ID: 3418
Date: 08 October 2007 21:21
Title: 3418 - Vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat
Abstract: Description of a workaround to resolve an Adobe critical product vulnerability
Vendors affected:Adobe
Applications affected:Adobe Reader and Acrobat
Advisory type: Information
Availability of fix: Available
Type of fix: Work around
Source: Adobe
Reliability of source: Trusted
Source URL: http://www.adobe.com/support/security/advisories/apsa07-04.html
Security advisory
Workaround available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat
Release date: October 5, 2007
Vulnerability identifier: APSA07-04
CVE number: CVE-2007-5020
Platform: Windows XP (Vista users are not affected) with Internet Explorer 7 installed
Affected Software VersionsAdobe Reader 8.1 and earlier versions
Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions
Adobe Acrobat 3D
Summary
Adobe is aware of a recently published report of a critical security vulnerability in Adobe Reader and Acrobat.
Solution
To protect Windows XP systems with Internet Explorer 7 installed from this vulnerability, administrators can disable the mailto: option in Acrobat, Acrobat 3D 8 and Adobe Reader by modifying the application options in the Windows registry. Additionally, these changes can be added to network deployments to Windows systems.
Disclaimer: This procedure involves editing the registry. Adobe doesn't provide support for editing the registry, which contains critical system and application information. Make sure to back up the registry before modifying it. For more information about the registry, refer to Windows Help.
Exit Adobe Reader or Acrobat.
Open RegEdit.
On Windows XP, go to Start > Run, type in regedit and click OK.
Choose File > Export.
Select Local Disk C for the Save in: location.
Type backup for File Name.
Choose All for the Export Range.
Click Save.
Navigate to the appropriate registry key:
Acrobat:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cDefaultLaunchURLPerms
Reader:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown\cDefaultLaunchURLPerms
If tSchemePerms is set as follows:
version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|
disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:2
To Disable mailto (recommended)
Modify tSchemePerms by setting the mailto: value to 3:
version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|
disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2
To set mailto to prompt
Modify tSchemePerms by removing the mailto: value:
version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|
disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|file:2
Close RegEdit.
Restart the application.
For users who are unable to implement the above workaround, the Secure Software Engineering team is working with the Adobe Reader Engineering team on an update to versions 8.1 of Adobe Reader and Acrobat that will resolve this issue. A security bulletin will be published on http://www.adobe.com/support/security as soon as that update is available. We expect the update to be available before the end of October.
In the meantime, Adobe recommends that Acrobat and Reader customers use caution when receiving unsolicited e-mail communications requesting user action, such as opening attachments or clicking Web links.
All documented security vulnerabilities and their solutions are distributed through the Adobe security notification service. You can sign up for the service at the following URL: http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert.
Severity RatingAdobe categorizes this as a critical issue and recommends that users apply the workaround described above for their product installations.
AcknowledgmentsAdobe would like to thank pdp of gnucitizen.org for reporting this vulnerability and for working with Adobe to help protect our customers' security.
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.