Internet Security Systems - AlertCon(TM)

Adobe Vulnerabilities

Posted by Mark Dowd on June 12, 2009 at 7:40 PM EDT.

Last Tuesday, Adobe released a patch addressing multiple security flaws for various components of their premier Adobe Reader product. Of these vulnerabilities, 6 of them were discovered by myself. I thought it was worth mentioning this advisory on the blog.

The vulnerabilities I uncovered were all within the JBIG2 filter of Adobe Reader. Essentially, JBIG2 is a JPEG-related encoding scheme that can be optionally used for encoding monochrome image objects within a PDF stream. After reviewing the specifications of JBIG2 streams, it was apparent to me that a JBIG2 parser could be quite easily susceptible to memory corruption-style vulnerabilities if not coded quite carefully - primarily because of the excessive manipulation of inter-related size parameters.
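As an added illustration (not code from the original post or from Adobe Reader), the following C sketch shows the kind of cross-checking of inter-related size fields a JBIG2 parser needs before allocating a bitmap. It assumes the 17-byte region segment information field layout of ITU-T T.88; the function names, the 64 MiB cap and the rule that a region must lie inside a page of known size are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Region segment information field: four big-endian 32-bit values
 * (width, height, x, y) followed by one flags byte. */
#define REGION_INFO_LEN 17u
#define MAX_BITMAP_BYTES (64u * 1024u * 1024u) /* assumed policy limit */

typedef struct { uint32_t width, height, x, y; } region_info;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: returns 0 and fills *out and *bitmap_bytes only when
 * every size relation holds, -1 otherwise. page_w and page_h are the page
 * dimensions already read from the page information segment. */
int parse_region_info(const uint8_t *buf, size_t len,
                      uint32_t page_w, uint32_t page_h,
                      region_info *out, size_t *bitmap_bytes) {
    if (buf == NULL || len < REGION_INFO_LEN)
        return -1; /* truncated field */
    region_info r = { be32(buf), be32(buf + 4), be32(buf + 8), be32(buf + 12) };
    if (r.width == 0 || r.height == 0)
        return -1;
    /* Containment is tested with subtractions, so x + width and
     * y + height are never formed and cannot wrap at 32 bits. */
    if (r.x > page_w || r.width > page_w - r.x)
        return -1;
    if (r.y > page_h || r.height > page_h - r.y)
        return -1;
    /* One bit per pixel: byte stride and total size computed in 64 bits. */
    uint64_t stride = ((uint64_t)r.width + 7u) / 8u;
    uint64_t total = stride * (uint64_t)r.height;
    if (total > MAX_BITMAP_BYTES)
        return -1;
    *out = r;
    *bitmap_bytes = (size_t)total;
    return 0;
}

int main(void) {
    /* Constructed sample: width 0xFFFFFFF0 at x 0x20 would wrap if summed. */
    const uint8_t bad[REGION_INFO_LEN] = {0xFF, 0xFF, 0xFF, 0xF0, 0, 0, 0, 1,
                                          0, 0, 0, 0x20, 0, 0, 0, 0, 0};
    region_info r; size_t n;
    return parse_region_info(bad, sizeof bad, 200, 100, &r, &n) == -1 ? 0 : 1;
}
```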

Vulnerabilities such as these highlight why it's important to stay up-to-date with patching in your applications. In fact, earlier this year a vulnerability in the same JBIG2 component was discovered in the wild. The vulnerability was being exploited to install a backdoor on vulnerable installations of Adobe Reader, which was all of them at the time, since the bug had not been reported to the vendor. Therefore, by performing analysis such as this, we intend to help minimize the risk of such malware outbreaks in the future by finding and reporting bugs before they are exploited in the wild.
