Adobe Reader and Acrobat 8 Plagued by Remote Code Execution Vulnerabilities

Adobe released an advisory and patches for all of them

By Lucian Constantin, Web News Editor

5th of November 2008, 13:08 GMT

Adobe has announced no fewer than five local and remote code execution vulnerabilities in versions 8.1.2 and earlier of Adobe Reader and Acrobat. Security patches have been released for all of them, along with an advisory that also covers a privilege escalation and a denial of service vulnerability.

One of the most critical and exploitable vulnerabilities was discovered by Damian Frizza from the CORE IMPACT Exploit Writers Team at Core Security Technologies and is identified as CVE-2008-2992. The vulnerability is a buffer overflow that occurs during execution of the JavaScript printf function. Successful exploitation allows an attacker to remotely execute arbitrary code on the system with the privileges of the current user.

This can be achieved by serving a maliciously crafted PDF file to a user. The PDF file must have the JavaScript exploit code embedded in it, so disabling JavaScript in the Reader or Acrobat applications is a workaround. However, this would also prevent legitimate PDFs that contain JavaScript from displaying and functioning correctly.
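Because exploitation depends on JavaScript embedded in the PDF, a mail or web gateway can flag script-bearing files before they reach an unpatched reader. The following triage check is an added example, not code from Adobe or Core Security; the list of names it looks for and the sample bytes are assumptions made here, and it does not handle encrypted files or filters other than Flate.

```python
import re
import zlib

# Names that carry script (JS_NAMES) or run an action automatically (TRIGGER_NAMES).
JS_NAMES = (b"/JS", b"/JavaScript")
TRIGGER_NAMES = (b"/OpenAction", b"/AA")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name runs from "/" to the next whitespace or delimiter character.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _count_names(data, counts):
    for match in _NAME.finditer(data):
        # Undo #xx escapes so /J#61vaScript is counted as /JavaScript.
        name = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), match.group(0))
        if name in counts:
            counts[name] += 1


def scan_pdf(data):
    """Count script-related names in the raw bytes and in inflated streams."""
    counts = {name: 0 for name in JS_NAMES + TRIGGER_NAMES}
    _count_names(data, counts)
    for match in _STREAM.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream".
            inflated = zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data; the raw pass above already covered it
        _count_names(inflated, counts)
    return counts


def has_javascript(data):
    counts = scan_pdf(data)
    return any(counts[name] for name in JS_NAMES)


# Constructed sample: a catalog whose /OpenAction points at a JavaScript action
# written with hex-escaped names.
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /S /J#61vaScript /#4AS (placeholder) >>\nendobj\n")

if __name__ == "__main__":
    print(scan_pdf(SAMPLE), has_javascript(SAMPLE))
```

A hit means the file contains script and deserves closer inspection or quarantine on unpatched systems; it does not by itself mean the file is malicious.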

“As with many of today’s ubiquitous client-side applications, the sheer complexity of Adobe Reader creates a broad surface for potential vulnerabilities and, in this case, Adobe’s inclusion of a fully fledged JavaScript engine introduces the same types of implementation bugs commonly found in such sophisticated client-side programs,” noted Ivan Arce, Chief Technology Officer at Core Security Technologies.

This vulnerability was discovered while investigating an already known bug in Foxit Reader, another PDF viewing application. “While investigating the feasibility of exploiting the vulnerability previously disclosed in Foxit Reader (CVE-2008-1104) we found that Adobe Reader was affected by the same bug,” the CORE advisory notes.

The other vulnerabilities disclosed by Adobe in its advisory are identified in the Common Vulnerabilities and Exposures List as CVE-2008-4812, CVE-2008-4813, CVE-2008-4814, CVE-2008-4815, CVE-2008-4816, CVE-2008-4817 and CVE-2008-2549. “Adobe is not aware of any reports of these issues being exploited in the wild,” wrote the Product Security Incident Response Team (PSIRT) on its official blog. “These issues do not apply to Adobe Reader 9 or Acrobat 9, so no action is required for customers who already have Adobe Reader 9 or Acrobat 9 installed,” the team added.

© Copyright 2001-2009 Softpedia