You could be getting more than you bargained for when you download a PDF or receive one as an email attachment. PDFs can run scripts upon opening them and could potentially compromise your system.
Adobe Systems Inc. confirmed the existence of two new vulnerabilities in its Adobe Acrobat Reader application. The news was announced May 4 by Trustwave and other security agencies, which stated that Adobe expects to release patches by May 12, 2009. The vulnerabilities involve the JavaScript functions getAnnots() (CVE-2009-1492) and spell.customDictionaryOpen (CVE-2009-1493). According to Secunia.com, getAnnots() is a JavaScript API in Acrobat Reader and Acrobat that allows remote attackers to cause a denial of service through memory corruption, or to execute arbitrary code, via a PDF that contains an annotation. This is done through an OpenAction entry using JavaScript code that issues a series of calls with crafted integer arguments.
The spell.customDictionaryOpen method is also a JavaScript API; it affects Adobe Reader 8.x - 9.1, primarily on Linux systems. It allows remote attackers to cause a denial of service through memory corruption and, like getAnnots(), may allow arbitrary code to be executed via a PDF. Mac users don't have to be too concerned about customDictionaryOpen, as it is mainly something that comes up on Linux. The more troubling of the two is getAnnots().
These vulnerabilities cause Macintosh-based Acrobat Reader versions 9.x - 8.x and Acrobat 9.x - 8.x to crash and have the potential to allow a hacker to attack and take control of a vulnerable system. Simply disabling JavaScript will not resolve anything; it only disables the vulnerable JavaScript component but does not reduce system compromise. The United States Computer Emergency Readiness Team (US-CERT) has recommended the following precautions for those who have encountered, or have yet to encounter, these PDFs.
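The markers named above (an OpenAction entry, JavaScript, and the two API names) can be looked for in a file before it is ever opened in Reader. The following is an added example, not code from the article, Adobe or US-CERT: a heuristic Python triage that also undoes PDF name hex escapes and inflates compressed streams, since a plain text search misses both. The function names and the sample PDF are hypothetical and constructed for illustration.

```python
import re
import zlib

# Markers named in the article: the auto-run trigger, the JavaScript action
# keys, and the two API names (CVE-2009-1492, CVE-2009-1493).
NAME_MARKERS = (b"/OpenAction", b"/JavaScript", b"/JS")
API_MARKERS = (b"getAnnots", b"customDictionaryOpen")

def decode_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Inflate every zlib (FlateDecode) stream; other streams are skipped."""
    out = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data; its raw bytes are already searched
    return b"\n".join(out)

def triage(data: bytes) -> dict:
    """Count markers in the de-obfuscated file plus inflated stream contents."""
    haystack = decode_names(data) + b"\n" + inflate_streams(data)
    hits = {m.decode(): haystack.count(m) for m in NAME_MARKERS + API_MARKERS}
    # Flag only the combination the article describes: script that runs on
    # open and references one of the two affected API methods.
    hits["suspicious"] = bool(hits["/OpenAction"]
                              and any(hits[a.decode()] for a in API_MARKERS))
    return hits

def build_sample() -> bytes:
    """Constructed, harmless input: escaped /JavaScript name, compressed script."""
    script = zlib.compress(b"var a = this.getAnnots();")
    length = str(len(script)).encode()
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Filter /FlateDecode /Length " + length + b" >>\n"
            b"stream\n" + script + b"\nendstream endobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage(build_sample()))
```

A hit is a reason to quarantine the file for closer inspection, not proof of an exploit: getAnnots() is a documented API that legitimate forms also call, and scripts hidden behind other stream filters are not covered.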
Do not open unsolicited PDF files from untrusted or suspicious sources; switch your default PDF handler to Preview for the time being; and disable JavaScript in the Adobe Reader preferences to prevent hackers from exploiting system vulnerabilities. To do this:
(1) Launch Adobe Acrobat Reader
(2) Select Edit from the Menu Bar
(3) Select Preferences
(4) Select the Internet Tab
(5) Uncheck "Display PDF in Browser"
In addition, prevent your default browser (Internet Explorer, Firefox, Safari, etc.) from automatically opening PDF documents. The installer that loads Adobe Reader and Acrobat configures any one of your browsers to open a PDF file without any user interaction. To stop the browser from displaying PDF documents:
(1) Launch Adobe Acrobat Reader
(2) From the main Menu select Edit
(3) Select Preferences, then click on the Internet tab
(4) Uncheck the "Display PDF in browser" checkbox.
Not opening PDF documents in a web browser reduces the possibility of attack. The following workaround applied to the updated version of Adobe Reader should protect against future vulnerabilities.
If you have a PC, additional preventative measures are listed at the US-CERT site that further reduce your chances of attack. Currently Adobe recognizes this as a critical issue and recommends that you follow the above listed steps and exercise common sense when opening PDF files. Please visit the Adobe Product Security Incident Response Team blog for further updates on this issue.
Annotations Have the Last Word: Adobe Reader PDF Makes Mac OS Vulnerable
By: Carl Berkeley | 23/05/2009 | Computers