Date: 10 January 2007
References: ESB-2007.0001 ESB-2007.0024 ESB-2007.0182 ESB-2009.1395
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2007.0009 -- AUSCERT ALERT
[Win][UNIX/Linux]
Multiple vulnerabilities in Adobe Reader and Acrobat 7.0.8 and prior
10 January 2007
===========================================================================
AusCERT Alert Summary
---------------------
Product:           Adobe Reader 7.0.8 and prior
                   Adobe Acrobat Standard, Professional and Elements 7.0.8 and prior
                   Adobe Acrobat 3D
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact:            Execute Arbitrary Code/Commands
                   Cross-site Scripting
Access:            Remote/Unauthenticated
CVE Names:         CVE-2007-0048 CVE-2007-0046 CVE-2007-0045
                   CVE-2006-5857
Ref:               ESB-2007.0001
Original Bulletin:
                   http://www.adobe.com/support/security/bulletins/apsb07-01.html
Comment:           New vulnerabilities allowing remote compromise of the client
                   computer are addressed, as well as the serious cross-domain
                   vulnerability previously described in ESB-2007.0001.
--------------------------BEGIN INCLUDED TEXT--------------------
Update available for vulnerabilities in versions 7.0.8 and earlier of
Adobe Reader and Acrobat
Release date: January 9, 2007
Vulnerability identifier: APSB07-01
CVE number: CVE-2006-5857, CVE-2007-0045, CVE-2007-0046, CVE-2007-0048
Platform: All Platforms
Affected software versions
Adobe Reader 7.0.8 and earlier versions
Adobe Acrobat Standard, Professional and Elements 7.0.8 and
earlier versions
Adobe Acrobat 3D
Revision:
January 9, 2007 This Security Bulletin provides a solution for the
issue originally documented in Security Advisory APSA07-01 on January
4, 2007, as well as other issues.
Summary:
This Security Bulletin addresses several vulnerabilities, including
issues that have already been disclosed. An update is available for
a cross-site scripting (XSS) vulnerability in versions 7.0.8 and
earlier of Adobe Reader and Acrobat that could allow remote attackers
to inject arbitrary JavaScript into a browser session.
This vulnerability, previously reported in APSA07-01 on January 4, 2007,
has been assigned an important severity rating. Additional
vulnerabilities have been identified in versions 7.0.8 and earlier
of Adobe Reader and Acrobat that could allow an attacker who
successfully exploits these vulnerabilities to take control of the
affected system. These vulnerabilities have been assigned a critical
severity rating. A malicious file must be loaded in Adobe Reader by
the end user for an attacker to exploit these vulnerabilities. It is
recommended that users update to the most current version of Adobe
Reader or Acrobat available.
Solution:
Adobe Reader on Windows
Adobe strongly recommends upgrading to Adobe Reader 8, available from
the following site: http://www.adobe.com/go/getreader.
Users with Adobe Reader 7.0 through 7.0.8, who cannot upgrade to
Reader 8, should upgrade to Reader 7.0.9. Adobe Reader 7.0.9 is
available as a full installation package and not a patch. It can be
installed on top of any older version of Reader 7 and user preferences
will be preserved: http://www.adobe.com/go/getreader.
Adobe Reader on Mac OS
Adobe strongly recommends upgrading to Adobe Reader 8, available from
the following site: http://www.adobe.com/go/getreader.
Users with Adobe Reader 7.0 through 7.0.8, who cannot upgrade to
Reader 8, should upgrade to Reader 7.0.9. The Reader 7.0.9 update
requires that Adobe Reader 7.0.8 is installed on your Mac system. To
determine which version of Adobe Reader is installed, choose Adobe
Reader > About Adobe Reader. The version number appears in the upper
left corner below the Adobe Reader logo.
If version 7.0.8 is installed, download and install this incremental
patch. After downloading the update file, double-click it to begin
the update process and access the file's contents.
If version 7.0, 7.0.1, 7.0.2, 7.0.3, 7.0.5, 7.0.7 or an earlier version
of Reader is installed and customers cannot update to Reader 8, Adobe
recommends that customers download the full Adobe Reader 7.0.9 installer
from the Reader download page.
Adobe Acrobat on Windows or Mac OS
For versions 7.0 through 7.0.8, users should use the product's automatic
update facility. The default installation configuration runs automatic
updates on a regular schedule; an update check can also be started
manually by choosing Help > Check For Updates Now. Alternatively, the
update files can be downloaded and installed manually from
www.adobe.com/downloads.
Adobe Reader on UNIX
For version 7.0, users should upgrade to Adobe Reader 7.0.9 from
http://www.adobe.com/go/getreader.
For versions prior to 7.0, users should upgrade to 7.0.9 from
http://www.adobe.com/go/getreader.
Adobe is working on an update to versions 6.X of Adobe Reader and
Acrobat that will resolve this issue. It is expected to be available
in the near future. This Security Bulletin will be updated as soon
as the update is available.
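As an added example, not part of Adobe's bulletin or AusCERT's alert, the following Python check applies the version ranges above (7.0.8 and earlier affected, 7.0.9 or Reader 8 fixed, 6.x fix still pending, Acrobat 3D listed without a range) to a software inventory. The CSV layout, hostnames and function names are assumptions; the inventory rows are constructed.

```python
"""Fleet check for APSB07-01: flag Adobe Reader/Acrobat installs at 7.0.8 or earlier."""
import csv
import io

# Highest vulnerable 7.x build named in the bulletin; 7.0.9 and 8.x are fixed.
LAST_VULNERABLE = (7, 0, 8)


def parse_version(text):
    """Turn '7.0' or '7.0.8' into a 3-tuple so that '7.0' sorts below '7.0.8'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def assess(product, version):
    """Return (affected, action) for one install, following the bulletin's ranges."""
    name = product.lower()
    if "acrobat 3d" in name:
        # Listed as affected without a version range, so flag every build.
        return True, "update via Help > Check For Updates Now"
    ver = parse_version(version)
    if ver > LAST_VULNERABLE:
        return False, "not affected (7.0.9 or later, or 8.x)"
    if ver[0] == 6:
        # Bulletin: the 6.x update was still pending at release time.
        return True, "no 6.x fix yet; upgrade to Reader 8 / 7.0.9 or await the update"
    if "reader" in name:
        return True, "upgrade to Adobe Reader 8 or 7.0.9"
    return True, "run Help > Check For Updates Now (Acrobat 7.0.9)"


def scan_inventory(csv_text):
    """Return (host, product, version, action) for every affected inventory row."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue  # skip blank lines in the export
        host, product, version = row
        affected, action = assess(product, version)
        if affected:
            findings.append((host, product, version, action))
    return findings


# Constructed sample inventory (hostname,product,version); not from the bulletin.
SAMPLE_INVENTORY = """\
ws01,Adobe Reader,7.0.8
ws02,Adobe Reader,7.0.9
ws03,Adobe Acrobat Professional,7.0
ws04,Adobe Reader,8.0
ws05,Adobe Reader,6.0.4
ws06,Adobe Acrobat 3D,7.0.7
"""

if __name__ == "__main__":
    for finding in scan_inventory(SAMPLE_INVENTORY):
        print(" | ".join(finding))
```

Feed it the real inventory export in place of SAMPLE_INVENTORY; hosts reported by `scan_inventory` are the ones still exposed to the issues in this bulletin.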
Server-side workarounds for website operators
Adobe has provided workarounds for website operators to prevent the
cross-site scripting vulnerability (CVE-2007-0045) from the server
side. Please review Security Advisory APSA07-02 for more information.
Severity rating:
Adobe categorizes this as a critical issue and recommends affected
users update any affected software.
Details:
This Security Bulletin addresses several vulnerabilities, including
issues that have already been disclosed. It is recommended that users
update to the most current version of Adobe Reader or Acrobat available.
An update is available for a cross-site scripting (XSS) vulnerability
in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could
allow remote attackers to inject arbitrary JavaScript into a browser
session. This vulnerability, previously reported in APSA07-01 on
January 4, 2007, has been assigned an important severity rating. This
issue is specific to Windows and Linux operating systems. Exploitability
depends on the browser and browser version being used. This
vulnerability does not allow execution of binary code. This issue is
remotely exploitable. Adobe has provided workarounds for website
operators to prevent the cross-site scripting vulnerability from the
server side. (CVE-2007-0045)
Additional vulnerabilities have been identified in versions 7.0.8 and
earlier of Adobe Reader and Acrobat that could allow an attacker who
successfully exploits these vulnerabilities to take control of the
affected system. These vulnerabilities have been assigned a critical
severity rating. A malicious file must be loaded in Adobe Reader by
the end user for an attacker to exploit these vulnerabilities. These
issues are remotely exploitable. (CVE-2006-5857, CVE-2007-0046)
These updates include changes to prevent a denial of service issue
in Adobe Reader or Acrobat. (CVE-2007-0048)
Acknowledgments:
Adobe would like to thank Piotr Bania for reporting the vulnerability
described in CVE-2006-5857 and for working with us to help protect
our customers' security.
Adobe disclaimer
License agreement
By using software of Adobe Systems Incorporated or its subsidiaries
("Adobe"), you agree to the following terms and conditions. If you do not
agree with such terms and conditions, do not use the software. The terms
of an end user license agreement accompanying a particular software file
upon installation or download of the software shall supersede the terms
presented below.
The export and re-export of Adobe software products are controlled by the
United States Export Administration Regulations and such software may not
be exported or re-exported to Cuba, Iran, Iraq, Libya, North Korea, Sudan,
or Syria or any country to which the United States embargoes goods. In
addition, Adobe software may not be distributed to persons on the Table
of Denial Orders, the Entity List, or the List of Specially Designated
Nationals.
By downloading or using an Adobe software product you are certifying that
you are not a national of Cuba, Iran, Iraq, Libya, North Korea, Sudan, or
Syria or any country to which the United States embargoes goods and that
you are not a person on the Table of Denial Orders, the Entity List, or
the List of Specially Designated Nationals.
If the software is designed for use with an application software product
(the "Host Application") published by Adobe, Adobe grants you a
non-exclusive license to use such software with the Host Application only,
provided you possess a valid license from Adobe for the Host Application.
Except as set forth below, such software is licensed to you subject to the
terms and conditions of the End User License Agreement from Adobe governing
your use of the Host Application.
DISCLAIMER OF WARRANTIES: YOU AGREE THAT ADOBE HAS MADE NO EXPRESS
WARRANTIES TO YOU REGARDING THE SOFTWARE AND THAT THE SOFTWARE IS BEING
PROVIDED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. ADOBE DISCLAIMS ALL
WARRANTIES WITH REGARD TO THE SOFTWARE, EXPRESS OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
PURPOSE, MERCHANTABILITY, MERCHANTABLE QUALITY OR NONINFRINGEMENT OF THIRD
PARTY RIGHTS. Some states or jurisdictions do not allow the exclusion of
implied warranties, so the above limitations may not apply to you.
LIMIT OF LIABILITY: IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY LOSS
OF USE, INTERRUPTION OF BUSINESS, OR ANY DIRECT, INDIRECT, SPECIAL,
INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS)
REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT, TORT (INCLUDING
NEGLIGENCE), STRICT PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADOBE HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some states or jurisdictions
do not allow the exclusion or limitation of incidental or consequential
damages, so the above limitation or exclusion may not apply to you.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----