
SANS ISC: Adobe Acrobat Font Parsing Integer Overflow Vulnerability - SANS Internet Storm Center SANS ISC InfoSec Forums


Adobe Acrobat Font Parsing Integer Overflow Vulnerability

Charlie Miller discovered an integer overflow error in CoolType.dll when parsing the maxCompositePoints field value in the Maximum Profile table of a TrueType font. PDFs containing specially crafted TrueType fonts can trigger this vulnerability.

Want more information? Check the following document from pages 51 to 58: http://securityevaluators.com/files/papers/CrashAnalysis.pdf

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Manuel Humberto Santander Peláez

185 Posts
ISC Handler
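
The bug class named in the diary entry above, as an added C example (not CoolType.dll's code, and not taken from the diary or the referenced paper): a buffer size derived from maxCompositePoints wraps when narrowed, shown beside a bounds-checked version. The per-point record size, the sanity limit, the 16-bit narrowing and all function names are assumptions for illustration; the field offsets follow the version 1.0 'maxp' table layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAXP_V1_LEN         32u   /* size of a version 1.0 'maxp' table */
#define OFF_MAX_POINTS       6u   /* uint16 maxPoints */
#define OFF_MAX_COMP_POINTS 10u   /* uint16 maxCompositePoints */
#define POINT_RECORD        12u   /* assumption: bytes of state per point */
#define POINT_LIMIT      16384u   /* assumption: local sanity ceiling */

enum { MAXP_TRUNCATED = -1, MAXP_BAD_VERSION = -2, MAXP_OUT_OF_RANGE = -3 };

static uint32_t be16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }

/* Constructed sample input: zeroed v1.0 table with the two counts set. */
void sample_maxp(uint8_t t[32], uint16_t max_points, uint16_t max_comp_points)
{
    memset(t, 0, MAXP_V1_LEN);
    t[1] = 0x01;                               /* version 0x00010000 */
    t[OFF_MAX_POINTS]          = (uint8_t)(max_points >> 8);
    t[OFF_MAX_POINTS + 1]      = (uint8_t)(max_points & 0xff);
    t[OFF_MAX_COMP_POINTS]     = (uint8_t)(max_comp_points >> 8);
    t[OFF_MAX_COMP_POINTS + 1] = (uint8_t)(max_comp_points & 0xff);
}

/* Unsafe pattern: the product is narrowed to 16 bits, so a large count
 * wraps to a small size and the buffer sized from it is too short. */
uint16_t naive_point_bytes(const uint8_t *maxp)
{
    return (uint16_t)(be16(maxp + OFF_MAX_COMP_POINTS) * POINT_RECORD);
}

/* Hardened sizing: check length and version, bound the untrusted counts,
 * then multiply in a type wide enough that the bounded product fits.
 * Returns the byte count, or a negative MAXP_* error. */
long checked_point_bytes(const uint8_t *maxp, size_t len)
{
    if (maxp == NULL || len < MAXP_V1_LEN)
        return MAXP_TRUNCATED;
    if (((be16(maxp) << 16) | be16(maxp + 2)) != 0x00010000u)
        return MAXP_BAD_VERSION;
    uint32_t simple = be16(maxp + OFF_MAX_POINTS);
    uint32_t composite = be16(maxp + OFF_MAX_COMP_POINTS);
    uint32_t points = simple > composite ? simple : composite;
    if (points > POINT_LIMIT)
        return MAXP_OUT_OF_RANGE;
    return (long)(points * POINT_RECORD);      /* at most 16384 * 12 */
}
```

With a constructed maxCompositePoints of 0x5556, the narrowed product is 8 bytes, while the checked function rejects the table before any size is computed.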
Wait, hold on, we're supposed to go read a PDF about how reading PDFs is a security risk? ;-)
Anonymous
I happened to stumble upon an old article on Linux-Watch while researching a Linux Firefox issue I’m currently working…

http://www.linux-watch.com/news/NS7542722606.html
PDF to become an open, ISO standard - Jan 29, 2007

What I found rather amusing was this quote…
“In the 14 years since Adobe published the complete PDF specification in 1993, PDF has become a de facto global standard for secure and dependable information exchange and archival storage.”

Isn’t it ironic, that what was once considered “secure and dependable” is now the cause of so much grief in the Information Assurance world.
Ken B

4 Posts
Looks like the fix is due out the week of August 16th. http://blogs.adobe.com/psirt/2010/08/pre-notification-out-of-band-security-updates-for-adobe-reader-and-acrobat.html
Anonymous
Adobe and Microsoft really should step together (even closer than recently) and make Adobe updates available in WSUS.

Updating all Readers, Acrobats is (becoming) a nightmare.
Anonymous