Adobe Reader and The Unspecified Vulnerability

By Alin Rad Pop

Adobe Reader has been recently updated to version 9.3.1, fixing a vulnerability for which no details were provided. Quoting the vendor: "In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system."

At the start of our analysis of the fixes, AcroForm.api was determined to be modified by the update, the module being used by Adobe Reader when handling actions associated with PDF forms. After having a look at the changed code, it became very clear that the interesting changes were made to an included version of the open source libtiff library. The library was further determined to be used by Adobe Reader for rendering TIFF images inserted into image form fields.

While the version string was omitted from the included library, source code changes between minor versions point to 3.8.1. Surprisingly enough, libtiff 3.8.1 originates from 2006 and contains a reasonable amount of vulnerabilities, including the ones described in: SA21304.

Soon after the finding, a TIFF file exploiting the stack-based buffer overflow registered under CVE-2006-3459 was internally developed and confirmed to allow code execution in Adobe Reader version 9.3.0.

It's currently not known for a fact if CVE-2010-0188 was assigned by Adobe for the TIFF vulnerabilities or whether they were silently fixed. However, it's funny how an analysis targeted towards one unspecified vulnerability ended up revealing multiple documented vulnerabilities originating from 2006 and, furthermore, all related to a file format currently under Adobe's control.

Stay Secure,

Alin Rad Pop,
Senior Security Specialist