6 acroread-7.0.9-1.2.0.EL4.i386.rpm
d58a0ec78befce07f559e621087106bf acroread-plugin-7.0.9-1.2.0.EL4.i386.rpm
x86_64:
73c315ade9b10b3a242775b392bfddc6 acroread-7.0.9-1.2.0.EL4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
73c315ade9b10b3a242775b392bfddc6 acroread-7.0.9-1.2.0.EL4.i386.rpm
d58a0ec78befce07f559e621087106bf acroread-plugin-7.0.9-1.2.0.EL4.i386.rpm
x86_64:
73c315ade9b10b3a242775b392bfddc6 acroread-7.0.9-1.2.0.EL4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
73c315ade9b10b3a242775b392bfddc6 acroread-7.0.9-1.2.0.EL4.i386.rpm
d58a0ec78befce07f559e621087106bf acroread-plugin-7.0.9-1.2.0.EL4.i386.rpm
x86_64:
73c315ade9b10b3a242775b392bfddc6 acroread-7.0.9-1.2.0.EL4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
73c315ade9b10b3a242775b392bfddc6 acroread-7.0.9-1.2.0.EL4.i386.rpm
d58a0ec78befce07f559e621087106bf acroread-plugin-7.0.9-1.2.0.EL4.i386.rpm
x86_64:
73c315ade9b10b3a242775b392bfddc6 acroread-7.0.9-1.2.0.EL4.i386.rpm

Slackware: new mozilla-firefox packages.
New packages are available:
Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/mozilla-firefox-1.5.0.10-i686-1.tgz
Slackware 11.0:
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/mozilla-firefox-1.5.0.10-i686-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/extra/mozilla-firefox-2.0.0.2/mozilla-firefox-2.0.0.2-i686-1.tgz

Slackware: new seamonkey packages.
New packages are available:
Slackware 11.0:
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/seamonkey-1.0.8-i486-1_slack11.0.tgz

Solaris: workaround for Adobe Reader.
A workaround is to deactivate Adobe Reader plugin.

SUSE: new acroread packages.
New packages are available:
   openSUSE 10.2:
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/acroread-7.0.9-2.1.i586.rpm
         c37b991bf98afafafe7cef049b19c432
   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/acroread-7.0.9-1.2.i586.rpm
         1c2d6f4028f856b208c7a63a1a085ae2
   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/acroread-7.0.9-2.1.i586.rpm
         065c5b67a4194558d70f23671f0800db
   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/acroread-7.0.9-2.1.i586.rpm
         da0c72bc6379fa546f581d5b73eab620

Turbolinux: new AdobeReader packages.
New packages are available:
Turbolinux FUJI : AdobeReader_enu-7.0.9-1TL1

Turbolinux: new firefox packages.
New packages are available:
Turbolinux FUJI : firefox-1.5.0.10-1

Turbolinux: new seamonkey packages.
New packages are available:
Turbolinux 10 Server x64 Edition : seamonkey-1.0.8-1
Turbolinux 10 Server : seamonkey-1.0.8-1
Turbolinux 10 Desktop : seamonkey-1.0.8-1
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides a networks vulnerabilities patch. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.