Adobe Reader .etd file format string vulnerability

Date Discovered: December 14, 2004
Date Published: January 6, 2005
Last Updated: January 6, 2005

Vulnerability Description

Vulnerability ID:         32067
Discovered by:            iDEFENSE
Exploitable Locally:     No
Exploitable Remotely: Yes
Impact:                        Remote attackers can execute arbitrary code.
Root Cause:                 Software Vulnerability

Adobe Reader contains a vulnerability that can allow a remote attacker to execute arbitrary code. The vulnerability exists in the parsing of .etd files used in eBook transactions. Remote attackers can use a .etd file containing a format string in the title or baseurl fields to cause an invalid memory access and execute arbitrary code under the privileges of the local user.

Affected Technologies

Adobe Systems Incorporated: Adobe Reader 6
Adobe Systems Incorporated: Adobe Reader 6.0
Adobe Systems Incorporated: Adobe Reader 6.0.1
Adobe Systems Incorporated: Adobe Reader 6.0.2

References

Mitre CVE: CAN-2004-1153

More information on CA Vulnerability Information Center:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32067

Computer Associates – the Trusted Source of Security Knowledge