
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                Adobe Reader and Acrobat Malicious PDF Document
                            [Adobe Document 331709]

June 28, 2005 16:00 GMT                                           Number P-236
______________________________________________________________________________
PROBLEM:       A vulnerability within Adobe Reader and Adobe Acrobat makes it 
               possible to launch arbitrary executables. 
PLATFORM:      Mac OS (Adobe Reader 7.0 and 7.0.1, Adobe Acrobat 7.0 and 
               7.0.1) 
DAMAGE:        If malicious JavaScript is embedded in PDF files, it is 
               possible to launch arbitrary executables on a local machine. 
               However the impact is minimized due to the fact that the 
               applications can be executed only if the complete application 
               names and paths are known in advance by the attacker. 
SOLUTION:      Install the security patches. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. If exploited it may be possible to launch 
ASSESSMENT:    executables on an end-user system without the end user's 
               knowledge. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-236.shtml 
 ORIGINAL BULLETIN:  http://www.adobe.com/support/techdocs/331709.html 
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CAN-2005-1623 
______________________________________________________________________________
[***** Start Adobe Document 331709 *****]

Arbitrary application execution from a malicious PDF document (Mac OS)


Advisory Name: Arbitrary application execution from a malicious PDF document 


Release Date: June 27th, 2005 


Product: Adobe Reader 7.0 and 7.0.1, Adobe Acrobat 7.0 and 7.0.1 


Platform: Mac OS 


Vulnerability Identifier: CAN-2005-1623 


Overview: A vulnerability within Adobe Reader and Adobe Acrobat has been identified.
Under certain circumstances, it is possible to launch arbitrary executables. 


Adobe has solutions available that can rectify these issues. Please refer to the 
Recommendations section for further information. 


Effect: If exploited it may be possible to launch executables on an end-user 
system without the end user's knowledge. 


Details: The vulnerability is within Adobe Reader and Adobe Acrobat. If malicious 
JavaScript is embedded in PDF files, it is possible to launch arbitrary executables 
on a local machine. However the impact is minimized due to the fact that the applications 
can be executed only if the complete application names and paths are known in advance 
by the attacker. 


Recommendations: 

Download one of the following updates: 


-- If you use Adobe Reader 7.x, download the update to Adobe Reader 7.0.2 
from the Adobe website at www.adobe.com/support/downloads/ . 

-- If you use Adobe Acrobat 7.x, download the update to Adobe Acrobat 7.0.2 
from the Adobe website at www.adobe.com/support/downloads/ . 



Caveats: None 


Vulnerability Identifier Cross-Reference: CVE ID: CAN-2005-1623 


Acknowledgment: Adobe would like to thank Aandi Inston, for reporting the issue. 


Adobe Disclaimer 


License agreement 

By using software of Adobe Systems Incorporated or its subsidiaries ("Adobe"); 
you agree to the following terms and conditions. If you do not agree with such 
terms and conditions; do not use the software. The terms of an end user license 
agreement accompanying a particular software file upon installation or download 
of the software shall supersede the terms presented below. 


The export and re-export of Adobe software products are controlled by the United 
States Export Administration Regulations and such software may not be exported or 
re-exported to Cuba; Iran; Iraq; Libya; North Korea; Sudan; or Syria or any country 
to which the United States embargoes goods. In addition; Adobe software may not be 
distributed to persons on the Table of Denial Orders; the Entity List; or the List 
of Specially Designated Nationals. 


By downloading or using an Adobe software product you are certifying that you are 
not a national of Cuba; Iran; Iraq; Libya; North Korea; Sudan; or Syria or any country 
to which the United States embargoes goods and that you are not a person on the Table 
of Denial Orders; the Entity List; or the List of Specially Designated Nationals. 


If the software is designed for use with an application software product (the "Host 
Application") published by Adobe; Adobe grants you a non-exclusive license to use 
such software with the Host Application only; provided you possess a valid license 
from Adobe for the Host Application. Except as set forth below; such software is licensed 
to you subject to the terms and conditions of the End User License Agreement from 
Adobe governing your use of the Host Application. 


DISCLAIMER OF WARRANTIES: YOU AGREE THAT ADOBE HAS MADE NO EXPRESS WARRANTIES 
TO YOU REGARDING THE SOFTWARE AND THAT THE SOFTWARE IS BEING PROVIDED TO YOU "AS IS" 
WITHOUT WARRANTY OF ANY KIND. ADOBE DISCLAIMS ALL WARRANTIES WITH REGARD TO THE 
SOFTWARE; EXPRESS OR IMPLIED; INCLUDING; WITHOUT LIMITATION; ANY IMPLIED WARRANTIES 
OF FITNESS FOR A PARTICULAR PURPOSE; MERCHANTABILITY; MERCHANTABLE QUALITY OR 
NONINFRINGEMENT OF THIRD PARTY RIGHTS. Some states or jurisdictions do not allow 
the exclusion of implied warranties; so the above limitations may not apply to you. 


LIMIT OF LIABILITY: IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY LOSS OF USE; 
INTERRUPTION OF BUSINESS; OR ANY DIRECT; INDIRECT; SPECIAL; INCIDENTAL; OR CONSEQUENTIAL 
DAMAGES OF ANY KIND (INCLUDING LOST PROFITS) REGARDLESS OF THE FORM OF ACTION WHETHER 
IN CONTRACT; TORT (INCLUDING NEGLIGENCE); STRICT PRODUCT LIABILITY OR OTHERWISE; EVEN 
IF ADOBE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some states or jurisdictions 
do not allow the exclusion or limitation of incidental or consequential damages; so the 
above limitation or exclusion may not apply to you. 


[***** End Adobe Document 331709 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Adobe for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-226: Outlook Express Cumulative Update
P-227: Step-by-Step Interactive Training Vulnerability
P-228: ISA Server 2000 Cumulative Update
P-229: Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
P-230: Vulnerability in Telnet Client Could Allow Information Disclosure (896428)
P-231: Security Vulnerability in the lpadmin(1M) Utility
P-232:  VERITAS Security Updates
P-233: RealNetworks Security Update
P-234: RealPlayer SMIL File Vulnerability
P-235: FTPSERV.NLM Abend and Security fixes