Adobe Reader EScript.api arbitrary code execution

2008-02-12T00:00:00
ID VU:140129
Type cert
Reporter CERT
Modified 2008-05-09T00:00:00

Description

Overview

The Adobe Acrobat Reader contains a vulnerability that may allow an attacker to execute arbitrary code.

Description

Adobe Acrobat Reader is software designed to view Portable Document Format (PDF) files. Adobe also distributes the Adobe Acrobat Plug-In to allow users to view PDF files inside of a web browser.

Per iDefense Advisory 02.08.08:

_Remote exploitation of an insecure method exposed by the JavaScript library in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code as the current user.

Adobe Reader and Acrobat implement a version of JavaScript in the EScript.api plug-in which is based on the reference implementation used in Mozilla products. One of the methods exposed allows direct control over low-level features of the object, which in turn allows execution of arbitrary code._

Impact

By convincing a user to open a malicious PDF file, a remote, unauthenticated attacker may be able to execute arbitrary code. This can happen in several ways, such as opening an email attachment or viewing a web page.
Solution

Update