Adobe Acrobat and Acrobat Reader Remote Code Execution

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: December 15, 2009
Notification Version: 1.6

Name: Adobe Acrobat and Acrobat Reader Remote Code Execution
Public disclosure/In the wild date: December 11, 2009
CVE: CVE-2009-4324
Description:

A vulnerability in Adobe Acrobat and Acrobat Reader can result in remote code execution.

This vulnerability was discovered being exploited in the wild on Dec. 11, 2009, and publicly acknowledged by Adobe on Dec. 14, 2009. New in-the-wild PDF variants were discovered by ISS Managed Security Services on Dec. 18, 2009, indicating that this attack is being picked up by more attackers using more traditional obfuscation and attack techniques.

ISS Coverage

Product                               Content Version
Network Sensor 7.0                    29.121
Proventia A                           29.121
Proventia IPS (G/GX)                  29.121
Server Sensor 7.0                     29.121
Proventia Multifunction Appliance     29.121
Proventia Server (Linux)              29.121
Proventia Server (Windows)            2461
Proventia Desktop                     2461
Propagation Techniques / ISS Protection Available

remote exploit (in-the-wild samples):
    JavaScript_NOOP_Sled***         Mar 24, 2006
    PDF_Stream_Hiding               Dec 17, 2009
    PDF_JavaScript_Detected*        Feb 13, 2008

PoCs (public exploit code, not current in-the-wild samples):
    PDF_Encoded_JavaScript_Tag**    Apr 14, 2009

Malware (Proventia-M):
    Mal/Behav-027

* This signature is not set to block by default, because it blocks any PDF containing JavaScript. However, it does detect the exploits currently in the wild and can be enabled if your organization wants a lock-down mode that blocks current exploits. Additional non-blocking signatures that have detected in-the-wild samples are:
    PDF_JavaScript_Hex
    PDF_Obfuscated_Stream
    PDF_Encoded_Filter_Tag

** This signature is set to block in the default policy.

*** This signature blocks malicious web pages hosting a new PDF variant discovered by ISS Managed Security Services on Dec. 18, 2009.
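The footnotes above make two points a detection engineer should keep in mind: a signature that fires on any JavaScript in a PDF is a lock-down control rather than a default block, and JavaScript tags can be encoded so that a naive string match misses them. The following Python is an added illustration of both, not ISS signature logic (the advisory gives no signature internals). It scans constructed PDF fragments (not the in-the-wild samples) for JavaScript action names, resolving the #xx hex escapes that PDF name syntax permits; reading the "Encoded ... Tag" signature names as referring to that kind of encoding is an assumption.

```python
import re

# Constructed sample PDF fragments (not real malware, not the samples the
# advisory describes). The script in the first two is a harmless app.alert,
# which is exactly why an "any JavaScript" rule fires on benign files too.
HARMLESS_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj
"""

# Same content, but the names use the #xx hex escapes that PDF name syntax
# allows: /J#61vaScript is the same name as /JavaScript, /#4A#53 is /JS.
HEX_ESCAPED_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /J#61vaScript /#4A#53 (app.alert('hello')) >> endobj
"""

NO_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
"""

# A PDF name token: '/' followed by regular characters (no whitespace or
# delimiters). '#' is a regular character, so escaped names are captured whole.
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes in a PDF name token (b'J#61vaScript' -> b'JavaScript')."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Flag JavaScript-related names and record any that were hex-escaped.

    A naive substring search for b'/JavaScript' would miss the escaped form;
    matching on the decoded name catches both spellings.
    """
    js_names = {b"JavaScript", b"JS"}
    findings = {"javascript": False, "encoded_js_tag": False, "encoded_names": []}
    for m in NAME_RE.finditer(data):
        raw = m.group(1)
        decoded = decode_name(raw)
        if decoded in js_names:
            findings["javascript"] = True
            if raw != decoded:
                findings["encoded_js_tag"] = True
                findings["encoded_names"].append(raw.decode("ascii", "replace"))
    return findings


if __name__ == "__main__":
    samples = [("harmless", HARMLESS_JS), ("hex-escaped", HEX_ESCAPED_JS), ("no-js", NO_JS)]
    for label, sample in samples:
        print(label, scan_pdf(sample))
```

The "javascript" flag is true for the harmless sample as well as the escaped one, which mirrors why a JavaScript-present signature is kept non-blocking by default; the "encoded_js_tag" flag isolates the escaped spelling, which is a much rarer thing to see in legitimate documents and so a more reasonable default block.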

Detailed Description

Business Impact:

This vulnerability could result in remote code execution if a victim opens a specially-crafted PDF (portable document format) file.   Adobe Acrobat and Acrobat Reader are vulnerable and, at the time of publication, had no patch available.  Links to these malicious documents can easily be sent through spam or through links on seemingly non-malicious Web sites. Active exploitation led to the discovery of this vulnerability.

*CVSS:
  Base Score: 9.3
    Access Vector: Network
    Access Complexity: Medium
    Authentication: None
    Confidentiality Impact: Complete
    Integrity Impact: Complete
    Availability Impact: Complete
  Adjusted Temporal Score: 8.8
    Exploitability: High
    Remediation Level: Workaround
    Report Confidence: Confirmed

Affected Products: For a full list of affected versions, see references below.

Technical Description:

Adobe Acrobat and Reader could allow a remote attacker to execute arbitrary code on the system, caused by an unspecified memory corruption error. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to execute arbitrary code with elevated privileges.

Remediation:

At the time of publication, patches were not available.  Customers can deploy security products to block exploits.

References

Adobe: http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
Adobe: http://www.adobe.com/support/security/advisories/apsa09-07.html
XFDB: http://xforce.iss.net/xforce/xfdb/54747
SANS: http://isc.sans.org/diary.html?storyid=7984
FrequencyX: http://blogs.iss.net/archive/attacksreportedbygoogle.html
(relationship to attacks reported by Google is in dispute as of Jan. 15, 2010)

Revision History

1.0 Initial publication.
1.1 Clarified wording for initial signature coverage.
1.2 Added link to Adobe bulletin.
1.3 Added PoC coverage.
1.4 Added new signature coverage.
1.5 New variants were discovered, caught through the generic Proventia obfuscation signatures used to protect IBM ISS Managed Security Services customers.
1.6 Added additional signatures that triggered on samples found in the wild, and links to the SANS post and FrequencyX blog post.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Security Systems

IBM Security Systems include an extensive portfolio of hardware, software solutions, professional and managed services offerings covering the spectrum of IT and business security risks: people and identity, data and information, application and process, network, server and endpoint and physical infrastructure, empowering clients to innovate and operate their businesses on the most secure infrastructure platforms. Through world-class solutions that address risk across the enterprise, IBM helps organizations build a strong security posture that helps reduce costs, improve service, and manage risk. IBM X-Force(R) Research and Development is one of the most renowned commercial security research and development groups in the world. For more information on how to address today's biggest risks, please visit us at ibm.com/security.