CVE-2010-1240
published 2010-04-05CVE-2010-1240: Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File…
PriorityP275critical9.3CVSS 2.0
AVNACMAuNCCICAC
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
73.44%
99.4th percentile
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat_reader | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →PDF files using a /Launch /Action to execute an embedded or external executable without exploiting a memory corruption vulnerability — detection should focus on the presence of /Launch actions in PDF structure. ↗
- →Foxit Reader executes the launch action with no warning dialog at all — PDF scanners should flag /Launch actions regardless of the target reader application. ↗
- →Blocking Adobe Reader (AcroRd32.exe) from spawning new child processes is an effective host-based mitigation and detection pivot point for this attack. ↗
- ·The Metasploit module targets Adobe Reader v8.x and v9.x on Windows XP SP3 English specifically; the attack surface and payload delivery may differ on other OS versions or Reader builds. ↗
- ·The LAUNCH_MESSAGE option allows the attacker to fully customize the social-engineering text shown in the warning dialog, meaning the specific lure string is attacker-controlled and variable. ↗
- ·The vulnerability was confirmed tested on Adobe Reader 9.3.1 on Windows XP SP3 and Windows 7; versions 9.3.3+ and 8.2.3+ are patched. ↗
CVSS provenance
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck9.3CRITICAL
vendor_redhat9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Adobe Acrobat Reader up to 9.3.0 access control (Nessus ID 51701 / ID 165604)
vuldb·2026-05-05·CVSS 9.3
CVE-2010-1240 [CRITICAL] Adobe Acrobat Reader up to 9.3.0 access control (Nessus ID 51701 / ID 165604)
A vulnerability categorized as critical has been discovered in Adobe Acrobat Reader up to 9.3.0. This impacts an unknown function. The manipulation results in improper access controls.
This vulnerability was named CVE-2010-1240. The attack may be performed from remote. There is no available exploit.
It is advisable to upgrade the affected component.
GHSA
GHSA-r9c9-qvgh-48mx: Adobe Reader and Acrobat 9
ghsa_unreviewed·2022-05-02
CVE-2010-1240 [HIGH] GHSA-r9c9-qvgh-48mx: Adobe Reader and Acrobat 9
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.
VulnCheck
Adobe Reader and Acrobat Launch File Warning Vulnerability
vulncheck·2010·CVSS 9.3
CVE-2010-1240 [CRITICAL] Adobe Reader and Acrobat Launch File Warning Vulnerability
Adobe Reader and Acrobat Launch File Warning Vulnerability
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.
Affected: Adobe Acrobat and Reader
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/earlier-flaws-revisited-ms-offic
Red Hat
acroread: multiple code execution flaws (APSB10-15)
vendor_redhat·2010-06-29·CVSS 9.3
CVE-2010-1240 [CRITICAL] acroread: multiple code execution flaws (APSB10-15)
acroread: multiple code execution flaws (APSB10-15)
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.
No detection rules found.
Exploit-DB
Adobe PDF - Embedded EXE Social Engineering (Metasploit)
exploitdb·2010-12-16
CVE-2010-1240 Adobe PDF - Embedded EXE Social Engineering (Metasploit)
Adobe PDF - Embedded EXE Social Engineering (Metasploit)
---
##
# $Id: adobe_pdf_embedded_exe.rb 11353 2010-12-16 20:11:01Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Adobe PDF Embedded EXE Social Engineering',
'Description' => %q{
This module embeds a Metasploit payload into an existing PDF file. The
resulting PDF can be sent to a target as part of a social engineering attack.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Colin Ames ', # initial module
'jduck' # add Documents for vista/win7
],
'Version' => '$Revision: 11353 $',
Exploit-DB
Adobe PDF - Escape EXE Social Engineering (No JavaScript) (Metasploit)
exploitdb·2010-12-16
CVE-2010-1240 Adobe PDF - Escape EXE Social Engineering (No JavaScript) (Metasploit)
Adobe PDF - Escape EXE Social Engineering (No JavaScript) (Metasploit)
---
##
# $Id: adobe_pdf_embedded_exe_nojs.rb 11353 2010-12-16 20:11:01Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
#
# Modified version of the Adobe PDF Embedded EXE Social Engineering "adobe_pdf_embedded_exe.rb".
# This version does not require JavaScript to be enabled and does not required the EXE to be
# attached to the PDF. The EXE is embedded in the PDF in a non-standard method using HEX
# encoding.
#
# Lots of reused code from adobe_pdf_embedded_exe.rb and the other PDF modules to make the
Exploit-DB
Adobe Reader - Escape From '.PDF' Execute Embedded Executable
exploitdb·2010-03-31
CVE-2010-1240 Adobe Reader - Escape From '.PDF' Execute Embedded Executable
Adobe Reader - Escape From '.PDF' Execute Embedded Executable
---
Title : Escape From PDF
Author : Didier Stevens
Date : 03/29/2010
Source : http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
This is a special PDF hack: I managed to make a PoC PDF to execute an embedded executable without exploiting any vulnerability!
I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.
PDF viewers like Adobe Reader and Foxit Reader don’t allow embedded executables (like binaries and scripts) to be extracted and executed, but I found another way
Metasploit
Adobe PDF Embedded EXE Social Engineering
metasploit
Adobe PDF Embedded EXE Social Engineering
Adobe PDF Embedded EXE Social Engineering
This module embeds a Metasploit payload into an existing PDF file. The resulting PDF can be sent to a target as part of a social engineering attack.
Metasploit
Adobe PDF Escape EXE Social Engineering (No JavaScript)
metasploit
Adobe PDF Escape EXE Social Engineering (No JavaScript)
Adobe PDF Escape EXE Social Engineering (No JavaScript)
This module embeds a Metasploit payload into an existing PDF file in a non-standard method. The resulting PDF can be sent to a target as part of a social engineering attack.
arXiv
Towards Adversarial Malware Detection: Lessons Learned from PDF-based Attacks
arxiv_fulltext·2020-04-14
Towards Adversarial Malware Detection: Lessons Learned from PDF-based Attacks
Towards Adversarial Malware Detection: Lessons Learned from PDF-based Attacks
Davide Maiorca
University of Cagliari
Piazza d'Armi
Cagliari
09123
Italy
[email protected]
Battista Biggio
University of Cagliari
Piazza d'Armi
Cagliari
09123
Italy
Pluribus One
Italy
[email protected]
Giorgio Giacinto
University of Cagliari
Piazza d'Armi
Cagliari
09123
Italy
Pluribus One
Italy
[email protected]
## Abstract
Malware still constitutes a major threat in the cybersecurity landscape, also due to the widespread use of infection vectors such as documents. These infection vectors hide embedded malicious code to the victim users, facilitating the use of social engineering techniques to infect their machines.
Research showed that machine-learning algorithms provide effective
arXiv
Digital Investigation of PDF Files: Unveiling Traces of Embedded Malware
arxiv_fulltext·2017-07-17
Digital Investigation of PDF Files: Unveiling Traces of Embedded Malware
Digital Investigation of PDF Files:\ Traces of Embedded Malware
Davide Maiorca, Member, IEEE,
Battista Biggio, Senior Member, IEEE,
Preprint of the work accepted for publication in the IEEE Security & Privacy magazine, Special Issue on Digital Forensics, Nov. - Dec. 2017, http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7854112
The authors are with the Department of Electrical and Electronic Engineering, University of Cagliari, Piazza d'Armi, 09123 Cagliari, Italy.
Davide Maiorca: e-mail [email protected]
Battista Biggio: e-mail [email protected]
## Abstract
Over the last decade, malicious software (or malware, for short) has shown an increasing sophistication and proliferation, fueled by a flourishing underground economy, in response to the increasing complex
Bugzilla
acroread: multiple critical security flaws (APSB10-17)
bugzilla·2010-08-17·CVSS 9.3
CVE-2010-2862 [CRITICAL] acroread: multiple critical security flaws (APSB10-17)
acroread: multiple critical security flaws (APSB10-17)
Adobe has announced a forthcoming update to Adobe Acrobat Reader that will address critical security issues:
http://www.adobe.com/support/security/bulletins/apsb10-17.html
Discussion:
The bulletin addresses:
* These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2010-2862).
* These updates further mitigate a social engineering attack that could lead to code execution (CVE-2010-1240).
* These updates incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-16.
The first issue is tracked via bug #621687 and the Flash Player-related issues are tracked via bug #622947.
CVE-2010-1240 was previously noted to have been corrected in APSB10-15 (see bug #609203), so Adobe s
Bugzilla
acroread: multiple code execution flaws (APSB10-15)
bugzilla·2010-06-29·CVSS 9.3
[CRITICAL] acroread: multiple code execution flaws (APSB10-15)
acroread: multiple code execution flaws (APSB10-15)
Today, 2010-06-29, Adobe is planning to release an update
for Adobe Reader of version v9.3.2 and Adobe Acrobat of
version 9.3.2 (new version for both products is v9.3.3),
to address multiple security issues allowing code execution,
whose description is detailed in the Adobe Security Bulletin
APSB10-15:
[1] http://www.adobe.com/support/security/bulletins/apsb10-15.html
* This update resolves a memory corruption vulnerability that could
lead to code execution (CVE-2010-1297). Note: There are reports that
this issue is being actively exploited in the wild.
Red Hat is tracking this memory corruption vulnerability via a
dedicated Red Hat Bugzilla entry, which is reachable at:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-1297
http://blog.didierstevens.com/2010/03/29/escape-from-pdf/http://blog.didierstevens.com/2010/06/29/quickpost-no-escape-from-pdf/http://lists.immunitysec.com/pipermail/dailydave/2010-April/006075.htmlhttp://www.adobe.com/support/security/bulletins/apsb10-15.htmlhttp://www.securitytracker.com/id?1024159http://www.us-cert.gov/cas/techalerts/TA10-231A.htmlhttp://www.vupen.com/english/advisories/2010/1636https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7466http://blog.didierstevens.com/2010/03/29/escape-from-pdf/http://blog.didierstevens.com/2010/06/29/quickpost-no-escape-from-pdf/http://lists.immunitysec.com/pipermail/dailydave/2010-April/006075.htmlhttp://www.adobe.com/support/security/bulletins/apsb10-15.htmlhttp://www.securitytracker.com/id?1024159http://www.us-cert.gov/cas/techalerts/TA10-231A.htmlhttp://www.vupen.com/english/advisories/2010/1636https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7466
2010-04-05
Published
Exploited in the wild