Softpedia
 


November 5th, 2010, 08:27 GMT · By

Adobe Suggests Workaround for New Reader Zero-Day

Adobe investigating reports of new Reader and Acrobat zero-day
Adobe is still investigating reports of a new code execution vulnerability in Adobe Reader and Acrobat, but recommends blacklisting the affected JavaScript function in the meantime.

The flaw was reported as a zero-day on Wednesday, when someone posted a proof-of-concept exploit on the Full Disclosure mailing list.

However, it appears the issue has been known as a Denial of Service (DoS) condition for almost a year, since it was disclosed on a Russian-language blog.

Adobe confirmed the DoS attack vector, but has not yet verified if the bug can be exploited to execute arbitrary code.

Nevertheless, French vulnerability research vendor VUPEN Security has published an advisory suggesting that it is possible.

The vulnerability is caused by a heap corruption error in the "EScript.api" plugin, triggered when a PDF document calls the undocumented "printSeps()" function.

As a temporary workaround, Adobe recommends adding this function to the JavaScript API blacklist used by Adobe Reader and Acrobat.

On Windows, this can be achieved via two separate registry entries, one for enterprise policies and one used by Adobe's patching process.

"The Adobe blacklist is modified by Adobe Reader patches whenever an API is deemed vulnerable. APIs are also removed from the blacklist whenever a fix for a vulnerability is provided by the current patch," the company explains.

The blacklisting can be done by creating the entry "tBlackList" under "HKLM\SOFTWARE\Adobe\<product>\<version>\JavaScriptPerms" with a value of "Doc.printSeps" (case sensitive).

On 64-bit flavors of Windows the location is "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\<product>\<version>\JavaScriptPerms".

The location of the enterprise blacklist is "HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown\cJavaScriptPerms"; however, entries added here are not automatically removed by Adobe's patches.

Therefore, when a fix is released, the entry will have to be removed manually in order to restore the functionality provided by printSeps().
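The following PowerShell script is an added example, not Adobe's tooling or part of the original article. It audits the patch-managed blacklist locations named above and, with -Apply, adds "Doc.printSeps" without discarding entries already present. The parameter names, the REG_SZ value type and the "|" separator between multiple blacklisted APIs are assumptions. The enterprise policy location is deliberately left untouched, since entries there are not cleaned up by patches.

```powershell
# Added example, not Adobe's tooling. Run elevated; without -Apply it only reports.
param(
    [Parameter(Mandatory)][string]$Product,  # the <product> path component, as installed
    [Parameter(Mandatory)][string]$Version,  # the <version> path component, as installed
    [switch]$Apply
)

$Api = 'Doc.printSeps'   # case sensitive, as the article notes

# Patch-managed locations from the article: native view and the 64-bit Wow6432Node view.
$Roots = 'HKLM:\SOFTWARE\Adobe', 'HKLM:\SOFTWARE\Wow6432Node\Adobe'

foreach ($Root in $Roots) {
    $ProductKey = Join-Path $Root "$Product\$Version"
    if (-not (Test-Path -LiteralPath $ProductKey)) {
        "{0}: product key not present, skipped" -f $ProductKey
        continue
    }

    $PermsKey = Join-Path $ProductKey 'JavaScriptPerms'
    $Current  = (Get-ItemProperty -LiteralPath $PermsKey -Name tBlackList `
                     -ErrorAction SilentlyContinue).tBlackList

    # Assumption: several blacklisted APIs are stored '|'-separated in tBlackList.
    $Entries = @($Current -split '\|' | Where-Object { $_ })

    # -ccontains is the case-sensitive membership test, matching the blacklist's behaviour.
    if ($Entries -ccontains $Api) {
        "{0}: {1} already blacklisted" -f $PermsKey, $Api
        continue
    }
    if (-not $Apply) {
        "{0}: {1} NOT blacklisted (current value: '{2}')" -f $PermsKey, $Api, $Current
        continue
    }

    if (-not (Test-Path -LiteralPath $PermsKey)) {
        New-Item -Path $PermsKey -Force | Out-Null
    }
    # Append rather than overwrite, so entries written by earlier patches survive.
    $New = ($Entries + $Api) -join '|'
    # Assumption: tBlackList is a string (REG_SZ) value.
    New-ItemProperty -LiteralPath $PermsKey -Name tBlackList -Value $New `
        -PropertyType String -Force | Out-Null
    "{0}: tBlackList set to '{1}'" -f $PermsKey, $New
}
```

Running it first without -Apply shows which registry view the installed product actually uses before anything is written.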

Instructions to get the same results on Mac and Linux versions of the products are provided on the Adobe Product Security Incident Response Team (PSIRT) blog.
