Bardissi Enterprises Blog

Bardissi Enterprises has been serving the Hatfield area since 2000, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Adobe Reader and Acrobat Allow Attacks via PDFs

Severity: Medium

22 October, 2007

Summary:

Yesterday, Adobe released an update to fix critical security vulnerabilities that affect Adobe Reader 8.1 and Adobe Acrobat 8.1 (and all earlier versions) running on Windows XP. By enticing one of your users into opening a specially crafted PDF file, an attacker can exploit the worst of these flaws to gain control of that user’s system. If you use Adobe Reader or Acrobat in your network, you should download, test, and deploy version 8.1.1 as soon as possible.

Exposure:

In a security bulletin released yesterday, Adobe warned of several critical vulnerabilities in Reader 8.1 and Acrobat 8.1 (and all earlier versions) for Windows XP. While their advisory repeatedly mentions multiple vulnerabilities, they specifically refer to only one issue, which they describe in little detail. Adobe only says that if an attacker can entice a Windows XP user who also has Internet Explorer (IE) 7 into opening a specially crafted PDF file, the attacker can exploit this unspecified flaw to gain control of that user’s computer. Since you can embed PDF files into Web pages, simply visiting the wrong web page might trigger this flaw.

Petko D. Petkov (aka pdp) of GNUCITIZEN.org first discovered this flaw last September. Following the tenets of responsible disclosure, he did not release any details about this flaw, instead waiting for Adobe to release a patch. However, he also promised to release Proof-of-Concept (PoC) code that demonstrates this flaw in action as soon as Adobe released their update. So expect to see exploits for this vulnerability shortly. Adobe users should upgrade as soon as possible.

Solution Path:

Adobe Reader 8.1.1 and Acrobat 8.1.1 fix these vulnerabilities. Windows XP administrators should download, test, and deploy these updates as soon as possible.

For All WatchGuard Users:

Although many of WatchGuard’s Firebox models can block incoming PDF files, most administrators prefer to allow these file types for business purposes. You should download and install Adobe Reader 8.1.1 instead.

However, if you still want to block .PDF files, follow the links below for instructions:

  • Vclass
    • SMTP Proxy. You’ll have to create or adjust a custom proxy action based on SMTP-Incoming in order to strip .PDF files. If you have created your own Proxy Action based on SMTP-Incoming, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Content Checking tab, change “Category” to Attachment Filename and click either the Add to Top or Insert After button (only one or the other will display). Next, type “PDF_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.PDF” and select Strip as the Action. Now you can apply this new Proxy Action to your SMTP rule to ensure your Firebox blocks .PDF files.
    • HTTP Proxy. You’ll have to create or adjust a custom proxy action based on HTTP-Outgoing in order to strip .PDF files. If you have created your own Proxy Action based on HTTP-Outgoing, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Request General tab, change “Category” to URL Paths and click on Add. Next, type “PDF_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.PDF” and select Strip as the Action. Now you can apply this new Proxy Action to your HTTP rule to ensure your Firebox blocks .PDF files.
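The attachment-filename rule above, reproduced off-box as an added Python example (not WatchGuard code and not part of the original post): it strips attachments whose name matches `*.PDF` and also checks each attachment's leading bytes for the `%PDF-` header, because a filename rule only sees the name the sender supplied. The function names and the sample message are constructed for illustration, and the case-insensitive match is an assumption, not documented Firebox behaviour.

```python
import fnmatch
from email import message_from_bytes, policy
from email.message import EmailMessage

PATTERN = "*.PDF"      # pattern from the proxy rule described above
PDF_MAGIC = b"%PDF-"   # header that opens a PDF file

def pdf_reason(part):
    """Say why a MIME leaf part counts as a PDF, or return None."""
    name = part.get_filename() or ""
    # Assumption: match case-insensitively, so invoice.pdf also matches.
    if fnmatch.fnmatchcase(name.upper(), PATTERN):
        return "filename"
    body = part.get_payload(decode=True) or b""
    # Adobe's readers accept the header anywhere in the first 1024 bytes.
    if PDF_MAGIC in body[:1024]:
        return "content"
    return None

def _strip(container, stripped):
    kept = []
    for part in container.get_payload():
        if part.is_multipart():
            _strip(part, stripped)      # recurse into nested multiparts
        elif (reason := pdf_reason(part)):
            stripped.append((part.get_filename(), reason))
            continue                    # drop this attachment
        kept.append(part)
    container.set_payload(kept)

def strip_pdfs(raw):
    """Return (cleaned message bytes, [(filename, reason), ...])."""
    msg = message_from_bytes(raw, policy=policy.default)
    stripped = []
    if msg.is_multipart():
        _strip(msg, stripped)
    return msg.as_bytes(), stripped

def sample_message():
    """Constructed test e-mail: two PDFs (one misnamed) and a text file."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    pdf = b"%PDF-1.4\n% constructed placeholder, not a real document\n"
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(pdf, maintype="application", subtype="octet-stream", filename="notes.dat")
    msg.add_attachment(b"plain text", maintype="application", subtype="octet-stream", filename="readme.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(strip_pdfs(sample_message())[1])
```

The `reason` field shows which attachments the filename pattern alone would have caught and which were found only by the content check.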

Status:

Adobe released Adobe Reader 8.1.1 and Acrobat 8.1.1 to correct these issues.
