Adobe Acrobat does not adequately validate Acrobat JavaScript

Overview

Adobe Acrobat contains a vulnerability in its JavaScript parsing engine that could allow an attacker to place arbitrary files on the local file system.

Description

Different versions of Adobe Acrobat software can create, modify, and read Portable Document Format (PDF) files. Acrobat JavaScript implements PDF-specific objects, methods, and properties and provides functionality similar to that of HTML client JavaScript. More information about Acrobat JavaScript is available from Acrobat 5 JavaScript Training site and in the Acrobat JavaScript Object Specification.

A vulnerability in the way Acrobat 5 validates JavaScript in PDF files could allow arbitrary files to be written to any location on the local file system that is writeable by the user running Acrobat. From the Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch:

Due to a vulnerability in the JavaScript parsing engine, a malicious PDF document can instruct Acrobat to write code into the user’s Plug-ins folder. Any file in the user’s Plug-ins folder that is developed to the Acrobat plug-in specification will automatically install and run when a user launches Acrobat.
According to Adobe, the full version of Acrobat 5 and Acrobat Approval 5 for the Windows platform are vulnerable. Acrobat 6 and all versions of Acrobat Reader are not vulnerable. Acrobat and Acrobat Approval for Macintosh and Acrobat for UNIX are not vulnerable.

---

Impact

An attacker could cause arbitrary files to be written to the local file system within the scope of the users’ permissions.
A virus (W32.Yourde) that exploits this vulnerability has been discovered. This virus does not destroy data. More detailed information is available in write-ups from Symantec and McAfee.

---

Solution

Apply Patch or Upgrade

Install the Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch or upgrade to Acrobat 6 or later.

---

Disable JavaScript

Acrobat JavaScript can be disabled in the General preferences dialog (Edit > Preferences > General > JavaScript).

Restrict Access to Plug-ins Directory

Use NTFS file permissions to prevent users from writing to the Plug-ins directory (typically C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Plug_ins). This will protect against the W32.Yourde virus, but it will not prevent malicious JavaScript from writing to other locations.

Remove JavaScript Plug-in

Remove the JavaScript plug-in (EScript.api) from the Plug-ins directory. This will effectively disable Acrobat JavaScript and may cause other unexpected results.

Maintain Anti-Virus Software

As a general best practice, maintain updated anti-virus software. Links to anti-virus vendors and other information are available on the Computer Virus Resources page.

---

Vendor Information

184820

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Adobe Systems Incorporated __ Affected

Updated: May 13, 2003

Status

Affected

Vendor Statement

Please see the Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23184820 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.adobe.com/support/downloads/detail.jsp?ftpID=2121&gt;
• <http://securityresponse.symantec.com/avcenter/venc/data/w32.yourde.html&gt;
• <http://vil.nai.com/vil/content/v_100269.htm&gt;
• <http://partners.adobe.com/asn/developer/training/acrobat/javascript/main.html&gt;
• <http://partners.adobe.com/asn/acrobat/docs.jsp&gt;
• <http://partners.adobe.com/asn/developer/pdfs/tn/5186AcroJS.pdf&gt;

Acknowledgements

This vulnerability was reported by John Landwehr of Adobe Systems Inc.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2003-0284
Severity Metric:	4.65 Date Public: