Update Protection against Adobe Reader and Acrobat Crafted URI Action in PDF File Cross-Site Scripting Vulnerability (APSB11-03)

Check Point Reference: CPAI-2011-033
Date Published:
Severity:
Last Updated:
Source: Adobe Security Bulletin APSB11-03 
Industry Reference(s): CVE-2011-0587
Protection Provided by: Security Gateway
  • R75
  • R71
  • R70
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Adobe Reader X (10.0) and earlier versions for Windows and Macintosh 
Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX 
Adobe Acrobat X (10.0) and earlier versions for Windows and Macintosh
Vulnerability Description
A cross-site scripting (XSS) vulnerability has been discovered in Adobe Reader and Acrobat. Adobe Reader and Acrobat are a family of computer programs developed by Adobe Systems, designed to view, create, manipulate and manage files in Adobe's core technology, the Portable Document Format (PDF), which has become the de facto standard for electronic document exchange. A remote attacker could exploit this issue to execute a cross-site scripting attack or cause a denial of service condition via a malformed PDF file.
Update/Patch Available
Adobe has released an advisory to address this vulnerability. 
Vulnerability Details
PDF files can contain OpenActions, which are actions that are executed when a document is opened. URI actions are a type of OpenAction that cause a specified URI to be resolved. The vulnerability occurs when Adobe Reader opens a PDF file with a specially crafted URI action. Successful exploitation of this issue will allow the attacker to inject arbitrary web script or HTML into the vulnerable system.
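
A defender-side triage check for the structure described above, as an added example that is not Check Point's signature or code from this advisory: it lists the URIs of URI actions wired to /OpenAction so they can be reviewed. The function name, the regex approach and the constructed sample PDF are assumptions, and only uncompressed objects are read.

```python
import re

# Constructed sample: a minimal, uncompressed PDF body whose catalog points
# /OpenAction at a URI action. The URI is a placeholder, not a real indicator.
SAMPLE = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
4 0 obj
<< /Type /Action /S /URI /URI (http://example.test/landing) >>
endobj
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /OpenAction is either an indirect reference "N G R" or an inline dictionary.
# An array value is a destination, not an action, and is deliberately not matched.
OPEN_RE = re.compile(rb"/OpenAction\s*(?:(\d+)\s+(\d+)\s+R|(<<.*?>>))", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
URI_VALUE_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def open_action_uris(pdf_bytes):
    """Return the URI of every URI action that runs when the document opens.

    Assumption: objects are stored uncompressed with literal-string URIs;
    object streams, hex strings and #-escaped names are not decoded.
    """
    objects = {(int(n), int(g)): body for n, g, body in OBJ_RE.findall(pdf_bytes)}
    uris = []
    for num, gen, inline in OPEN_RE.findall(pdf_bytes):
        action = inline if inline else objects.get((int(num), int(gen)), b"")
        if URI_ACTION_RE.search(action):
            match = URI_VALUE_RE.search(action)
            uris.append(match.group(1).decode("latin-1") if match else "")
    return uris


if __name__ == "__main__":
    for uri in open_action_uris(SAMPLE):
        print("OpenAction URI action ->", uri)
```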

Protection Overview
This protection will detect and block the transferring of malformed PDF files over HTTP. 

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab, and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R75

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade Application Intelligence > Content Protection > Adobe Reader and Acrobat.
2. In the right pane, double-click the Adobe Reader Crafted URI Action in PDF File Cross-Site Scripting (APSB11-03) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: 

Attack Name: Adobe Reader Violation
Attack Information: Adobe Reader crafted URI action in PDF file cross-site scripting (APSB11-03)

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Content Protection > Adobe Reader and Acrobat.
2. In the right pane, double-click the Adobe Reader Crafted URI Action in PDF File Cross-Site Scripting (APSB11-03) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: 

Attack Name: Adobe Reader Violation
Attack Information: Adobe Reader crafted URI action in PDF file cross-site scripting (APSB11-03)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the PDF Skimmer protection group.
3. Click Adobe Reader and Acrobat Crafted URI Action in PDF File Cross-Site Scripting (APSB11-03) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Badfiles PDF Skimming
Description: Adobe Reader and Acrobat Crafted URI Action in PDF File Cross-Site Scripting (APSB11-03)