CVE-2008-0655 — Adobe Acrobat and Reader Unspecified Vulnerability

Adobe Acrobat and Reader — Multiple Unspecified Vulnerabilities Including Silent Print Design Flaw; APSB08-07 Security Update

What is Adobe Acrobat and Reader?

Adobe Acrobat and Adobe Reader are the dominant applications for creating, editing, and viewing PDF files. The PDF format is ubiquitous in business, government, and consumer environments — used for contracts, invoices, forms, and official documents of all kinds. Adobe Reader was the most widely installed free PDF viewer through the 2000s, making Acrobat and Reader vulnerabilities high-value targets for attackers seeking broad reach. The February 2008 Adobe Security Bulletin APSB08-07 addressed multiple security issues in Acrobat and Reader versions 7.x and 8.x.

Overview

CVE-2008-0655 is a critical vulnerability (CVSS 9.8) in Adobe Acrobat and Reader, addressed in Adobe Security Bulletin APSB08-07 (February 2008). The NVD description characterizes it as an "unspecified vulnerability described as a design flaw" that allows a specially crafted PDF to be "printed silently an arbitrary number of times." The CVSS 9.8 critical score, with no authentication and no user interaction required, is unusually high given the described behavior. It reflects that APSB08-07 addressed the vulnerability as part of a broader set of security fixes in that release; the full severity of the underlying issue may not have been completely disclosed. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in June 2022.

Affected Versions

| Product | Vulnerable | Fixed |
| --- | --- | --- |
| Adobe Reader 7.x before 7.1.0 | Affected | Upgrade to 7.1.0 or apply APSB08-07 |
| Adobe Reader 8.x before 8.1.2 | Affected | Upgrade to 8.1.2 |
| Adobe Acrobat 7.x before 7.1.0 | Affected | Upgrade to 7.1.0 or apply APSB08-07 |
| Adobe Acrobat 8.x before 8.1.2 | Affected | Upgrade to 8.1.2 |

Note: Adobe Acrobat and Reader versions prior to version 11 (Acrobat XI / Reader XI) are end-of-life and no longer receive security updates.

Technical Details

The NVD description of CVE-2008-0655 is notably vague: "an unspecified vulnerability, related to a design flaw, allows a specially crafted file to be printed silently an arbitrary number of times." This type of description — "unspecified" and "design flaw" — was used in this era when the full details of a vulnerability were not publicly disclosed by the vendor.

The described behavior — silent printing of a PDF an arbitrary number of times without user interaction — represents a design flaw in the PDF specification's print-related JavaScript APIs. The PDF format supports JavaScript methods that can trigger print operations. In the vulnerable versions, crafted PDF JavaScript could invoke print operations without the normal user confirmation dialogs, enabling:

  • Resource exhaustion: Causing printers to be flooded with print jobs (availability impact)
  • Information disclosure: Silently printing sensitive document content to network printers accessible to the attacker
  • Security bypass: Bypassing expected user-interaction gates for sensitive actions

The CRITICAL CVSS score of 9.8 with no user interaction likely reflects that the vulnerability could be triggered by a PDF opened in a browser context (via the Reader browser plugin) where the mere act of visiting a page loading a PDF could trigger exploitation without any additional user gesture — fitting the AV:N/UI:N scoring criteria.
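
Because the behavior described above depends on JavaScript embedded in the document, a defender can triage incoming PDFs for script keys, auto-run action keys and print calls before they reach a viewer. The Python below is an added example, not code from Adobe, NVD or this page; the function names, verdict labels and sample fragments are assumptions constructed for illustration.

```python
import re
import zlib

# A PDF name can hide characters as #xx escapes: /J#61vaScript is /JavaScript.
NAME = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
PRINT_CALL = re.compile(rb"\bprint\s*\\?\(")  # also matches the escaped form print\(
SCRIPT_KEYS = {b"JS", b"JavaScript"}  # keys that carry or declare script
AUTO_KEYS = {b"OpenAction", b"AA"}    # keys that run an action without a click

def decoded_names(blob):
    """Return the set of name tokens in blob with #xx escapes resolved."""
    return {HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), n)
            for n in NAME.findall(blob)}

def blobs(data):
    """Yield the raw file, then every stream body that inflates as zlib data."""
    yield data
    for match in STREAM.finditer(data):
        try:
            inflated = zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # other filters and encrypted streams are not inspected
        yield inflated

def triage(data):
    """Classify a PDF as 'clean', 'script', 'auto-script' or 'auto-print'."""
    names, print_seen = set(), False
    for blob in blobs(data):
        names |= decoded_names(blob)
        print_seen = print_seen or bool(PRINT_CALL.search(blob))
    script = bool(names & SCRIPT_KEYS)
    auto = bool(names & AUTO_KEYS)
    if script and auto and print_seen:
        return "auto-print"
    if script and auto:
        return "auto-script"
    return "script" if script else "clean"

# Constructed fragments (not real documents): one plain catalog, and one whose
# script key is hex-escaped and whose script body sits in a Flate stream.
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /S /J#61vaScript /JS 4 0 R >>\nendobj\n"
            b"4 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + zlib.compress(b"this.print();") + b"\nendstream\nendobj\n")
```

Any verdict other than 'clean' is a reason to inspect or sandbox the file rather than proof of malice, and a 'clean' verdict says nothing about encrypted documents or streams using filters other than Flate.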

Discovery

The vulnerability was reported to Adobe and addressed in the February 2008 APSB08-07 security bulletin, which was released simultaneously with APSB08-13 (which addressed the separate util.printf() buffer overflow CVE-2007-5659). The confluence of multiple Adobe Reader security issues in February 2008 reflected the intense scrutiny the product was receiving from the security research community during this period.

Exploitation Context

The context for this vulnerability sits within the broader pattern of Adobe Reader exploitation in the 2007–2012 period:

  • Silent print as attack primitive: A PDF that could silently print to any accessible network printer could be used to exfiltrate sensitive document content by printing to a printer under attacker control, or to cause denial-of-service against printing infrastructure
  • Drive-by delivery: The no-user-interaction CVSS metrics indicate the vulnerability could be triggered via browser-embedded PDF rendering, making it usable in drive-by campaigns against websites with embedded PDFs
  • Reader plugin attack surface: Adobe Reader's browser plugin (NPAPI/ActiveX) was a common attack vector in this era — visiting a website with an embedded PDF triggered Reader code execution automatically, without the user explicitly opening a file
  • Combined with other Reader exploits: Attackers in this period frequently chained multiple PDF vulnerabilities, using Reader exploits in combination to achieve reliable code execution

Remediation

  1. Apply APSB08-07: Upgrade Adobe Reader and Acrobat to version 8.1.2 (for 8.x) or 7.1.0 (for 7.x) as specified in the security bulletin.
  2. Upgrade to a current, supported version: Adobe Reader and Acrobat 7.x and 8.x are long past end-of-life. Upgrade to Adobe Acrobat Reader DC (current version), which receives ongoing security patches.
  3. Disable the Reader browser plugin: Remove or disable the Acrobat/Reader browser plugin (NPAPI or ActiveX) to prevent drive-by exploitation via browser-embedded PDFs. Use the browser's native PDF renderer instead.
  4. Disable JavaScript in Adobe Reader: Go to Edit > Preferences > JavaScript and uncheck "Enable Acrobat JavaScript" to prevent JavaScript-based PDF exploits including print-based attacks.
  5. Replace Adobe Reader: For environments that do not need Adobe-specific PDF features, replace Reader with a lightweight PDF viewer that does not support JavaScript execution.

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2008-0655 |
| Vendor / Product | Adobe — Acrobat and Reader |
| NVD Published | 2008-02-07 |
| NVD Last Modified | 2025-11-12 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CISA KEV Added | 2022-06-08 |
| CISA KEV Deadline | 2022-06-22 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2022-06-22. Apply updates per vendor instructions.

Timeline

| Date | Event |
| --- | --- |
| 2008-02-07 | Adobe released Security Bulletin APSB08-07, patching multiple Acrobat and Reader vulnerabilities; CVE-2008-0655 published |
| 2022-06-08 | CISA added to KEV alongside other legacy Adobe Reader vulnerabilities |
| 2022-06-22 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
| --- | --- |
| NVD — CVE-2008-0655 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Adobe Security Bulletin APSB08-07 | Vendor Advisory |