===================================================================== CERT-Renater Note d'Information No. 2005/VULN246 _____________________________________________________________________ DATE : 07/04/2005 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running Adobe Reader v7.0 and earlier. ====================================================================== Title ===== NISCC Vulnerability Advisory 482323/NISCC/ADOBE - Adobe Reader v7.0 and earlier. Detail ====== A vulnerability within the Adobe Reader control have been identified; under certain circumstances if the control is placed on a web page, it is possible to discover the existence of local files by monitoring the behaviour of certain methods. NISCC Vulnerability Advisory 482323/NISCC/ADOBE Vulnerability Issues with Adobe Reader Version Information - ------------------- Advisory Reference 482323/NISCC/ADOBE Release Date 1 April 2005 Last Revision 22 March 2005 Version Number 1.0 What is affected? - ----------------- Adobe Reader v7.0 and earlier. Impact - ------ If exploited it may be possible to discover the existence of local files on an end-user system. Severity - -------- This is rated as low. Summary - ------- A vulnerability within the Adobe Reader control have been identified; under certain circumstances if the control is placed on a web page, it is possible to discover the existence of local files by monitoring the behaviour of certain methods. Adobe has solutions available that can rectify these issues; please refer to the 'Solution' section for further information. [Please note that revisions to this advisory will not be notified by email. All subscribers are advised to regularly check the UNIRAS website for updates to this notice.] Details - ------- CVE ID: CAN-2005-0035 The vulnerability is within the Adobe Reader control; if the control is placed on a web page, it is possible to discover the existence of local files by calling the .LoadFile(filename) method and monitoring its behaviour. An attacker could then use the information gathered to help prepare for a more serious attack. However the impact is minimised due to the fact that the existence of local files can only be discovered if the complete filenames and paths are known in advance by the attacker. Mitigation - ---------- Upgrade to the latest stable version of the Adobe Reader software. Solution - -------- Upgrade to Adobe Reader v7.0.1. Vendor Information - ------------------ Adobe is headquartered in San Jose, California and was founded in 1982. For further information, please visit their website at http://www.adobe.com/. Credits - ------- The NISCC Vulnerability Team would like to thank CESG for reporting the issue to us and Adobe for their co-operation with the handling of this vulnerability. What is NISCC? - -------------- For further information regarding the UK National Infrastructure Security Co-ordination Centre, please visit http://www.niscc.gov.uk/. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither shall NISCC accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. © 2005 Crown Copyright ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================