-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: Security Advisory 2011-0026
Title: Adobe Acrobat and Reader U3D Memory Corruption Vulnerability [1]

Version History:
07/12/2011 Initial Publication.
23/01/2012 Updated with fixes [3][4]

Summary
=======

Adobe Acrobat and Reader are prone to a remote memory corruption vulnerability.

CVE-2011-2462 (Candidate)

Severity Level [2]
CVSS2 Base        6.8
Remote            Yes
Local             No
Credibility       Vendor Confirmed
Ease              Exploit Available
Authentication    Not Required

Potential Impact
================

Successful exploits will allow attackers to compromise the affected application and possibly the underlying computer. Failed exploit attempts will likely cause denial-of-service conditions.

1. An attacker creates a malicious PDF file to leverage this issue and to perform some action on their behalf.
2. The attacker distributes the file and entices a victim into opening it with an affected application.
3. When the file is opened the issue is triggered and the attacker-supplied code is executed.

Vulnerable systems
==================

Amongst others:
Adobe Acrobat 9 to 9.4.5
Adobe Acrobat 10.0 to 10.1.1
Adobe Acrobat Professional 10.0 to 10.1.1
Adobe Acrobat Professional 9.1 to 9.4.5
Adobe Acrobat Standard 9.1 to 9.4.5
Adobe Reader 9
Adobe Reader 10.0 to 10.1.1
Adobe Reader 9.1 to 9.1.3
Adobe Reader 9.2
Adobe Reader 9.3 to 9.3.4
Adobe Reader 9.4 to 9.4.6

What can you do ?
=================

Solutions:

As a workaround the vendor recommends users to view PDF files using protected mode included in Adobe Reader X and Adobe Acrobat X. Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information please mail us back.

[3] Adobe has released updates to address critical vulnerabilities in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. Adobe has also released Adobe Reader 9.5. [4]

Work-arounds:

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit.

Do not accept or execute files from untrusted or unknown sources.
To limit exposure to these and other latent vulnerabilities never handle files that originate from unfamiliar or untrusted sources.

Do not follow links provided by unknown or untrusted sources.
To reduce the likelihood of attacks never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.

Implement multiple redundant layers of security.
As an added precaution deploy memory-protection schemes (such as non-executable stack/heap configuration and randomly mapped memory segments). This may complicate exploits of memory-corruption vulnerabilities.

Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities run applications with the minimal amount of privileges required for functionality.

What to tell your users ?
=========================

Normal security best practices apply. Especially, inform your Web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users are to be aware not to click on the link in suspicious emails, and to immediately forward the suspicious email to the respective IT security officer / contact in your institution.
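As an added example (not part of this CERT-EU advisory or of Adobe's guidance), the script below shows how a mail or file gateway can hold inbound PDFs that carry the 3D artwork objects handled by the U3D component named in the title, so they are only opened in protected mode or a sandbox until patched readers are deployed. It assumes the PDF 1.7 markers for 3D content (a /Subtype /3D annotation and a /Type /3D /Subtype /U3D artwork stream), looks inside Flate-compressed object streams as well, and uses constructed sample PDFs; the function names are mine.

```python
import re
import zlib

# Assumed triage key (PDF 1.7, 13.6): annotation /Subtype /3D; artwork stream /Type /3D /Subtype /U3D.
MARKERS = (
    ("3D annotation", re.compile(rb"/Subtype\s*/3D\b")),
    ("3D stream", re.compile(rb"/Type\s*/3D\b")),
    ("U3D stream", re.compile(rb"/Subtype\s*/U3D\b")),
)
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def _inflate(body):
    """Inflate a FlateDecode stream so a 3D dictionary packed into a compressed object stream is still scanned."""
    m = STREAM_RE.search(body)
    if not m or b"/FlateDecode" not in body:
        return b""
    try:
        return zlib.decompressobj().decompress(m.group(1))
    except zlib.error:
        return b""  # truncated or corrupt stream: fall back to the raw bytes only

def find_3d_objects(pdf_bytes):
    """Map object number -> sorted labels of the 3D/U3D markers that object carries."""
    hits = {}
    for m in OBJ_RE.finditer(pdf_bytes):
        num, body = int(m.group(1)), m.group(3)
        haystack = body + _inflate(body)
        labels = sorted(lbl for lbl, rx in MARKERS if rx.search(haystack))
        if labels:
            hits[num] = labels
    return hits

def triage(pdf_bytes):
    """Gateway verdict: 3D content is not proof of malice, but unpatched readers should only see it sandboxed."""
    return "quarantine" if find_3d_objects(pdf_bytes) else "allow"

# Constructed samples (no real exploit content): a clean PDF, and one with a 3D
# annotation, a U3D stream and a Flate-compressed object stream hiding another.
SAMPLE_CLEAN = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                b"2 0 obj\n<< /Type /Pages /Count 0 /Kids [] >>\nendobj\n"
                b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
_HIDDEN = zlib.compress(b"7 0 << /Type /3D /Subtype /U3D >>")
SAMPLE_U3D = (b"%PDF-1.7\n4 0 obj\n<< /Type /Annot /Subtype /3D /3DD 5 0 R >>\nendobj\n"
              b"5 0 obj\n<< /Type /3D /Subtype /U3D /Length 4 >>\nstream\nU3D\x00\nendstream\nendobj\n"
              b"6 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
              + str(len(_HIDDEN)).encode() + b" >>\nstream\n" + _HIDDEN + b"\nendstream\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

A production gateway would pair this with the reader version inventory: once every client runs a fixed version, the quarantine verdict can be relaxed to a log entry.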
More information
================

[1] http://www.adobe.com/support/security/advisories/apsa11-04.html
[2] CVSS Details
[4] http://www.adobe.com/support/security/bulletins/apsb12-01.html

CVSS Version 2 Scores
CVSS2 Base             6.8
CVSS2 Temporal         6.1
CVSS2 Base Vector      AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS2 Temporal Vector  E:F/RL:W/RC:C

More information about CVSS is available at http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID: 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in a best-effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)