Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:
This signature detects a file with corrupt embedded JBIG2 data that could cause a buffer overflow in vulnerable versions of Adobe Acrobat and Adobe Reader, possibly leading to remote execution of code specified by an attacker.
High
Proventia Desktop: 2370, Proventia Network IPS: XPU 29.030, RealSecure Server Sensor: XPU 29.030, RealSecure Network: XPU 29.030, Proventia-G 1.1 and earlier: XPU 29.030, Proventia Network MFS: XPU 29.030, Proventia Network IDS: XPU 29.030, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.2370, IBM Security Server Protection for Windows: 2.0.300.2370, Virtual Server Protection for VMware: 1.0, Proventia Server IPS for Linux technology: 29.030
Novell Linux Desktop: 9, Adobe Acrobat Reader: 7.0, Adobe Acrobat Reader: 7.0.1, Adobe Acrobat Reader: 7.0.2, RedHat RHEL Extras: 3, RedHat RHEL Extras: 4, Adobe Acrobat Reader: 8.0, RedHat RHEL Desktop Supplementary: 5 Client, RedHat RHEL Supplementary: 5 Server, Adobe Acrobat Reader: 8.1.2, Adobe Acrobat Reader: 7.0.3, Adobe Acrobat Reader: 7.0.4, Adobe Acrobat Reader: 7.0.5, Adobe Acrobat Reader: 7.0.6, Adobe Acrobat Reader: 7.0.7, Adobe Acrobat Reader: 7.0.8, Adobe Acrobat Reader: 7.0.9, Adobe Acrobat Reader: 8.1, Novell OpenSUSE: 10.3, Adobe Acrobat Reader: 8.1.1, Adobe Acrobat: 7.0 Standard, Adobe Acrobat: 7.0 Professional, Adobe Acrobat: 7.0.1 Standard, Adobe Acrobat: 7.0.1 Professional, Adobe Acrobat: 7.0.2 Standard, Adobe Acrobat: 7.0.2 Professional, Adobe Acrobat: 7.0.3 Standard, Adobe Acrobat: 7.0.3 Professional, Adobe Acrobat: 7.0.4 Standard, Adobe Acrobat: 7.0.4 Professional, Adobe Acrobat: 7.0.5 Standard, Adobe Acrobat: 7.0.5 Professional, Adobe Acrobat: 7.0.6 Standard, Adobe Acrobat: 7.0.6 Professional, Adobe Acrobat: 7.0.7 Standard, Adobe Acrobat: 7.0.7 Professional, Adobe Acrobat: 7.0.8 Standard, Adobe Acrobat: 7.0.8 Professional, Adobe Acrobat: 7.0.9 Standard, Adobe Acrobat: 7.0.9 Professional, Novell OpenSUSE: 11.0, Adobe Acrobat: 8.0 Standard, Adobe Acrobat: 8.1 Standard, Adobe Acrobat: 8.1.1 Standard, Adobe Acrobat: 8.1.2 Standard, Adobe Acrobat: 8.0 Professional, Adobe Acrobat: 8.1 Professional, Adobe Acrobat: 8.1.1 Professional, Adobe Acrobat: 8.1.2 Professional, Novell SUSE Linux Enterprise Desktop: 10 SP2, RedHat RHEL Supplementary: 5.3.z EUS, Adobe Acrobat: 9.0 Professional, Adobe Acrobat: 9.0 Professional Extended, Adobe Acrobat Reader: 9.0, Adobe Acrobat: 9.0 Standard, RedHat Red Hat Enterprise Linux: 4.7.z Extras, Turbolinux Client: 2008
Unauthorized Access Attempt
Adobe Acrobat and Reader are vulnerable to a buffer overflow, caused by improper bounds checking when parsing a malformed JBIG2 image stream embedded within a PDF document. By persuading a victim to open a malicious PDF file, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim or cause the application to crash.
Refer to APSB09-03 for patch, upgrade or suggested workaround information. See References.
For other distributions:
Apply the appropriate update for your system. See References.
APSA09-01
Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and Acrobat
http://www.adobe.com/support/security/advisories/apsa09-01.html
Shadowserver Foundation Blog, February 19, 2009, at 03:03 PM
When PDFs Attack - Acrobat [Reader] 0-Day On the Loose
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
IBM Internet Security Systems Protection Alert - Feb. 20, 2009
Adobe Reader and Adobe Acrobat JBIG2 Image Stream Remote Code Execution
http://www.iss.net/threats/319.html
US-CERT Technical Cyber Security Alert TA09-051A
Adobe Acrobat and Reader Vulnerability
http://www.us-cert.gov/cas/techalerts/TA09-051A.html
APSB09-03
Security Updates available for Adobe Reader 9 and Acrobat 9
http://www.adobe.com/support/security/bulletins/apsb09-03.html
NORTEL BULLETIN ID: 2009009391, Rev 1
Nortel Response to Adobe APSA09-01 - Buffer overflow issue in v9.0 and earlier of Adobe Reader and Acrobat:
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=844248&poid=
ISS X-Force
Adobe Acrobat and Reader JBIG2 image stream buffer overflow
http://www.iss.net/security_center/static/48825.php
CVE
CVE-2009-0658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0658