CVE-2013-2729 — Adobe Reader and Acrobat Arbitrary Integer Overflow Vulnerability

Adobe Reader and Acrobat — BMP Image Parsing Integer Overflow Enables Remote Code Execution via Crafted PDF

What is Adobe Reader?

Adobe Reader (and Acrobat) is the world's most widely used PDF viewer and editor. PDF documents support embedded raster images in multiple formats including BMP (Windows Bitmap). Reader parses these embedded images as part of rendering document content. BMP is a particularly complex format with multiple header versions and various color depth and compression options — and Adobe Reader's BMP parser has historically been a source of memory safety vulnerabilities.

Overview

CVE-2013-2729 is an integer overflow vulnerability (CWE-190) in Adobe Reader and Acrobat's BMP image parser. When Reader processes a PDF document containing a specially crafted embedded BMP image, an integer overflow in the size or dimension handling allows memory corruption, enabling arbitrary code execution. Adobe patched this vulnerability in APSB13-15 with Reader XI 11.0.3 and Reader X 10.1.7.

Affected Versions

Product                  Vulnerable Versions    Fixed Version
Adobe Reader XI (11.x)   11.0.02 and earlier    11.0.03
Adobe Reader X (10.x)    10.1.6 and earlier     10.1.7
Adobe Reader 9.x         9.5.4 and earlier      9.5.5
Adobe Acrobat XI (11.x)  11.0.02 and earlier    11.0.03
Adobe Acrobat X (10.x)   10.1.6 and earlier     10.1.7

Technical Details

BMP image parsing involves reading multiple header fields — image width, height, color depth, and optionally row/stride size — and using them to allocate and populate pixel data buffers. Integer overflow vulnerabilities in BMP parsers typically arise when:

  1. Width × height × bytes-per-pixel is computed to determine buffer size
  2. For large values, this multiplication overflows a 32-bit integer, producing a small allocation size
  3. The actual pixel data is larger than the allocated buffer, causing a heap overflow when written

In CVE-2013-2729, a malicious PDF embedding a specially crafted BMP with extreme dimension values triggers this overflow path in Adobe Reader's image processing code. The resulting heap corruption can be leveraged for arbitrary code execution using heap grooming and ROP chain techniques common in PDF exploit development.
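The three-step pattern above is easiest to see in code. The following C program is an added illustration written for this page; it is not Adobe's parser and not taken from the advisory. It reads the dimension fields of a Windows BITMAPINFOHEADER (offsets from the public Windows layout), computes the pixel-buffer size once in unchecked 32-bit arithmetic, the way the text describes, and once with field validation, 64-bit arithmetic, an explicit overflow test and an allocation cap. The two sample headers and the 256 MiB cap are constructed assumptions, not values from any real file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Dimension fields of a Windows BITMAPINFOHEADER (40-byte DIB header).
 * Field names follow the documented Windows layout; the struct itself is
 * an illustration, not Adobe's internal representation. */
typedef struct {
    int32_t  biWidth;     /* pixels per row; negative is invalid */
    int32_t  biHeight;    /* rows; negative means top-down bitmap */
    uint16_t biBitCount;  /* bits per pixel */
} bmp_dims_t;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse the dimension fields out of a BITMAPINFOHEADER byte buffer.
 * Offsets: biSize@0, biWidth@4, biHeight@8, biPlanes@12, biBitCount@14. */
bool parse_bmp_dims(const uint8_t *hdr, size_t len, bmp_dims_t *out) {
    if (len < 40 || rd_le32(hdr) < 40) return false;   /* buffer or declared header too short */
    out->biWidth    = (int32_t)rd_le32(hdr + 4);
    out->biHeight   = (int32_t)rd_le32(hdr + 8);
    out->biBitCount = rd_le16(hdr + 14);
    return true;
}

/* The unchecked pattern the text describes: width * height * bytes-per-pixel
 * evaluated in 32-bit arithmetic. Large dimensions wrap around and yield a
 * small value, which a naive parser then passes to the allocator. */
uint32_t bmp_pixel_bytes_unchecked(const bmp_dims_t *d) {
    uint32_t h = (d->biHeight < 0) ? (uint32_t)(-(int64_t)d->biHeight) : (uint32_t)d->biHeight;
    return (uint32_t)d->biWidth * h * (uint32_t)(d->biBitCount / 8);   /* may wrap */
}

/* Hardened version: validates each field, computes the 4-byte-padded row
 * stride in 64-bit arithmetic, tests the stride*rows product for overflow,
 * and enforces an allocation cap (max_bytes is an assumed policy value). */
bool bmp_pixel_bytes_checked(const bmp_dims_t *d, size_t max_bytes, size_t *out) {
    if (d->biWidth <= 0 || d->biHeight == 0) return false;
    if (d->biBitCount != 8 && d->biBitCount != 24 && d->biBitCount != 32) return false;

    uint64_t w   = (uint64_t)d->biWidth;
    uint64_t h   = (uint64_t)(d->biHeight < 0 ? -(int64_t)d->biHeight : (int64_t)d->biHeight);
    uint64_t bpp = d->biBitCount / 8u;

    uint64_t stride = ((w * bpp) + 3) & ~(uint64_t)3;   /* w < 2^31 and bpp <= 4: cannot wrap in 64 bits */
    if (stride > UINT64_MAX / h) return false;           /* stride * h would wrap */
    uint64_t total = stride * h;
    if (total > max_bytes) return false;                 /* reject absurd images before allocating */

    *out = (size_t)total;
    return true;
}

/* Whole-header wrappers; 0 means the header was rejected. */
uint32_t unchecked_size_of(const uint8_t *hdr, size_t len) {
    bmp_dims_t d;
    return parse_bmp_dims(hdr, len, &d) ? bmp_pixel_bytes_unchecked(&d) : 0;
}
size_t checked_size_of(const uint8_t *hdr, size_t len, size_t cap) {
    bmp_dims_t d;
    size_t n = 0;
    if (!parse_bmp_dims(hdr, len, &d) || !bmp_pixel_bytes_checked(&d, cap, &n)) return 0;
    return n;
}

/* Constructed sample headers (not taken from any real file); trailing fields are zero. */
static const uint8_t benign_hdr[40] = { 40,0,0,0, 0x80,0x02,0,0, 0xE0,0x01,0,0, 1,0, 24,0 }; /* 640 x 480 x 24bpp */
static const uint8_t wrap_hdr[40]   = { 40,0,0,0, 0x00,0x80,0,0, 0x01,0x80,0,0, 1,0, 32,0 }; /* 32768 x 32769 x 32bpp */

int main(void) {
    size_t cap = (size_t)256u << 20;   /* assumed 256 MiB policy cap */
    printf("benign: unchecked=%u bytes, checked=%zu bytes\n",
           unchecked_size_of(benign_hdr, sizeof benign_hdr), checked_size_of(benign_hdr, sizeof benign_hdr, cap));
    printf("wrap:   unchecked=%u bytes, checked=%zu (0 = rejected)\n",
           unchecked_size_of(wrap_hdr, sizeof wrap_hdr), checked_size_of(wrap_hdr, sizeof wrap_hdr, cap));
    return 0;
}
```

For the 32768 x 32769 x 32bpp header the true pixel size is 4,295,098,368 bytes, but the 32-bit product wraps to 131,072, a 128 KiB allocation that the real pixel data would overrun by four gigabytes; the checked path rejects the same header at the cap test. The point for defenders reviewing image parsers is that both the per-field bounds and the product must be checked before the size reaches the allocator.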

Delivery mechanism: The attacker delivers a PDF containing the malicious BMP image. The victim opens the document in Reader; no further interaction is required once the document begins rendering. Delivery via email attachment, web download, or embedding in a web page is straightforward.

Discovery

Reported to Adobe and fixed as part of the May 2013 APSB13-15 security update, which addressed multiple vulnerabilities in Reader and Acrobat.

Exploitation Context

CISA confirmed exploitation in the wild. Adobe Reader vulnerabilities were a primary vector for targeted APT attacks and opportunistic malware delivery throughout 2012–2014. PDF documents are ubiquitous in enterprise environments and are generally trusted by recipients, making malicious PDFs an effective delivery vehicle. The high CVSS score reflects the full attack impact when combined with a sandbox escape.

Remediation

  1. Apply APSB13-15 — update to Reader XI 11.0.3 or Reader X 10.1.7
  2. Enable Adobe Reader's Protected Mode (sandbox) and Protected View for files from untrusted sources — these significantly raise the cost of exploit chains
  3. Enable automatic updates in Adobe Reader via the Preferences → Updater menu
  4. Deploy email security that scans PDF attachments in a sandbox before delivery
  5. Use application allowlisting to restrict which processes can be spawned by Adobe Reader (limits post-exploitation lateral movement)

Key Details

Property              Value
CVE ID                CVE-2013-2729
Vendor / Product      Adobe — Reader and Acrobat
NVD Published         2013-05-16
NVD Last Modified     2025-11-21
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-190
CISA KEV Added        2022-03-28
CISA KEV Deadline     2022-04-18
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-04-18. Apply updates per vendor instructions.

Timeline

Date        Event
2013-05-14  Adobe releases APSB13-15 patching multiple vulnerabilities including CVE-2013-2729 in Reader XI 11.0.3 and X 10.1.7
2013-05-16  CVE-2013-2729 published
2022-03-28  Added to CISA Known Exploited Vulnerabilities catalog
2022-04-18  CISA BOD 22-01 remediation deadline

References

Resource                           Type
NVD — CVE-2013-2729                Vulnerability Database
CISA KEV Catalog Entry             US Government
Adobe Security Bulletin APSB13-15  Vendor Advisory