search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Adobe Acrobat contains a remotely exploitable buffer overflow

Vulnerability Note VU#896220

Original Release Date: 2005-08-16 | Last Revised: 2005-09-08

Overview

A buffer overflow in Adobe Acrobat/Acrobat Reader may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition

Description

Adobe Acrobat is a suite of applications that allow users to manipulate PDF (Portable Document Format) files. A buffer within a core plug-in for Adobe Acrobat and Acrobat Reader can be overwritten using a specially-crafted PDF document.

For more information refer to Adobe Security Advisory 321644.

Impact

If a remote attacker can persuade a user to access a specially crafted PDF file, that attacker may be able to execute arbitrary code or crash the Adobe Acrobat/Acrobat Reader process.

Solution

Upgrade to unaffected version
Upgrade to unaffected versions of Adobe Acrobat and Acrobat Reader. For a list of unaffected versions please see Adobe Security Advisory 321644.

Do not accept PDF files from untrusted sources

Exploitation occurs by accessing a specially crafted PDF file. By only accessing PDF files from trusted or known sources, the chances of exploitation are reduced.

Vendor Information

896220
 
Expand all

Adobe Affected

Notified:  August 12, 2005 Updated: August 16, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please refer to http://www.adobe.com/support/techdocs/321644.html

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Software, Inc. Affected

Updated:  September 08, 2005

Status

Affected

Vendor Statement

Updated Adobe Acrobat Reader packages for Red Hat Enterprise Linux Extras (version 3 and version 4) to correct this issue are available at the URL below and by using the Red Hat Network 'up2date' tool.


http://rhn.redhat.com/errata/RHSA-2005-750.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://www.adobe.com/support/techdocs/321644.html

Acknowledgements

This vulnerability was reported by Adobe Systems.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2005-2470
Severity Metric: 12.91
Date Public: 2005-08-16
Date First Published: 2005-08-16
Date Last Updated: 2005-09-08 20:26 UTC
Document Revision: 38

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis