Update Protection against Multiple Adobe Acrobat Vulnerabilities

Check Point Reference: CPAI-2007-008
Date Published:
Severity:
Last Updated:
Source: FrSIRT/ADV-2007-0032
Industry Reference(s): CVE-2007-0044, CVE-2007-0045, CVE-2007-0046, CVE-2007-0047, CVE-2007-0048
Protection Provided by: VPN-1
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Connectra
  • NGX R62
  • NGX R61
Who is Vulnerable?
Adobe Reader version 7.0.8 and prior
Adobe Acrobat Standard version 7.0.8 and prior
Adobe Acrobat Professional version 7.0.8 and prior
Adobe Acrobat Elements version 7.0.8 and prior
Vulnerability Description
Adobe Acrobat Reader is a popular product that allows the viewing, searching, digitally signing, verifying and printing of Adobe Portable Document Format (PDF) files.  Adobe Acrobat Reader is prone to multiple vulnerabilities. An attacker can exploit these vulnerabilities to cause denial of service, execute arbitrary code and take control of an affected system.
Update/Patch Available
Upgrade to Adobe Reader version 8:
http://www.adobe.com/products/acrobat/readstep2.html
Vulnerability Details
Several vulnerabilities were reported in Adobe Acrobat Reader:

CVE-2007-0044: A vulnerability in the Adobe Acrobat Reader browser plug-in allows remote attackers to force the browser to make unauthorized requests to arbitrary URLs via a specially crafted URL in several request parameters. This allows attackers to perform CSRF attacks.

CVE-2007-0045: An input validation error in the Adobe Acrobat Reader browser plug-in allows remote attackers to conduct cross-site scripting via a specially crafted '.PDF' URL.

CVE-2007-0046: A double free error in the Adobe Acrobat Reader browser plug-in when handling malformed parameters passed to a PDF document allows remote attackers to execute arbitrary code via a specially crafted URL.

CVE-2007-0047: A flaw in the Adobe Acrobat Reader browser plug-in in Microsoft Internet Explorer allows remote attackers to inject arbitrary HTTP headers via CRLF sequences.

CVE-2007-0048: A memory corruption error in the Adobe Acrobat Reader plug-in in Microsoft Internet Explorer allows remote attackers to cause a denial of service via an overly long sequence of characters appended to a PDF URL.

Protection Overview
The Update enables the HTTP Worm Catcher to detect and block attempts to exploit these vulnerabilities based on pre-defined worm signatures.

In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update released on January 21, 2007 includes the following protections:

Vector Markup Language (VML) Remote Code Execution Vulnerability (MS07-004) - CPAI-2007-007
Multiple Adobe Acrobat Vulnerabilities (CPAI-2007-008)

VPN-1 NGX R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > Malicious Code > General HTTP Worm Catcher.
2. In the General HTTP Worm Catcher configuration pane, under General HTTP Worm Catcher Settings > Mode, check Active.

3. Enable the following patterns:

Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. Enable the following patterns:

Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

VPN-1 NG with Application Intelligence R55/R54

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
2. Enable the following patterns:

Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. Enable the following patterns:

Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following patterns:

Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > General HTTP Worm Defender.
2. Enable the following patterns:

Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

Connectra NGX R62/R61

How Can I Protect My Network?
1. In the navigation tree, click security > Web Intelligence. In the Malicious Code Protection pane click General HTTP Worm Catcher.
2. Enable the following patterns:

Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: HTTP Worm Catcher
Attack Information: 
Acrobat Reader denial of service
Acrobat Reader UXSS vulnerability
Acrobat Reader UXSS remote code execution
Acrobat Reader CSRF vulnerability
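
The "How Do I Know if My Network is Under Attack?" sections above all name the same Attack Name and the same four Attack Information values. The following is an added example, not Check Point code, that triages a delimited log export for those entries and counts them per source. The `;` delimiter, the column names `Source`, `Attack Name` and `Attack Information`, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Values taken from the advisory's "How Do I Know if My Network is Under Attack?" sections.
ATTACK_NAME = "HTTP Worm Catcher"
PATTERNS = (
    "Acrobat Reader denial of service",
    "Acrobat Reader UXSS vulnerability",
    "Acrobat Reader UXSS remote code execution",
    "Acrobat Reader CSRF vulnerability",
)

# Constructed sample export. The ';' delimiter and the column names are
# assumptions about how the log was exported, not a documented format.
SAMPLE_EXPORT = """\
Time;Source;Destination;Attack Name;Attack Information
10:01:12;192.0.2.10;198.51.100.5;HTTP Worm Catcher;Acrobat Reader UXSS vulnerability
10:01:40;192.0.2.10;198.51.100.5;HTTP Worm Catcher;acrobat reader  uxss vulnerability
10:02:03;192.0.2.77;198.51.100.9;HTTP Worm Catcher;Acrobat Reader denial of service
10:02:30;192.0.2.77;198.51.100.9;HTTP Worm Catcher;Some other worm pattern
10:03:00;192.0.2.50;198.51.100.5;Port Scan;Acrobat Reader CSRF vulnerability
10:03:15;192.0.2.50;198.51.100.5;;
"""

def _norm(value):
    """Collapse whitespace and case so minor export differences still match."""
    return " ".join((value or "").split()).casefold()

_BY_NORM = {_norm(p): p for p in PATTERNS}

def acrobat_hits(export_text, delimiter=";"):
    """Count advisory pattern hits per (source, pattern) in a delimited export."""
    hits = Counter()
    reader = csv.DictReader(io.StringIO(export_text), delimiter=delimiter)
    for row in reader:
        if _norm(row.get("Attack Name")) != _norm(ATTACK_NAME):
            continue  # logged by a different protection
        pattern = _BY_NORM.get(_norm(row.get("Attack Information")))
        if pattern is None:
            continue  # Worm Catcher hit, but not one of the four Acrobat patterns
        hits[((row.get("Source") or "").strip(), pattern)] += 1
    return hits

if __name__ == "__main__":
    for (src, pattern), n in sorted(acrobat_hits(SAMPLE_EXPORT).items()):
        print(f"{src}\t{n}\t{pattern}")
```

Repeated hits from one source for the same pattern are worth reviewing together, since the advisory's patterns are triggered by the request URL rather than by a one-off malformed packet.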