
CIAC INFORMATION BULLETIN

S-030: Adobe Security Update

[APSB07-18]

October 26, 2007 15:00 GMT

PROBLEM: Critical vulnerabilities have been identified in Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.
PLATFORM: Adobe Reader
  8.1 and earlier
  7.0.9 and earlier
Adobe Acrobat
  Professional, 3D, Standard 8.1 and earlier versions
  Professional, Standard, 3D, and Elements 7.0.9 and earlier
DAMAGE: Could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.
SOLUTION: Upgrade to the appropriate version.

VULNERABILITY
ASSESSMENT:
The risk is MEDIUM. A successful exploit could allow an attacker to take control of the affected system. Exploitation requires the user to open a malicious file in Adobe Reader or Acrobat on Windows XP or Windows 2003 with Internet Explorer 7 installed.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/s-030.shtml
  ORIGINAL BULLETIN: http://www.adobe.com/support/security/bulletins/apsb07-18.html
  CVE: CVE-2007-5020

[***** Start APSB07-18 *****]

Security bulletin

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

Release date: October 22, 2007

Vulnerability identifier: APSB07-18

CVE number: CVE-2007-5020

Platform: Windows XP or Windows 2003 (Vista users are not affected) with Internet Explorer 7 installed

Affected software versions: Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier
Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier

Summary

Critical vulnerabilities have been identified in Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. This issue only affects customers on Windows XP or Windows 2003 with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities. It is recommended that affected users update to Adobe Reader 8.1.1 or Acrobat 8.1.1. This is an update to resolve the issue previously reported in Security Advisory APSA07-04.

Solution

Adobe strongly recommends upgrading to Adobe Reader 8.1.1 or Acrobat 8.1.1. Users can use the product's automatic update facility: the default installation configuration runs automatic updates on a regular schedule, and a check can be started manually by choosing Help > Check For Updates Now.

Alternatively, the Adobe Reader 8.1.1 update files can be manually downloaded and installed from:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
The Acrobat 8.1.1 update files can be downloaded and installed from:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Microsoft may also provide an update for the underlying Windows URI-handling issue at a later date. Refer to Microsoft Security Advisory 943521 for more information.

Adobe will provide an update for Adobe Reader 7.0.9 and Acrobat 7.0.9 at a later date. For customers who cannot upgrade to Adobe Reader 8.1.1 or Acrobat 8.1.1, administrators can disable the mailto: scheme in Acrobat, Acrobat 3D and Adobe Reader by modifying the application options in the Windows registry. The same registry changes can be pushed to Windows systems as part of a network deployment.

Disclaimer: This procedure involves editing the registry. Adobe doesn't provide support for editing the registry, which contains critical system and application information. Make sure to back up the registry before modifying it. For more information about the registry, refer to Windows Help.

  1. Exit Adobe Reader or Acrobat.
  2. Open RegEdit. On Windows, go to Start > Run, type in regedit and click OK.
  3. Choose File > Export.
  4. Select Local Disk C for the Save in: location.
  5. Type backup for File Name.
  6. Choose All for the Export Range.
  7. Click Save.
  8. Navigate to the appropriate registry key:

    NOTE: For Adobe Reader and Acrobat 7.0.9 the value is stored as binary data, so Regedit opens an Edit Binary Value window. Edit the text shown in the right-hand (character) panel of that window, not the hex bytes on the left, so that the values below are entered exactly.

    Acrobat:
    HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe Acrobat\7.0\FeatureLockDown\cDefaultLaunchURLPerms

    Reader:
    HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\7.0\FeatureLockDown\cDefaultLaunchURLPerms
  9. Confirm that tSchemePerms currently holds the default value:
    version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:2
  10. To disable mailto (recommended), modify tSchemePerms by setting the mailto: value to 3:
    version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2
  11. To set mailto to prompt instead, modify tSchemePerms by removing the mailto: entry:
    version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|file:2
  12. Close RegEdit.
  13. Restart the application.
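The registry workaround above, as an added PowerShell example that is not part of the Adobe or CIAC bulletin. It applies the same tSchemePerms edit to both 7.0 keys the bulletin names, either setting mailto to 3 (step 10) or removing the mailto entry so the application prompts (step 11), and can also just display the current value (step 9). The script name, its -Mode parameter, and the assumption that the 7.0.9 value is REG_BINARY holding NUL-terminated ASCII (which is what Regedit's Edit Binary Value window implies) are mine, not Adobe's; a REG_SZ value is handled as well. Exit Reader or Acrobat and take the registry backup from steps 3 to 7 before running it as an administrator.

```powershell
# Added example, not part of APSB07-18: script the "disable mailto" / "prompt
# for mailto" workaround instead of hand-editing tSchemePerms in Regedit.
# Assumptions (mine, not Adobe's): run as an administrator; the value is either
# REG_BINARY holding NUL-terminated ASCII (what Regedit's "Edit Binary Value"
# window implies for 7.0.9) or REG_SZ; only the two 7.0 keys named in the
# bulletin are touched. Take the registry backup from steps 3-7 first.
param(
    [ValidateSet('Disable', 'Prompt', 'Show')]
    [string]$Mode = 'Disable'   # Disable = mailto:3 (recommended); Prompt = remove mailto
)

$Keys = @(
    'HKLM:\SOFTWARE\Adobe\Adobe Acrobat\7.0\FeatureLockDown\cDefaultLaunchURLPerms',
    'HKLM:\SOFTWARE\Adobe\Acrobat Reader\7.0\FeatureLockDown\cDefaultLaunchURLPerms'
)

# tSchemePerms is a '|'-separated list of scheme:level pairs, e.g.
# "version:1|shell:3|...|acrobat:2|mailto:2|file:2". Rewrite one scheme's
# level in place, or drop the entry when -Level is empty (the bulletin's
# "prompt" setting). Other schemes keep their position and value.
function Set-SchemePerm {
    param([string]$Perms, [string]$Scheme, [string]$Level)
    $seen = $false
    $out = @(foreach ($entry in $Perms.Split('|')) {
        if ($entry -eq '') { continue }
        $name = ($entry -split ':', 2)[0]
        if ($name -ne $Scheme) { $entry; continue }   # leave other schemes untouched
        $seen = $true
        if ($Level) { "${Scheme}:${Level}" }           # new level; empty $Level drops it
    })
    if ($Level -and -not $seen) { $out += "${Scheme}:${Level}" }  # scheme absent: append
    return ($out -join '|')
}

foreach ($key in $Keys) {
    if (-not (Test-Path $key)) { Write-Output "$key : not present, skipped"; continue }
    $prop = Get-ItemProperty -Path $key -Name tSchemePerms -ErrorAction SilentlyContinue
    if (-not $prop) { Write-Output "$key : no tSchemePerms value, skipped"; continue }

    $raw      = $prop.tSchemePerms
    $isBinary = $raw -is [byte[]]
    # REG_BINARY carries the same text as bytes; strip the trailing NUL before parsing.
    if ($isBinary) { $text = [Text.Encoding]::ASCII.GetString($raw).TrimEnd([char]0) }
    else           { $text = [string]$raw }

    if ($Mode -eq 'Show') { Write-Output "$key`n  current: $text"; continue }

    $level = if ($Mode -eq 'Disable') { '3' } else { '' }
    $new   = Set-SchemePerm -Perms $text -Scheme 'mailto' -Level $level

    # Write the value back in the type it was found in so the application
    # keeps reading it; the binary form is re-terminated with a NUL byte.
    if ($isBinary) {
        Set-ItemProperty -Path $key -Name tSchemePerms -Type Binary `
            -Value ([Text.Encoding]::ASCII.GetBytes($new + [char]0))
    } else {
        Set-ItemProperty -Path $key -Name tSchemePerms -Type String -Value $new
    }
    Write-Output "$key`n  before: $text`n  after:  $new"
}
```

Saved under a name of your choosing (say Set-MailtoPerm.ps1), `-Mode Show` prints the current value for the check in step 9, `-Mode Disable` performs step 10, and `-Mode Prompt` performs step 11. Because it only touches HKEY_LOCAL_MACHINE values, the same script can be run as a machine startup script for the network deployments the bulletin mentions; restart Reader or Acrobat afterwards as in step 13.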

Severity rating

Adobe categorizes this as a critical issue and recommends that affected users update their product installations.

Details:

This Security Bulletin addresses the issue previously reported in Security Advisory APSA07-04. Critical vulnerabilities have been identified in Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. This issue only affects customers on Windows XP or Windows 2003 with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities. This issue is remotely exploitable.

It is recommended that affected users update to Adobe Reader 8.1.1 or Acrobat 8.1.1. Adobe will be providing an update to Adobe Reader 7.0.9 and Acrobat 7.0.9 at a later date. Adobe Reader 6.X and Acrobat 6.X are not vulnerable to this issue.

Acknowledgments

Adobe would like to thank pdp of gnucitizen.org for reporting this vulnerability and for working with Adobe to help protect our customers' security.


[***** End APSB07-18 *****]


CIAC wishes to acknowledge the contributions of Adobe for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/