Posted by: paragon | May 13, 2009

Two New Zero Day Adobe Reader Exploits




Update: Two New Zero Day Adobe Reader Exploits

Adobe Releases Updates for Reader and Acrobat

Severity: High

12 May, 2009


On 28 April, 2009, we alerted LiveSecurity subscribers about two zero day vulnerabilities in Adobe Reader which attackers could exploit to execute code on your machine, potentially gaining complete control of it. When we first reported this issue, a greyhat security researcher had already released Proof-of-Concept (PoC) exploits that leveraged these flaws to the public. We promised to update our alert when Adobe released a patch for this issue. Today they did.

Adobe’s security bulletin announces the release of Reader 9.1.1, which fixes both security vulnerabilities (one of them only affects Reader on UNIX systems). They also announce updates for Acrobat, which also suffers from these vulnerabilities. Adobe’s bulletin does not describe the flaws in any technical detail. However, they do describe their impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted PDF document (.pdf), he can exploit these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. 

If you use Adobe Reader or Acrobat on any platform, we recommend you download and install Adobe’s updates as soon as you can. See below for details.

Solution Path:

Adobe has released Reader 9.1.1, Acrobat 8.1.5 and Acrobat, 7.1.2 to fix these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as you can:

Note: If you use Adobe Updater, it may automatically install the corresponding updates for you.

For All WatchGuard Users:

If you previously customized your Firebox’s proxy policies to temporarily block PDF documents (.pdf), you may want to remove those customizations after applying Adobe’s patch. This will allow your users to download legitimate PDF documents again.

For additional details about the vulnerability, and as a convenient reference, we reproduce our original 28 April alert below. You can also find it in the LiveSecurity Latest Broadcasts archive.


  • This vulnerability affects: Adobe Reader and Acrobat 9.1 and earlier, on Windows, Mac, *nix computers
  • How an attacker exploits it: By enticing your users into viewing a maliciously crafted PDF document
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: Implement the workarounds described in the Solutions section of this alert


Yesterday, SecurityFocus released an advisory describing a new zero day Adobe Reader exploit they found in the wild. The Proof of Concept (PoC) exploit —  written by some calling himself “Arr1val” — seems to leverage a flaw in the Adobe Reader function called “getAnnots()”. As it turns out, Arr1val released two new zero day exploits. The second exploit leverages another Adobe Reader function called “spell.customDictionaryOpen().” Arr1val’s code suggests he confirmed these flaws using Adobe Reader 9.1 and 8.1.4 for Linux. However, we suspect the flaws may affect all current versions of Reader running on any platform.

By enticing one of your users into downloading and opening a malicious PDF document, an attacker could exploit either of these unpatched Reader vulnerabilities to execute code on your user’s computer, with that user’s privileges. If the user had root or local administrator privileges, the attacker would gain complete control of that user’s machine.

Adobe has responded to this incident in a short blog post, saying they are investigating the issue. Since exploit code is widely available and Adobe hasn’t had time to patch yet, these flaws pose a serious risk to Adobe Reader users. We recommend you implement the workarounds described below to mitigate the risk of these dangerous zero day exploits.

Solution Path

Adobe has not had time to release a patch for these zero day vulnerabilities. However, the workarounds described below should mitigate the risk posed by the exploits currently circulating in the wild.

  • Inform your users of this vulnerability. Advise them to remain wary of unsolicited PDF documents arriving via email. If they don’t absolutely need the document, and don’t trust the entity it came from, they should avoid opening it until you patch Adobe Reader.
  • Use antivirus (AV) software and make sure it’s up to date. AV vendors will release signatures for these new exploits, so make sure to keep your AV software up to date.
  • Disable JavaScript in Adobe Reader. Disabling JavaScript in Adobe Reader could prevent these exploits from succeeding. To disable JavaScript in Adobe Reader, click Edit => Preferences => JavaScript and then uncheck Enable Acrobat JavaScript. Keep in mind, this prevents JavaScript from running in legitimate PDF documents as well.
  • Use a gateway device, like your Firebox, to block PDF files. If your users can’t download PDF files, these exploits won’t affect them. Unfortunately, doing this blocks legitimate PDF files as well. Nonetheless, depending on your business needs, you may still want to block PDF files until Adobe releases a patch.
  • Use an alternative PDF reader. You can mitigate the risk of these Adobe Reader vulnerabilities by using an alternative PDF reader. Keep in mind, other PDF readers may also suffer security vulnerabilities. However, attackers seem to primarily target the popular Adobe Reader. If it meets your business needs, you may try to adopt one of the alternative PDF readers listed on this site.

We will update this alert when Adobe releases a patch.

For All WatchGuard Users:

Many of WatchGuard’s Firebox models can block incoming PDF files. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if PDF files are not absolutely necessary to your business, you may consider blocking them using the Firebox’s HTTP and SMTP proxy until Adobe patches.

If you decide you want to block PDF documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .pdf files by their file extension:


We will update you when Adobe releases a patch. Until then, implement the workarounds described above.


This alert was researched and written by Corey Nachreiner, CISSP.

What did you think of this alert? Let us know at

More alerts and articles: log into the LiveSecurity Archive.


This e-mail was sent from an unattended mailbox. Please do not reply.

ABOUT Questiva/TailoredMail:
WatchGuard has contracted with Questiva/TailoredMail, an industry leading vendor of trusted email services, to send these emails and maintain a record of your preferences confidentially. Personal information about you is not sold or rented to Questiva/TailoredMail or to other companies. Both WatchGuard and Questiva/TailoredMail are fully committed to your privacy, as detailed in WatchGuard’s privacy policy.

TO UNSUBSCRIBE: You received this e-mail because you subscribed to the WatchGuard LiveSecurity Service, which advises about virus alerts, security best practices, new hacking exploits, and more. If you no longer wish to be advised of these things, please let us know.
On the Web: Unsubscribe (credentials required)
By E-mail: Unsubscribe

This email was sent to:

No express or implied warranties are provided for herein.  All specifications are subject to change and any expected future products, features or functionality will be provided on an if and when available basis.

Copyright 2009 WatchGuard Technologies, Incorporated. All Rights Reserved. WatchGuard, LiveSecurity and Firebox, and any other word listed as a trademark in the “Terms of Use” portion of the WatchGuard Web site that is used herein, are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other trademarks are the property of their respective owners. You may not modify, reproduce, republish, post, transmit, or distribute this content except as expressly permitted in writing by WatchGuard Technologies, Inc.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: