iDefense Security Advisory 01.12.10
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2010

I. BACKGROUND

Adobe Reader and Acrobat are Portable Document Format (PDF) reader and
processors. For more information, please visit following pages:

http://www.adobe.com/products/reader/
http://www.adobe.com/products/acrobat/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in multiple
versions of Adobe Systems Inc.'s Reader and Acrobat PDF reader and
processor could allow an attacker to execute arbitrary code with the
privileges of the current user.

The vulnerability occurs when processing the Jp2c stream of a JpxDecode
encoded data stream within a PDF file. During the processing of a
JPC_MS_RGN marker, an integer sign extension may cause a bounds check
to be bypassed. This results in an exploitable memory corruption
vulnerability.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to execute
arbitrary code with the privileges of the user opening the file. The
attacker will have to create a malicious PDF file and convince the
victim to open it. This can be accomplished by embedding the PDF file
into an IFrame inside of a Web page, which will result in automatic
exploitation once the page is viewed. The file could also be e-mailed
as an attachment or placed on a file share. In these cases, a user
would have to manually open the file to trigger exploitation. If
preview is enabled in Windows Explorer, Acrobat will try to generate a
preview for PDF files when a folder containing PDF files is accessed,
thus triggering the exploitation.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in latest
version of Adobe Reader, at the time of testing, version 9.1.0.
Previous versions may also be affected.

Adobe has stated that all 9.2 and below versions, as well as all 8.1.7
and below versions are vulnerable.

V. WORKAROUND

None of the following workarounds will prevent exploitation, but they
can reduce potential attack vectors and make exploitation more
difficult.

Prevent PDF documents from being opened automatically by the Web browser
Disable JavaScript
Disable PDFShell extension by removing or renaming the Acrord32info.exe file

VI. VENDOR RESPONSE

Adobe has released a patch which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.

http://www.adobe.com/support/security/bulletins/apsb10-02.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-3955 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/06/2009  Initial Contact
08/06/2009  Initial Response
09/16/2009  Vendor requested POC. iDefense sent POC.
09/17/2009  Vendor response.
01/12/2010  Coordinated public disclosure.

IX. CREDIT

This vulnerability was reported to iDefense by   Code Audit Labs
http://www.vulnhunt.com.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.