In-Depth

In Brief

Problems with Adobe Acrobat, Microsoft .NET, and phpMyAdmin

• By Mathew Schwartz
• 01/05/2005

Adobe Acrobat and Reader Vulnerable to Information Exposure

Adobe’s widely installed Adobe Acrobat 6.x and the free Adobe Acrobat Reader 6.x both have multiple vulnerabilities which could expose sensitive information, or give an attacker access to a system.

Secunia rates the vulnerabilities as “highly critical.” Adobe released version 6.0.3 for both affected programs to fix the flaws.

Secunia says the first vulnerability is “a format string error within the eBook plug-in when parsing ‘.etd’ files.” Notably, the “title” and “baseURL” fields in the eBook could be written to cause Acrobat to execute arbitrary code.

The second vulnerability concerns libpng routines, and a well-known PNG image vulnerability there that affects many other products. Using the vulnerability, an attacker could “compromise a vulnerable system,” says Secunia.

“Currently there are no known malicious exploits of these vulnerabilities,” notes Adobe. Nevertheless, it recommends applying the update immediately.

- - -

Vulnerability for Adobe Acrobat Reader on Unix

The Unix version of the free Adobe Acrobat Reader is vulnerable to a buffer overflow. Vulnerability information provider Secunia rates the problem as “highly critical.”

The problem affects Adobe Acrobat Reader 5.x, specifically a boundary error in the “mailListIsPdf()”function, which checks input files.

An attacker could exploit this vulnerability by sending an e-mail with a malicious PDF document either attached, or linked to in the body of the e-mail. “Successful exploitation allows execution of arbitrary code,” says Secunia.

Adobe released an update, 5.0.10, to fix the vulnerability.

- - -

Microsoft .NET Framework Updated Against JPEG Weakness

Microsoft released several more security updates to counter a “critical” buffer overrun vulnerability due to how Windows operating systems and programs process JPEGs. The vulnerability could allow an attacker to execute arbitrary code. Quite a number of Microsoft programs contain the vulnerability.

While Microsoft has already issued some patches, it released standalone security updates for three programs: the Microsoft .NET Framework version, for both version 1.0 Service Pack 2 and version 1.1; Microsoft Visual FoxPro 8.0 and 8.0 runtime, and Windows Messenger 5.1. Microsoft also updated its Enterprise Update Scanning tool to detect and deploy these updates.

- - -

phpMyAdmin Problems

The popular, and free, Web-based MySQL database administration tool phpMyAdmin contains two vulnerabilities rated by Secunia as “highly critical.”

The vulnerabilities may “allow command execution and file disclosure,” according to phpMyAdmin’s developers. Still, “both vulnerabilities can be exploited only on a Web server where PHP safe mode is off.”

The command-execution vulnerability works on a system “where external, MIME-based transformations are activated,” say developers. In phpMyAdmin 2.6.0-pl2, an attacker could execute a shell command by loading a specially crafted value into MySQL data. “The vulnerability has been reported in versions 2.6.0-pl2 up to 2.6.1-rc1,” says Secunia.

For the file disclosure vulnerability, “the SQL localfile variable is not sanitized,” meaning on PHP installations with an active UploadDir mechanism, someone could use specially crafted input to call read_dump.php, thus disclosing database files. Still, “successful exploitation requires access to the phpMyAdmin interface, and that PHP safe mode is disabled and the UploadDir mechanism to be active,” says Secunia. “The vulnerability has been reported in versions 2.4.0 up to 2.6.1-rc1.”

Note both vulnerabilities are fixed in 2.6.1-rc1, but developers recommend most users wait for the official 2.6.1 release. Until its release, the developers also recommend users switch PHP to safe mode. “If not feasible, you should deactivate MIME-based external transformations and the UploadDir mechanism.”