CVE-2013-0640 — Adobe Reader and Acrobat Memory Corruption Vulnerability

Adobe Reader and Acrobat — acroform.dll Memory Corruption Zero-Day Chained With CVE-2013-0641 to Escape Sandbox

What is Adobe Reader and Acrobat?

Adobe Reader and Acrobat are the dominant PDF applications, installed on virtually every enterprise workstation. Reader XI introduced an enhanced Protected Mode sandbox — a security boundary designed to contain the impact of Reader vulnerabilities. A vulnerability that achieves code execution inside Reader is dangerous; a vulnerability that also escapes the sandbox is catastrophic, as it enables persistent malware installation outside Reader's containment zone.

Overview

CVE-2013-0640 is a memory corruption vulnerability (CWE-787: out-of-bounds write) in the AcroForm handling component (acroform.dll) of Adobe Reader and Acrobat. This vulnerability was exploited as a zero-day in February 2013, chained together with CVE-2013-0641 (a buffer overflow), to achieve code execution followed by sandbox escape. The combination allowed attackers to fully compromise the target system — bypassing both Reader's memory corruption mitigations and its Protected Mode sandbox.

Adobe released emergency out-of-band patch APSB13-07 on February 13, 2013.

Affected Versions

| Product | Vulnerable Versions | Fixed Version |
| --- | --- | --- |
| Adobe Reader XI (11.x) | 11.0.01 and earlier | 11.0.02 |
| Adobe Reader X (10.x) | 10.1.5 and earlier | 10.1.6 |
| Adobe Acrobat XI (11.x) | 11.0.01 and earlier | 11.0.02 |
| Adobe Acrobat X (10.x) | 10.1.5 and earlier | 10.1.6 |
| Adobe Reader 9.x | 9.5.3 and earlier | 9.5.4 |

Technical Details

The vulnerability is in acroform.dll, the component responsible for PDF AcroForm (interactive form) processing including form JavaScript. An out-of-bounds write (CWE-787) occurs when processing a malformed AcroForm element — the parser writes beyond the allocated buffer, corrupting heap memory in a way that can be leveraged for code execution.
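
An added example, not part of the original advisory or any Adobe tooling: a static pre-filter that reports whether a PDF declares an AcroForm and form JavaScript, the input that the paragraph above says acroform.dll processes. It flags the feature, not this vulnerability, and it cannot see objects packed inside compressed object streams; the verdict labels and sample bytes are constructed for illustration.

```python
import re
from collections import Counter

# PDF name tokens may hex-escape any character as #XX (e.g. /Acro#46orm),
# so every name is decoded before it is compared.
_NAME = re.compile(rb"/((?:[A-Za-z0-9_.\-]|#[0-9A-Fa-f]{2})+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
WATCHED = ("AcroForm", "JavaScript", "JS")


def decode_name(raw: bytes) -> str:
    """Undo #XX escapes in a PDF name token."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Classify a file by the form-related names visible in its raw bytes."""
    if b"%PDF-" not in data[:1024]:
        return {"verdict": "not-pdf", "hits": {}}
    names = Counter(decode_name(m.group(1)) for m in _NAME.finditer(data))
    hits = {key: names[key] for key in WATCHED}
    if hits["AcroForm"] and (hits["JavaScript"] or hits["JS"]):
        verdict = "acroform+javascript"   # route to detonation / manual review
    elif hits["AcroForm"]:
        verdict = "acroform"
    elif names["ObjStm"]:
        verdict = "inconclusive"          # a form may hide in an object stream
    else:
        verdict = "no-acroform"
    return {"verdict": verdict, "hits": hits}


# Constructed sample inputs (not taken from any real document).
SAMPLE_FORM = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Acro#46orm 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n%%EOF"
)
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF"

if __name__ == "__main__":
    for label, blob in (("form", SAMPLE_FORM), ("plain", SAMPLE_PLAIN)):
        print(label, triage_pdf(blob))
```
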

The CVE-2013-0640 + CVE-2013-0641 chain:

  • CVE-2013-0640 (this vulnerability) provides the initial code execution inside the Reader process
  • CVE-2013-0641 (buffer overflow) is then used as a second stage to escape the Protected Mode sandbox

This two-stage exploit chain was specifically designed to defeat Reader's sandbox architecture. The fact that attackers possessed both a Reader exploit and a Reader sandbox escape simultaneously suggests a well-resourced, sophisticated threat actor.

Discovery

The zero-day chain was discovered through analysis of malicious PDF files circulating in targeted attack campaigns in February 2013. Researchers at FireEye and other firms identified the novel exploit chain and reported to Adobe, prompting the emergency APSB13-07 response.

Exploitation Context

This zero-day chain was used in targeted spear-phishing attacks against specific organizations — recipients received PDF documents containing the exploit, and successful exploitation resulted in a full system compromise bypassing Reader's sandbox. The sophistication of the two-CVE chained exploit indicates nation-state or highly capable criminal actors. This attack demonstrated that even Reader's Protected Mode sandbox — widely regarded as a significant security advancement — was not bulletproof when attackers possessed a dedicated sandbox escape.

Remediation

  1. Apply APSB13-07 immediately — Reader XI 11.0.02, Reader X 10.1.6
  2. Keep Adobe Reader and Acrobat on the latest version through automatic updates
  3. Enable Enhanced Security and Protected Mode in Reader settings — while this sandbox was escapable via CVE-2013-0641, it still raises the attack bar and limits impact of most other Reader exploits
  4. Configure email security gateways to sandbox-execute PDF attachments before delivery
  5. Consider alternative PDF viewers (Microsoft Edge's built-in PDF viewer, or Foxit Reader) in high-risk environments to reduce the impact of Adobe Reader-specific exploits
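
An added example, not part of the original advisory: a patch-level audit that compares inventoried Reader and Acrobat versions against the fixed versions in the Affected Versions table. The CSV column names, host names and status labels are assumptions made for illustration; branches the table does not list are reported as such rather than guessed.

```python
import csv
import io

# First fixed version per (product, major branch), from the Affected Versions table.
FIXED = {
    ("reader", 11): (11, 0, 2),
    ("acrobat", 11): (11, 0, 2),
    ("reader", 10): (10, 1, 6),
    ("acrobat", 10): (10, 1, 6),
    ("reader", 9): (9, 5, 4),
}


def parse_version(text):
    """'11.0.01' -> (11, 0, 1); components compare as numbers, not strings."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def classify(product, version):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unparseable'."""
    try:
        ver = parse_version(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED.get((product.strip().lower(), ver[0]))
    if fixed is None:
        return "not-listed"  # branch absent from the advisory table
    return "vulnerable" if ver < fixed else "fixed"


def audit(inventory_csv):
    """Map host -> status for CSV rows of host,product,version."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["version"]) for r in rows}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """host,product,version
ws-01,Reader,11.0.01
ws-02,Reader,11.0.02
ws-03,Acrobat,10.1.16
ws-04,Reader,9.5.3
ws-05,Acrobat,9.5.2
ws-06,Reader,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(host, status)
```
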

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2013-0640 |
| Vendor / Product | Adobe — Reader and Acrobat |
| NVD Published | 2013-02-14 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

| Date | Event |
| --- | --- |
| 2013-02 | Zero-day exploitation observed — malicious PDFs chaining CVE-2013-0640 and CVE-2013-0641 in targeted attacks |
| 2013-02-13 | Adobe releases emergency APSB13-07 (Reader XI 11.0.02, Reader X 10.1.6) patching both zero-days |
| 2013-02-14 | CVE-2013-0640 published |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
| --- | --- |
| NVD — CVE-2013-0640 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Adobe Security Bulletin APSB13-07 | Vendor Advisory |