Vulnerability Description
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Adobe | Acrobat Reader | 9.3.1 |
| Microsoft | Windows | All versions |
Related Weaknesses (CWE)
References
- http://blog.didierstevens.com/2010/03/29/escape-from-pdf/Exploit
- http://blog.didierstevens.com/2010/06/29/quickpost-no-escape-from-pdf/
- http://lists.immunitysec.com/pipermail/dailydave/2010-April/006075.html
- http://www.adobe.com/support/security/bulletins/apsb10-15.html
- http://www.securitytracker.com/id?1024159
- http://www.us-cert.gov/cas/techalerts/TA10-231A.htmlUS Government Resource
- http://www.vupen.com/english/advisories/2010/1636
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3
- http://blog.didierstevens.com/2010/03/29/escape-from-pdf/Exploit
- http://blog.didierstevens.com/2010/06/29/quickpost-no-escape-from-pdf/
- http://lists.immunitysec.com/pipermail/dailydave/2010-April/006075.html
- http://www.adobe.com/support/security/bulletins/apsb10-15.html
- http://www.securitytracker.com/id?1024159
- http://www.us-cert.gov/cas/techalerts/TA10-231A.htmlUS Government Resource
- http://www.vupen.com/english/advisories/2010/1636
FAQ
What is CVE-2010-1240?
CVE-2010-1240 is a vulnerability with a CVSS score of 9.3 (HIGH). Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for rem...
How severe is CVE-2010-1240?
CVE-2010-1240 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2010-1240?
Check the references section above for vendor advisories and patch information. Affected products include: Adobe Acrobat Reader, Microsoft Windows.