
DOE-CIRC INFORMATION BULLETIN

T-020: Security Update for Adobe Reader 8 and Acrobat 8

[apsb08-19]

November 6, 2008 14:00 GMT

PROBLEM: Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
PLATFORM: Adobe Reader 8.1.2 and earlier versions; Adobe Acrobat Professional, 3D and Standard 8.1.2 and earlier versions
DAMAGE: DoS and could potentially allow an attacker to take control of the affected system.
SOLUTION: Upgrade to the appropriate version.

VULNERABILITY
ASSESSMENT:
The risk is MEDIUM. A remote intruder who can get a user to open a malicious pdf file could run code as the logged-in user.

CVSS 2 BASE SCORE:     5.1
   TEMPORAL SCORE:     4.0
   VECTOR:             (AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)

LINKS:  
  DOE-CIRC BULLETIN: http://doecirc.energy.gov/ciac/bulletins/t-020.shtml
  ORIGINAL BULLETIN: http://www.adobe.com/support/security/bulletins/apsb08-19.html
  CVE: CVE-2008-2992 CVE-2008-2549 CVE-2008-4812 CVE-2008-4813 CVE-2008-4817 CVE-2008-4816 CVE-2008-4814 CVE-2008-4815

[***** Start Adobe Security Advisory: apsb08-19 *****]


Security Update available for Adobe Reader 8 and Acrobat 8

Release date: November 4, 2008

Vulnerability identifier: APSB08-19

CVE number: CVE-2008-2992, CVE-2008-2549, CVE-2008-4812, CVE-2008-4813, CVE-2008-4817, CVE-2008-4816, CVE-2008-4814, CVE-2008-4815

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe Reader 9 and Acrobat 9 are not vulnerable to these issues. Adobe recommends users of Acrobat 8 and Adobe Reader 8 who can’t update to Adobe Reader 9 install the 8.1.3 update to protect themselves from potential vulnerabilities.

Affected software versions

Adobe Reader 8.1.2 and earlier versions
Adobe Acrobat Professional, 3D and Standard 8.1.2 and earlier versions

Solution

Adobe Reader

Adobe recommends Adobe Reader users update to Adobe Reader 9, available here:
http://www.adobe.com/go/getreader

Users with Adobe Reader 8.0 through 8.1.2, who can’t update to Adobe Reader 9, should update to Adobe Reader 8.1.3:
http://www.adobe.com/go/getreader

Acrobat 8

Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.3, available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.3, available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D Version 8.1.3, available here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows

Severity rating

Adobe categorizes this as a critical issue and recommends that users apply the update for their product installations.

Details

Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Acrobat and Adobe Reader update their product installations using the instructions above to protect themselves from potential vulnerabilities.

This update resolves multiple input validation errors that could potentially lead to code execution. (CVE-2008-4812)

This update resolves multiple input validation issues that could potentially lead to remote code execution. (CVE-2008-4813)

This update resolves an input validation issue in a JavaScript method that could potentially lead to remote code execution. (CVE-2008-2992)

An input validation issue in the Download Manager used by Adobe Reader that could potentially lead to remote code execution during the download process has been resolved. (CVE-2008-4817)

A Windows-only issue in the Download Manager used by Adobe Reader that could lead to a user’s Internet Security options being changed during the download process has been resolved. (CVE-2008-4816)

This update resolves an input validation issue in a JavaScript method that could potentially lead to remote code execution. (CVE-2008-4814)

This update resolves a potential Unix-only privilege escalation issue. (CVE-2008-4815)

This update resolves a publicly-published denial of service issue. (CVE-2008-2549)

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers' security:



[***** End Adobe Security Advisory: apsb08-19 *****]


DOE-CIRC wishes to acknowledge the contributions of Adobe for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/