Adobe Reader Javascript API getAnnots method vulnerability

2009-05-29T00:00:00
ID SAINT:FA0AC5B49967884BC44994F190A2AB12
Type saint
Reporter SAINT Corporation
Modified 2009-05-29T00:00:00

Description

Added: 05/29/2009
CVE: CVE-2009-1492
BID: 34736
OSVDB: 54130

Background

Adobe Reader is free software for viewing PDF documents.

Problem

A vulnerability in the Javascript API allows command execution when a user opens a PDF file which calls the **getAnnots** method with specially crafted arguments.

Resolution

Apply one of the patches referenced in APSB09-06.

References

<http://www.kb.cert.org/vuls/id/970180>

Limitations

Exploit works on Adobe Reader 8.1.3 and 9.1 and requires a user to open the exploit file in Adobe Reader.

Due to the nature of the vulnerability, the success of the exploit depends on the state of the target system's memory.

Platforms

Linux