Patch for Adobe Acrobat, Windows XP, IE 7 users.

Earlier this month I posted about the Unpatched Acrobat PDF Backdoor and suggested a fix by disabling the mailto: option. We now have an official patch release from Adobe, with an upgrade to Adobe Reader 8.1.1.

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat [1]

Summary
Critical vulnerabilities have been identified in Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. This issue only affects customers on Windows XP with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities. It is recommended that affected users update to Adobe Reader 8.1.1 or Acrobat 8.1.1. This is an update to resolve the issue previously reported in Security Advisory APSA07-04.

This fixes the URI issue, but for a more complete solution we await a patch from Microsoft:

Microsoft may also be providing an update to resolve this issue at a later date. Please refer to Microsoft Security Advisory 943521 for more information. [1]

The 8.1.1 update can be downloaded from Adobe Downloads.

The update is ReaderUpd811_all_incr.msp and must be run as an Administrator; the .msp removes the “run as” option found with an exe file.

The Acrobat 8.1 clients will not see this as an update via the auto-update process (not sure why). This would be because it’s not there yet; Kurt Foss tells us it will soon also be available from the automatic product update feature. Hopefully it will be there soon.

UPDATE 2007-Oct-24 Now available via auto-update.

[1] Security Advisories : APSB07-18: Adobe Reader and Acrobat vulnerability (2007-Oct-22) [Adobe]
[2] Microsoft Security Advisory (943521) URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution (2007-Oct-10) [MS Technet]
[3] Adobe Reader 8.1 update available (2007-Oct-22) [SANS]

1 Response to “Patch for Adobe Acrobat, Windows XP, IE 7 users.”


  1. 1 visibleprocrastinations October 24, 2007 at 10:04 am

    PDF mailto exploit documents in the wild
    Published: 2007-10-23,
    Last Updated: 2007-10-23 20:16:52 UTC
    by Adrien de Beaupre (Version: 2)

    http://isc.sans.org/diary.html?storyid=3537

