General information

In February, Adobe issued its 7th security bulletin in 2010. The updates resolve two holes in Adobe Reader and Acrobat 9.3.0 and 8.2.0 and earlier versions. Among these, a critical flaw (CVE-2010-0188) potentially allows hackers to take remote control of the affected computers. By the time of the update’s issue, exploit code and detailed information about the hole had not been disclosed.

In early and middle March, however, lots of malicious codes embedded in .pdf files exploiting the above hole have been found. The exploit code has also been published on the Internet.

Technical details

The hole stems from Libtiff, an open source code library used by Adobe Reader and Acrobat to process .TIFF images (Tagged Image File Format). What’s worth saying is that this hole is one of those found in Libtiff in 2006 (CVE-2006-3459).

The hole is due to the use of memcpy() function with the copied byte exceeding the destination buffer’s size. This will lead to a stack overflow, and the returned address will be changed.

There’s a simple way to exploit this flaw: insert Javascript code into .pdf files to employ heapspray technique. After creating a large heap memory containing shellcode, hackers just need to overflow the stack address pointing to that heap, for example 0x0c0c0c0c. And when the program is returned to this address, shellcode will be executed. However, this method does not work in case Javascript in Adobe is disabled.

Also, there is a more applicable attack method which is already used in the aforementioned exploit code. Specifically, the data overflown on the stack are specially crafted so that when being referred to, these data bytes will be arranged in a way that forms a special code to search and copy the shellcode lying somewhere on the process’s memory and then execute it.

After memcpy() function call, the stack is overflown with specially crafted data in the input file.


In fact, these are the two exploit methods used by the already spread malwares. These exploit codes all successfully run on Windows XP SP2 and Windows XP SP3. Specially, the threats not only come from Adobe Reader and Acrobat but from Adobe Plugin for web browsers as well. This means malwares could be easily executed when users click on a link to malicious .pdf file. That’s why this hole is rated critical and has become hackers’ favored attack target in recent time.

The patch for this vulnerability has been released since February, so users should immediately update to Adobe Reader 8.2.1 or 9.3.1 to protect their computers.

Author: Le Manh Tung

Leave a Reply

Name (required)
Mail (hidden) (required)
Text to Identify

Popup Date Time Portlet

Blogs Aggregator

Recent Posts

Blog Category Portlet


Store Portlet


Vote Baby Portlet