PDF Launch Action Method Arbitrary Code Execution Attempt
Date Discovered: 04/05/2010
Severity: High
Operating Systems Affected: All Supported OS
Application Affected:
Adobe Acrobat Reader 9.3.2 and Prior
Foxit Reader 3.2.0.0303 and Prior
Identifiers: CVE-2010-1240
Synopsis
The Launch Action method in a PDF document is susceptible to arbitrary code execution. Remote attackers can trick an unsuspecting user into executing malicious code.
iPolicy Networks Response
iPolicy Networks IPF provides detection for this vulnerability by the following signature:
Currently no patches are provided by the affected vendors. However, users are advised to:
1. Update IDS/IPS definitions.
2. Update Anti-Virus definitions.
3. Open PDF attachments in emails from trusted sources only.
Threat Analysis
Portable Document Format (PDF) is a file format created by Adobe Systems for document exchange. PDF is used for representing two-dimensional documents in a manner independent of the application software, hardware, and operating system.
Recently, arbitrary code execution attempts were observed in the wild, in which an unsuspecting user is tricked into executing malicious content through social engineering attacks.
Adobe Reader does not restrict the contents of the text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document.
Foxit Reader does not even prompt the user with a warning and executes the arbitrary code.
This security threat is also exploited by well-known malware such as ZeuS and ZBOT.
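A triage check for the Launch action described above, as an added example that is not iPolicy's signature or code from this advisory. The function names and sample fragments are constructed for illustration; the /S /Launch, /F and /Win keys and the #xx name escaping are assumed from the PDF specification.

```python
import re

# A PDF name is "/" followed by regular characters; any byte may be written
# as #xx (hex), so "/L#61unch" and "/Launch" are the same name.
NAME = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# File specification given as a literal string: /F (target)
TARGET = re.compile(rb"/F\s*\(((?:\\.|[^\\()])*)\)", re.S)

def decode_name(raw):
    """Undo #xx escapes so obfuscated spellings compare equal."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def find_launch_actions(data, window=512):
    """Return one finding per /Launch name in uncompressed PDF bytes.

    Limitations: objects inside compressed streams are not inspected, and a
    target written as a dictionary or hex string is reported as None.
    """
    findings = []
    for m in NAME.finditer(data):
        if decode_name(m.group(1)) != b"Launch":
            continue
        nearby = data[m.end():m.end() + window]
        target = TARGET.search(nearby)
        findings.append({
            "offset": m.start(),
            "obfuscated": b"#" in m.group(1),
            "target": target.group(1).decode("latin-1") if target else None,
        })
    return findings

# Constructed sample fragments (not taken from any real document).
SAMPLES = {
    "plain": b"1 0 obj\n<< /Type /Action /S /Launch /F (example.exe) >>\nendobj\n",
    "escaped": b"2 0 obj\n<< /S /L#61unch /Win << /F (example.exe) >> >>\nendobj\n",
    "benign": b"3 0 obj\n<< /Type /Action /S /URI /URI (http://example.com/) >>\nendobj\n",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, find_launch_actions(blob))
```

A hit is a reason to quarantine the attachment for review, not proof of malice, since a legitimate document can also carry a Launch action.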