Zero-Day Tracker
Common Name:
Adobe ActiveX
Date Disclosed:
11/28/2006
Date Patched:
12/5/2006
Vendor:
Adobe
Application:
Adobe Reader 7.0.0 - 7.0.8
Adobe Acrobat Standard/Professional 7.0.0 - 7.0.8
Description:
Multiple vulnerabilities have been disclosed by FrSIRT that describe vulnerable methods within the Adobe Acrobat/Reader ActiveX control. Although there was no supplied proof of concept for these vulnerabilities, releasing the method names as well as the fact that they are 'memory corruption' errors and 'could be exploited by attackers to take complete control of an affected system' without a vendor-supplied patch will put many Adobe users at risk.
Severity:
High
Code Execution:
Yes
Impact:
Arbitrary code execution under the context of the logged-in user
An ActiveX remote code execution vulnerability has a very high impact since the source of the malicious payload can be any site on the Internet. The problem is even more critical when users are administrators on their local hosts, since the malicious payload would then run with Administrator credentials.
Mitigation:
Now that a patch is released, the best form of mitigation is to install the patch from Adobe. It should be noted that Adobe Reader users who cannot update to Reader 8 must manually replace the vulnerable DLL on their system.
Prior to the patch, the best form of mitigation is to set the kill bit for the CLSID of the Adobe ActiveX control (CA8A9780-280D-11CF-A24D-444553540000), following the directions in KB240797. This disables calls to the ActiveX control from web pages, but still allows PDF documents to be displayed within web browsers when they are browsed to directly.
In the vendor response, Adobe suggests removing the AcroPDF.dll file. This is another form of mitigation which will cause all PDF documents to be opened outside of a web browser with Acrobat directly, but may prove to be a difficult mitigation deployment in large enterprises when compared to the registry-based kill-bit solution.
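The kill-bit mitigation described above, as an added PowerShell example that is not part of the original advisory. It ORs the kill-bit flag (0x400) into the `Compatibility Flags` value for the CLSID listed here, in both the native and WOW6432Node registry views, and reads the value back; the registry path and flag value are those documented in KB240797, and the function names are illustrative.

```powershell
# Added example: set and verify the Internet Explorer kill bit for one CLSID.
# Run from an elevated prompt. Path and flag value follow KB240797.
$Clsid   = '{CA8A9780-280D-11CF-A24D-444553540000}'  # CLSID from this advisory
$KillBit = 0x400                                      # kill-bit flag
$ValueName = 'Compatibility Flags'
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit view on 64-bit Windows; skipped automatically where absent
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Return the current flags for a key, or 0 if the value is not set.
function Get-CompatFlags([string]$Key) {
    $p = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($p) { [int]$p.$ValueName } else { 0 }
}

# Set the kill bit under one registry root, preserving any other flags
# already present. Returns $true/$false after read-back, $null if skipped.
function Set-KillBit([string]$Root) {
    if (-not (Test-Path $Root)) { return $null }
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-CompatFlags $key) -bor $KillBit
    Set-ItemProperty -Path $key -Name $ValueName -Value $flags -Type DWord
    return ((Get-CompatFlags $key) -band $KillBit) -ne 0
}

foreach ($root in $Roots) {
    $result = Set-KillBit $root
    if ($null -eq $result) {
        Write-Output "SKIPPED   $root (registry view not present)"
    } elseif ($result) {
        Write-Output "KILL BIT SET   $root\$Clsid"
    } else {
        Write-Warning "Kill bit NOT set under $root; check permissions"
    }
}
```

Running instances of Internet Explorer must be restarted before the change takes effect.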
Protection:
- eEye's Blink® Personal Edition protects from this vulnerability.
- eEye's Blink® Professional Edition protects from this vulnerability.
- eEye's Retina® Network Security Scanner scans devices to detect this vulnerability.
Patch:
APSB06-20: Update available for potential vulnerabilities in Adobe Reader and Adobe Acrobat 7
Links:
Vendor Response (Adobe)
Original Disclosure (FrSIRT)
Status:
11/28/2006: FrSIRT Disclosure
