CVE-2013-0641 — Adobe Reader Buffer Overflow Vulnerability

CVE-2013-0641

Adobe Reader — Buffer Overflow Used as Second Stage to Escape Reader Protected Mode Sandbox in CVE-2013-0640 Chain

What is Adobe Reader?

Adobe Reader is the world's most widely used PDF viewer. Reader XI introduced Protected Mode — a sandbox that runs the Reader rendering process in a highly restricted context, limiting what actions it can take even if exploited. Breaking out of this sandbox requires a second vulnerability specifically targeting the sandbox boundary, making two-stage exploit chains targeting both Reader itself and its sandbox the most dangerous class of Reader attack.

Overview

CVE-2013-0641 is a buffer overflow vulnerability (CWE-120) in Adobe Reader that was exploited as the second stage of a two-vulnerability zero-day chain paired with CVE-2013-0640. While CVE-2013-0640 provides initial code execution inside the sandboxed Reader process, CVE-2013-0641 is the sandbox escape — the buffer overflow occurs in a Reader component involved in communication with the sandbox broker process, allowing escape from Reader's Protected Mode into the full user context.

Adobe released emergency patch APSB13-07 on February 13, 2013, fixing both zero-days simultaneously.

Affected Versions

| Product | Vulnerable Versions | Fixed Version |
| --- | --- | --- |
| Adobe Reader XI (11.x) | 11.0.01 and earlier | 11.0.02 |
| Adobe Reader X (10.x) | 10.1.5 and earlier | 10.1.6 |
| Adobe Acrobat XI (11.x) | 11.0.01 and earlier | 11.0.02 |
| Adobe Acrobat X (10.x) | 10.1.5 and earlier | 10.1.6 |
| Adobe Reader 9.x | 9.5.3 and earlier | 9.5.4 |

Technical Details

Reader's Protected Mode sandbox works by running the Reader rendering process with highly restricted OS privileges and using an IPC (inter-process communication) channel to communicate with a broker process that has normal user privileges. The sandbox escape in CVE-2013-0641 exploits a buffer overflow (CWE-120) in how this IPC communication is handled — the code that processes certain IPC messages in the broker process does not properly validate message size, leading to a classic buffer overflow that redirects execution in the broker (unsandboxed) process.
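
The class of defect described above, shown as an added example that is not Adobe's code: a broker-side parser that trusts a length field supplied by the sandboxed process, next to a version that validates it. The wire format, function names and return codes are hypothetical and constructed for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical wire format (constructed for this example, not Adobe's):
 * [u16 opcode][u32 payload_len][payload bytes], little-endian. */
#define HDR_LEN     6u
#define MAX_PAYLOAD 256u

typedef struct { uint16_t opcode; uint32_t len; uint8_t payload[MAX_PAYLOAD]; } broker_msg;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* CWE-120 pattern: the length field written by the sandboxed side is trusted. */
int parse_unchecked(const uint8_t *buf, size_t n, broker_msg *out) {
    (void)n;                                        /* received size is never consulted */
    out->opcode = (uint16_t)(buf[0] | (buf[1] << 8));
    out->len = rd32(buf + 2);
    memcpy(out->payload, buf + HDR_LEN, out->len);  /* len may exceed MAX_PAYLOAD */
    return 0;
}

/* Hardened: the claimed size is checked against the destination buffer and
 * against the number of bytes actually received before any copy happens. */
int parse_checked(const uint8_t *buf, size_t n, broker_msg *out) {
    if (buf == NULL || out == NULL || n < HDR_LEN) return -1;  /* truncated header */
    uint32_t len = rd32(buf + 2);
    if (len > MAX_PAYLOAD) return -2;               /* would overflow out->payload */
    if (len > n - HDR_LEN) return -3;               /* claims more than was received */
    out->opcode = (uint16_t)(buf[0] | (buf[1] << 8));
    out->len = len;
    memcpy(out->payload, buf + HDR_LEN, len);
    return 0;
}

/* Constructed sample: builds a message whose header claims `claimed` payload
 * bytes, hands the parser `received` total bytes, and returns its verdict. */
int demo_case(uint32_t claimed, size_t received) {
    uint8_t wire[HDR_LEN + MAX_PAYLOAD] = {0x01, 0x00};
    broker_msg m;
    wire[2] = (uint8_t)claimed;         wire[3] = (uint8_t)(claimed >> 8);
    wire[4] = (uint8_t)(claimed >> 16); wire[5] = (uint8_t)(claimed >> 24);
    return parse_checked(wire, received, &m);
}
```

A broker treats every field arriving over the IPC channel as attacker-controlled, because the sender is by design the process most likely to be compromised.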

Why this chain was historically significant:

  • It was the first publicly known exploit to successfully chain a Reader vulnerability with a Protected Mode sandbox escape in the wild
  • It demonstrated that Reader's sandbox, while raising the attack cost, was not an insurmountable barrier for sophisticated actors
  • It prompted Adobe to accelerate sandbox hardening in subsequent Reader releases

Discovery

CVE-2013-0641 was discovered and reported as part of the same zero-day chain as CVE-2013-0640, through analysis of malicious PDFs found in active targeted attack campaigns.

Exploitation Context

CVE-2013-0641 was never exploited independently — it was always used as the second stage of the CVE-2013-0640 + CVE-2013-0641 chain to escape Reader's Protected Mode sandbox after initial code execution was achieved. The two-stage attack chain was used in precision spear-phishing campaigns against specific organizations, indicating sophisticated threat actors with the capability to develop and deploy two simultaneous zero-days against a hardened target.

Remediation

  1. Apply APSB13-07 — Reader XI 11.0.02, Reader X 10.1.6
  2. Keep Adobe Reader and Acrobat updated through automatic updates
  3. Enable Protected Mode and Protected View in Reader settings — while these were bypassed by this specific chain, they remain effective against the vast majority of PDF exploits
  4. Deploy email security that scans PDF attachments in a sandbox before delivery to end users
  5. Apply OS-level mitigations (ASLR, DEP, Control Flow Guard on Windows 8.1+) — these raise the cost of IPC broker process exploitation

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2013-0641 |
| Vendor / Product | Adobe — Reader |
| NVD Published | 2013-02-14 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-120 |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

| Date | Event |
| --- | --- |
| 2013-02 | Zero-day exploitation observed — chained with CVE-2013-0640 for full Reader sandbox escape |
| 2013-02-13 | Adobe releases emergency APSB13-07 patching both CVE-2013-0640 and CVE-2013-0641 |
| 2013-02-14 | CVE-2013-0641 published |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
| --- | --- |
| NVD — CVE-2013-0641 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Adobe Security Bulletin APSB13-07 | Vendor Advisory |