Adobe has patched two bugs in its Acrobat Reader application that could allow an attacker to take over a user's system via a malicious PDF attached to an e-mail message. The bugs affect Windows, Mac OS X and Unix.
Security research company iDefense warned of the bug affecting Windows and Mac in an advisory published on the Bugtraq mailing list late on Tuesday. The problem is a format string vulnerability in version 6.0.2 of Adobe Reader, allowing users to craft a special .etd file that could cause an invalid memory access and allow for the execution of malicious code with the privileges of the user. Reader uses .etd files in handling eBooks.
The bug could be exploited by an e-mail containing either a malicious PDF file or a link to such a file, according to iDefense. The company said earlier versions of Acrobat Reader 6 could be vulnerable and said the bug is likely to also affect Adobe Acrobat, the application used to create PDF files.
Adobe released a fix in version 6.0.3 of both Acrobat and Acrobat Reader for Windows and Mac OS X. All the updates are available from Adobe's website.
IDefense said users could also work around the problem by deleting the file C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\eBook.api, which makes Reader and Acrobat unable to handle eBooks.
A similar bug affects Unix. A boundary error in the mailListIsPdf() function, which checks to see whether a document in an e-mail is a PDF file, unsafely copies user-supplied data into a fixed-sized buffer, according to iDefense.
This could allow an attacker to cause a buffer overflow and execute malicious code, the company said. Adobe has fixed the bug in Acrobat Reader version 5.0.9 for Unix, available on its site. iDefense said previous versions of Reader 5 are likely to also be affected. In its advisory, iDefense included a shell script patch users can apply for additional protection.
Several bugs were also reported in Ethereal, a network software and protocol development, troubleshooting and analysis tool. The bugs can make the application hang, crash or otherwise disrupt a system, and may also allow for malicious code execution, Ethereal's developers said.
"It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file," the project said in a Wednesday advisory.
The bugs affect versions 0.9.0 up to and including 0.10.7, and are fixed in version 0.10.8. Secunia, which publishes an independent security database, said the problems were "highly critical."