Software Engineering Institute

Adobe Reader is software designed to view Portable Document Format (PDF) files. Adobe Acrobat is software that can create PDF files. Adobe Reader and Acrobat support JavaScript in PDF documents. According to the Acrobat Forms JavaScript Object Specification, the util.printf() function "... will format one or more values as a string according to a format string. This is similar to the C function of the same name."

Adobe Reader and Acrobat fail to sufficiently validate input to the util.printf() JavaScript function, which can result in a stack buffer overflow. Exploit code for this vulnerability is publicly available.

By convincing a user to open a specially-crafted PDF file, a remote, unauthenticated attacker may be able to execute arbitrary code. This can happen in several ways, such as opening an email attachment or viewing a web page.

Apply an update
This issue is addressed in Adobe Reader and Adobe Acrobat 8.1.3. More details are available in Adobe Security Bulletin APSB08-019. Please also consider the following workarounds to help mitigate this and other vulnerabilities in Adobe Reader:

Disable the displaying of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser may mitigate this vulnerability. If this workaround is applied to updated versions of the Adobe reader, it may mitigate future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser:

1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.