Adobe Acrobat And Reader AcroJS Heap Corruption Vulnerability
9 Nov. 2008
Adobe Reader is "a program for viewing Portable Document Format (PDF) documents". Remote exploitation of a heap corruption vulnerability in Adobe Systems Inc.'s Acrobat Professional and Reader could allow an attacker to execute arbitrary code with the privileges of the current user.
* Acrobat Professional version 8.1.2
*Adobe Reader version 8.1.2
The vulnerable code is an AcroJS function available to scripting code inside of a PDF document. This function is used for HTTP authentication. By passing a long string to this function, it is possible to corrupt heap memory in such a way that may lead to the execution of arbitrary code.
Exploitation of this vulnerability would allow an attacker to execute arbitrary code with the privileges of the current user. In order to exploit this vulnerability, an attacker would have to convince the target to open a maliciously constructed file, or to visit a website with an embedded PDF. If the user has the Adobe Reader Browser plugin enabled, the PDF file will render inside of the browser.