Secunia

Multiple vulnerabilities have been reported in Adobe Reader/Acrobat, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to compromise a user's system.

1) A boundary error exists when parsing format strings containing a floating point specifier in the "util.printf()" Javascript function. This can be exploited to cause a stack-based buffer overflow via a specially crafted PDF and allows execution of arbitrary code.

2) An out-of-bounds array indexing error when parsing embedded Type 1 fonts can be exploited to corrupt memory and may allow execution of arbitrary code.

3) An error in an AcroJS function used to perform HTTP authentication can be exploited to corrupt memory via an overly long string passed to the function. This may allow execution of arbitrary code.

4) An error when creating a Collab object and performing a specific sequence of actions on it can be exploited to corrupt memory. This may allow execution of arbitrary code.

5) An unspecified error when parsing malformed PDF objects can be exploited to corrupt memory, which may allow execution of arbitrary code.

6) An input validation error in the Download Manager used by Adobe Reader may allow code execution during the download process.

The vulnerability is related to:
SA32546

7) An error in the Download Manager used by Adobe Reader may result in a user’s Internet Security options being changed during the download process.

8) An input validation error in a JavaScript method may allow code execution.

9) An unspecified privilege escalation vulnerability exists in the version for UNIX/Linux.

The vulnerabilities are reported in version 8.1.2 and prior.

Solution
Update to version 7.1.1 and 8.1.3 or upgrade to version 9.

Provided and/or discovered by
1) Independently discovered by:
* Dyon Balding, Secunia Research.
* Peter Vreugdenhil via ZDI.

2) Greg MacManus, iDefense Labs.
3) Reported by an anonymous person via iDefense.

4) Peter Vregdenhil via ZDI.
5) Javier Vicente Vallejo via ZDI.

6) Peter Vregdenhil via iDefense.
7) Reported by the vendor.
8) The vendor credits Thomas Garnier, SkyRecon Systems.
9) The vendor credits Josh Bressers, Red Hat.

Changelog
Further details available in Customer Area

Original Advisory
Secunia Research:
http://secunia.com/secunia_research/2008-14/

Adobe:
http://www.adobe.com/support/security/bulletins/apsb08-19.html
http://www.adobe.com/support/security/bulletins/apsb09-04.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-072/
http://www.zerodayinitiative.com/advisories/ZDI-08-073/
http://www.zerodayinitiative.com/advisories/ZDI-08-074/

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=754
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=755
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=756

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area