JavaScript Privilege Escalation in Adobe Reader

Product: Adobe Reader
Severity: Medium
CVE Reference: CVE-2015-4451
Type: JavaScript Privilege Escalation in Adobe Reader

A vulnerability was discovered in Adobe Reader that allows restrictions in the JavaScript API to be bypassed, so that privileged JavaScript commands can be executed from an unprivileged context.


Description

Adobe Acrobat Reader is the most commonly used PDF viewer available for Windows and Mac.

The Adobe Reader JavaScript API has a privilege system in which a user must give permission before execution of privileged functions can occur.

It was found that the restrictions on the JavaScript API can be bypassed, which allows privileged JavaScript functions to be executed.

Impact

A user who opened a PDF in which this vulnerability was used could be made to perform an undesired action automatically, such as connecting to a web site without being notified of this action.

Cause

It was possible to change the context of the doc.requestPermission call within the trusted ANSendApprovalToAuthorEnabled function in order to perform privileged JavaScript functions.
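
The following triage script is an added example, not part of the original advisory and not Adobe's code. It searches a PDF's raw bytes and its Flate-compressed streams for script-bearing names and for the two identifiers named under Cause; the function names, the constructed sample and the choice of indicators are assumptions of this example.

```python
import re
import zlib

# Identifiers named in the Cause section; matching them is this example's assumption.
ADVISORY_IDENTIFIERS = (b"ANSendApprovalToAuthorEnabled", b"requestPermission")
# Standard PDF names that attach script (/JS, /JavaScript) or run actions on open.
SCRIPT_NAMES = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, so /J#61vaScript reads /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every stream that zlib can inflate."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed, or damaged
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """List script-bearing names and advisory identifiers present in a PDF."""
    text = decode_names(data + b"\n" + inflate_streams(data))
    text += b"\n" + text.replace(b"\x00", b"")  # also match UTF-16BE strings
    names = [n.decode() for n in SCRIPT_NAMES
             if re.search(re.escape(n) + rb"(?![A-Za-z0-9])", text)]
    idents = [i.decode() for i in ADVISORY_IDENTIFIERS if i in text]
    return {"script_names": names, "advisory_identifiers": idents,
            "review": bool(idents)}


def build_sample() -> bytes:
    """Constructed sample: PDF fragment whose 'script' is a harmless comment."""
    body = zlib.compress(
        b"// mentions ANSendApprovalToAuthorEnabled and requestPermission")
    return (b"%PDF-1.7\n1 0 obj\n<< /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample()))
```

Encrypted documents and stream filters other than Flate are not decoded here, so an empty result means only that nothing was found in the parts this script can read.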

Interim Workaround

If it is not possible to update to the latest version of Adobe Reader, it is recommended that users disable the use of JavaScript in Adobe Reader. Further details can be found on the Adobe website: JavaScript Controls

Solution

It is recommended that users of Adobe Reader update to version 11.0.12.

Detailed Timeline

Date Summary
15/05/2015 Reported to Adobe
03/07/2015 Adobe confirms issue has been fixed
14/07/2015 Patch released by Adobe
17/07/2015 Advisory released