Windows 98 / Acrobat 6 is not vulnerable to Adobe Acrobat and Reader Vulnerability

Windows 98 / Acrobat 6 is not vulnerable to Adobe Acrobat and Reader Vulnerability

Post by 98 Gu » Fri, 27 Feb 2009 14:02:26



To re-cap, java is NOT instrumental in this vulnerability.

The use of java script is NOT necessary for the exploit (JBIG2Decode) to
execute.

However, it seems that all known examples of this exploit currently in
circulation DO use Javascript and one method of protecting vulnerable
systems is to disable javascript handling within Acrobat.

Example code is now available on Milw0rm:

http://www.yqcomputer.com/

That is a perl script, which when executed by a perl interpreter will
produce a PDF file which contains the exploit code. I downloaded and
installed a 17 mb perl compiler package just to produce the desired PDF
file.

Virus Total confirms that the file is identified as a threat - if only
by 2 out of 39 AV programs:

http://www.yqcomputer.com/

-----------------------
CAT-QuickHeal 2009.02.26 Expoit.PDF.JBIG2Decode
ClamAV 2009.02.25 Exploit.PDF-29
-----------------------

I'm not sure what the example file is supposed to do when executed, but
I can confirm that when Acrobat Reader 6.0.2 (5/18/04) on windows 98 is
directed to open the file, it immediately displays this message:

------------------
There was an error opening this document. The file is damaged and could
not be repaired.
------------------

The message can be dismissed, and Adobe does not crash and can open
other real PDF's just fine.

I haven't tried this .PDF on XP running Acrobat 7, 8 or 9, but I might
do that tommorrow.

Because of the positive AV test, I believe this is a working example of
this vulnerability, and my test has shown that because Acrobat 6 did not
crash, that the combination of Win-98 and Adobe Acrobat 6 is not
vulnerable to this exploit.