National Cyber Alert System
Technical Cyber Security Alert TA08-043A

Adobe Reader and Acrobat Vulnerabilities

Original release date: February 12, 2008
Last revised: –
Source: US-CERT

Systems Affected

• Adobe Reader version 8.1.1 and earlier
• Adobe Acrobat Professional, 3D, and Standard versions 8.1.1 and earlier

Overview

Adobe has released Security advisory APSA08-01 to address multiple vulnerabilities affecting Adobe Reader and Acrobat. The most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code.

I. Description

Adobe Security advisory APSA08-01 addresses a number of vulnerabilities affecting the Adobe Acrobat family of products, including Adobe Reader. Acrobat versions 8.1.1 and earlier are affected. Further details are available in the US-CERT Vulnerability Notes Database.

An attacker could exploit these vulnerabilities by convincing a user to load a specially crafted Adobe Portable Document Format (PDF) file. Acrobat integrates with popular web browsers, and visiting a web site is usually sufficient to cause Acrobat to load PDF content.

At least one of these vulnerabilities is being actively exploited. The SANS Internet Storm Center Handler’s Diary contains more information.

II. Impact

The impacts of these vulnerabilities vary. The most severe of these vulnerabilities allows a remote attacker to execute arbitrary code.

III. Solution

Upgrade

Upgrade Adobe Reader or Acrobat to version 8.1.2 according to the information in Adobe Security advisory APSA08-01.

Disable web browser display for PDF documents

Preventing PDF documents from opening inside a web browser may mitigate this vulnerability. Applying the following workaround in conjunction with upgrading may prevent similar vulnerabilities from being automatically exploited.

To prevent PDF documents from automatically being opened in a web browser with Acrobat or Reader:

1. Open Adobe Acrobat or Adobe Reader.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the Internet section.
5. De-select the “Display PDF in browser” check box.

Disable automatic opening of PDF documents in Microsoft Internet Explorer

To disable automatic opening of PDF files in Microsoft Internet Explorer (IE), a second step is required. To configure IE to prompt before opening a PDF file, disable the “Display PDF in browser” feature (as described above) and then make the following changes to the Windows registry:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
“EditFlags”=hex:00,00,00,00

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript in Adobe Reader and Acrobat may prevent this vulnerability from being exploited. In Acrobat Reader, JavaScript can be disabled in the General preferences dialog (Edit –> Preferences –> JavaScript, de-select Enable Acrobat JavaScript).

IV. References

• US-CERT Vulnerability Notes for Adobe Security advisory APSA08-01 – <http://www.kb.cert.org/vuls/byid?searchview&query=APSA08-01>
• Securing Your Web Browser – <http://www.us-cert.gov/reading_room/securing_browser/>
• Adobe Security Advisory APSA08-01 – <http://www.adobe.com/support/security/advisories/apsa08-01.html>
• Adobe Reader 8.1.2 Release Notes – <http://www.adobe.com/go/kb403079>
• SANS Internet Storm Center Handler’s Diary – <http://isc.sans.org/diary.html?storyid=3958>
• Configuring Windows Explorer – Registry EditFlags – <http://mc-computing.com/WinExplorer/WinExplorerEditFlags.htm>
• Internet Explorer Opens .exe Files Instead of Downloading Them – <http://support.microsoft.com/kb/140991>
• Office Documents opening in IE – <http://blogs.msdn.com/omars/archive/2004/04/29/123181.aspx>

Original Issue Date: 10th October 2007

With the coming festive season and long holiday break, MyCERT would like to alert all System Administrators, Network Administrators, IT Personnel and Internet users to properly secure/harden their systems and networks before they leave for their long holidays.

Based on our experience, we had security incidents with servers compromised and websites defaced during festive seasons/long holiday break. Thus, with the release of the alert, we hope such incidents could be prevented.

System Administrators, Network Administrators should take extra precautions against any possibilities of web defacements and malicious code activities during the festive and long holiday season, by implementing proper preventive measures against the above threats. However, other threats such as Denial of Service and Hack threats should not be overlooked. Data Center Administrators should also take extra precautions against any possibilities of mass defacements involving virtual hosting servers. We have been seeing the trend of mass defacements involving virtual hosting servers belonging to data centers.

Financial Institutions must also be vigilant against any possibilities of phishing activities that target the internet bankings. Customers must be advised adequately on avoiding themselves becoming victims of phishing activities by applying safe browsing and safe internet banking practice.

Make sure contact information of your system, network or security administrator is available in the event of a security incident occurring at or originating from your site/network.

Attached below are some useful guidelines and measures that you may follow to ensure that your systems and networks are properly secured, thus preventing them from being compromised:

1.Make sure all your systems are installed with latest service packs and patches.

If you’re running older versions of operating systems or softwares, make sure you have upgraded them to the latest versions as older versions may have some vulnerabilities that can be manipulated by intruders Aside from that, please make sure that your web based applications and network based appliances are patched accordingly.

You may refer to your respective vendors for the latest patches, service packs and upgrades.
2.If you’re running services, make sure you close unneeded services/ports and other required services should be filtered and patched accordingly.
3.Make sure anti-virus softwares that are running on your hosts and email gateways are updated with latest signature files and are enabled to scan all files.

You may refer to the AV sites at: http://www.mycert.org.my/anti-virus.htm
4.Please check that your systems and networks are configured properly in order to avoid any unnecessary incidents caused by system misconfiguration.
5.Make sure loggings of your systems and servers are properly enabled.
6.Make sure you back up important and relevant data from all your systems.
7.Organizations are recommended to apply defense in depth strategy in protecting their networks. Firewalls, intrusion prevention systems (IPS), network and host based intrusion detection systems (IDS) can prevent and log most of the generic attacks.

List of several Intrusion Detection Systems

http://www.mycert.org.my/resource/ids.htm

8.Home Users who are using PCs/computers at home are advised to:
1.Make sure your PCs, browsers are installed with latest service packs or patches.
2.Install an Anti-Virus software on your PCs which scans and blocks any worms /viruses/malware to the PC. The Anti-virus should be regularly updated with latest signature files in order to detect new worms/viruses.

You may refer to the following AV sites to download anti-virus software.

http://www.mycert.org.my/anti-virus.htm

3.It is recommended for home users to install personal firewalls on their PCs. A personal firewall is capable of blocking and alerting the owner of malicious and suspicious activities.

More information on home user PC security is available at:

http://www.mycert.org.my/homepcsecurity.html

4.Implement safe email-practices.

Safe-email practices document is available at:

http://www.mycert.org.my/faq-safe_email_practices.htm

Please take note that MyCERT is available 24×7 during the festive season/long holiday break for incident reporting and users/organizations may contact us for assistance.

MyCERT can be reached at:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 (monitored during business hours)
Fax : +603 89453442 (monitored during business hours)
Handphone : +60 19 2665850 (24×7 call incident reporting)
SMS : +60 19 2813801 (24×7 SMS reporting)
Business Hours : Mon – Fri 08:30 -17:30 MYT
Web: http://www.mycert.org.my

Postal : Malaysian Computer Emergency Response Team (MyCERT)
CyberSecurity Malaysia
Level 7, SAPURA@MINES
7, Jalan Tasik, The Mines Resort City
43300 Seri Kembangan
Selangor Darul Ehsan
MALAYSIA

Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, Microsoft Outlook Express and Windows Mail, Microsoft Office, Microsoft Office for Mac, and Microsoft SharePoint. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.
Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Outlook Express and Windows Mail
* Microsoft Office
* Microsoft Office for Mac
* Microsoft SharePoint

I. Description

Microsoft has released updates to address vulnerabilities that affect Microsoft Windows, Microsoft Internet Explorer, Microsoft Outlook Express and Windows Mail, Microsoft Office, Microsoft Office for Mac, and Microsoft SharePoint as part of the Microsoft Security Bulletin Summary for October 2007. The most severe vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

Further information about the vulnerabilities addressed by these updates is available in the Vulnerability Notes Database.
II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system. An attacker may also be able to cause a denial of service.
III. Solution
Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the October 2007 security bulletins. The security bulletins describe any known issues related to the updates. Administrators are encouraged to note any known issues that are described in the bulletins and test for any potentially adverse effects.

System administrators should consider using an automated patch distribution system such as Windows Server Update Services (WSUS).
IV. References

* US-CERT Vulnerability Notes for Microsoft October 2007 updates – http://www.kb.cert.org/vuls/byid?searchview&query=ms07-oct
* Microsoft Security Bulletin Summary for October 2007 – http://www.microsoft.com/technet/security/bulletin/ms07-oct.mspx
* Microsoft Update – https://update.microsoft.com/microsoftupdate/
* Windows Server Update Services – http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
* Securing Your Web Browser – http://www.cert.org/tech_tips/securing_browser/
* Mactopia – http://www.microsoft.com/mac/

Original Article : http://www.us-cert.gov/cas/techalerts/TA07-282A.html

Last Updated ( Monday, 05 November 2007 )

* original resources from Government Computer Emergency Response Team

Successful exploitation requires that “register_globals” is enabled…
The vulnerabilities are confirmed in versions 1.5.5 and 1.5.5.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Jesper Jurcenoks

Original Article:
http://secunia.com/advisories/25871/

* original resources from Government Computer Emergency Response Team