Adobe Remediates Acrobat and Reader Vulnerabilities
News, overnight, of the large number of vulnerabilities now remediated in Adobe Systems, Inc.’s (NasdaqGS: ADBE) Acrobat and Reader PDF authoring, workflow and reading applications. With twenty-nine discreet patches, the company seems to have lifted itself from the dubious honor of tardy security patch releases. The MITRE CVEs related to these patches are CVE-2007-0048, CVE-2007-0045, CVE-2009-2564, CVE-2009-2979, CVE-2009-2980, CVE-2009-2981, CVE-2009-2982, CVE-2009-2983, CVE-2009-2984, CVE-2009-2985, CVE-2009-2986, CVE-2009-2987, CVE-2009-2988, CVE-2009-2989, CVE-2009-2990, CVE-2009-2991, CVE-2009-2992, CVE-2009-2993, CVE-2009-2994, CVE-2009-2995, CVE-2009-2996, CVE-2009-2997, CVE-2009-2998, CVE-2009-3431, CVE-2009-3458, CVE-2009-3459, CVE-2009-3460, CVE-2009-3461, CVE-2009-3462. More information, including linkage, and a short snippet from the original post at HeiseSecurity appears after the jump.
From HeieseSecurity: “Adobe closes 29 vulnerabilities in Acrobat and Reader“
“Adobe has released updates for its Acrobat and Reader products, closing 29 security vulnerabilities. The updates include a previously reported critical hole that is already being exploited by attackers. According to Adobe, version 9.1.3 and 8.1.6 of Acrobat and Reader for Windows, Macintosh and UNIX and version 7.1.3 of Acrobat and Reader for Windows and Macintosh are affected. Adobe Reader and Acrobat 9.2, 8.17 and 7.14 address the vulnerabilities and are available now…”
Security Updates Available for Adobe Reader and Acrobat
Release date: October 13, 2009
Vulnerability identifier: APSB09-15
CVE number: CVE-2007-0048, CVE-2007-0045, CVE-2009-2564, CVE-2009-2979, CVE-2009-2980, CVE-2009-2981, CVE-2009-2982, CVE-2009-2983, CVE-2009-2984, CVE-2009-2985, CVE-2009-2986, CVE-2009-2987, CVE-2009-2988, CVE-2009-2989, CVE-2009-2990, CVE-2009-2991, CVE-2009-2992, CVE-2009-2993, CVE-2009-2994, CVE-2009-2995, CVE-2009-2996, CVE-2009-2997, CVE-2009-2998, CVE-2009-3431, CVE-2009-3458, CVE-2009-3459, CVE-2009-3460, CVE-2009-3461, CVE-2009-3462
Platform: All
Summary
Critical vulnerabilities have been identified in Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. This update represents the second quarterly security update for Adobe Reader and Acrobat.
Adobe recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2. Adobe recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates. Updates apply to all platforms: Windows, Macintosh and UNIX.
Affected software versions
Adobe Reader 9.1.3 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.1.3 and earlier versions for Windows and Macintosh
Solution
Adobe Reader
Adobe Reader users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.
Adobe Reader users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.
Adobe Reader users on UNIX can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.
Acrobat
Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.
Acrobat Pro Extended users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows
Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.
Severity rating
Adobe categorizes this as a critical update.
Details
Critical vulnerabilities have been identified in Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. This update represents the second quarterly security update for Adobe Reader and Acrobat.
Adobe recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2. Adobe recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates. Updates apply to all platforms: Windows, Macintosh and UNIX.
This update resolves a heap overflow vulnerability that could lead to code execution (CVE-2009-3459).
NOTE: There are reports that this issue is being exploited in the wild, via limited, targeted attacks.
This update resolves a memory corruption issue that could potentially lead to code execution (CVE-2009-2985).
This update resolves multiple heap overflow vulnerabilities that could potentially lead to code execution (CVE-2009-2986).
This update resolves an invalid array index issue that could potentially lead to code execution (CVE-2009-2990).
NOTE: this issue is resolved in the Adobe Reader and Acrobat 9.2 and 8.1.7 updates.
This update resolves a remote exploitation issue specific to the Mozilla plug-in that could potentially allow an attacker to execute arbitrary code with the privileges of the current user (CVE-2009-2991). NOTE: this issue is resolved in the Adobe Reader and Acrobat 8.1.7 updates.
This update resolves multiple input validation vulnerabilities that could potentially lead to code execution (CVE-2009-2993).
This update resolves a buffer overflow issue that could potentially lead to code execution (CVE-2009-2994).
This update resolves a heap overflow vulnerability that could potentially lead to code execution (CVE-2009-2997).
This update resolves an input validation issue that could potentially lead to code execution (CVE-2009-2998).
This update resolves an input validation issue that could potentially lead to code execution (CVE-2009-3458).
This update resolves a memory corruption issue that could potentially lead to code execution. This issue is specific to Acrobat and does not affect Adobe Reader. (CVE-2009-3460).NOTE: this issue is resolved in the Acrobat 9.2 and 8.1.7 updates.
This update resolves an integer overflow that could potentially lead to code execution. This issue is specific to Acrobat and does not affect Adobe Reader. (CVE-2009-2989).NOTE: this issue is resolved in the Acrobat 9.2 and 8.1.7 updates.
This update resolves a memory corruption issue that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible (CVE-2009-2983).NOTE: this issue is resolved in the Adobe Reader and Acrobat 9.2 and 8.1.7 updates.
This update resolves an integer overflow that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible (CVE-2009-2980).
This update resolves a memory corruption issue that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible (CVE-2009-2996).
This update resolves a Unix-only format bug when running in Debug mode that could lead to arbitrary code execution (CVE-2009-3462).
This update resolves an image decoder issue that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible. This issue is specific to Acrobat and does not affect Adobe Reader. (CVE-2009-2984).
NOTE: this issue is resolved in the Acrobat 9.2 update.
This update resolves an input validation issue that could potentially lead to a bypass of Trust Manager restrictions (CVE-2009-2981). This update resolves an issue that could allow a malicious user to bypass file extension security controls. This issue is specific to Acrobat 9.X. (CVE-2009-3461).
This update modifies a certificate that if compromised could potentially be used in a social engineering attack (CVE-2009-2982).NOTE: this issue is resolved in the Adobe Reader and Acrobat 9.2 and 8.1.7 updates.
This update resolves a stack overflow issue that could potentially lead to a Denial of Service (DoS) attack (CVE-2009-3431).NOTE: this issue is resolved in the Adobe Reader and Acrobat 9.2 and 8.1.7 updates.
This update resolves a XMP-XML entity expansion issue that could lead to a Denial of Service (DoS) attack (CVE-2009-2979).NOTE: this issue is resolved in the Adobe Reader and Acrobat 9.2 and 8.1.7 updates.
This update resolves a remote denial of service issue in the ActiveX control specific to the Windows OS (CVE-2009-2987).
This update resolves an input validation issue that could lead to a Denial of Service (DoS) issue (CVE-2009-2988).
This update resolves an input validation issue specific to the ActiveX control that could lead to a Denial of Service (DoS) attack (CVE-2009-2992).NOTE: this issue is resolved in the Adobe Reader and Acrobat 9.2 and 8.1.7 updates.
This update resolves an integer overflow in that leads to a Denial of Service (DoS). This issue is specific to Acrobat and does not affect Adobe Reader. (CVE-2009-2995).
(CVE-2009-2564).
This update resolves a cross-site scripting issue when the browser plugin is used with Google Chrome and Opera browsers (CVE-2007-0048, CVE-2007-0045)
Acknowledgments
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers’ security:
- Michael Schmidt of Compass Security (http://www.csnc.ch) (CVE-2007-0048, CVE-2007-0045)
- Didier Stevens (CVE-2009-2979)
- Drew Yao of Apple Product Security (http://www.apple.com/support/security/) (CVE-2009-2980)
- Stefano Di Paola of Minded Security (http://www.mindedsecurity.com/) (CVE-2009-2981)
- Guillaume Delugré and Frédéric Raynal of SOGETI ESEC (http://esec.fr.sogeti.com/) (CVE-2009-2982, CVE-2009-3461, CVE-2009-3462)
- SkyLined of Google Inc. (http://skypher.com/SkyLined) (CVE-2009-2983)
- Tavis Ormandy, Google Security Team (http://www.google.com/corporate/security.html) (CVE-2009-2984)
- An anonymous researcher reported through TippingPoint’s Zero Day Initiative (http://www.zerodayinitiative.com/) (CVE-2009-2985)
- Will Dormann, CERT (http://www.cert.org/) (CVE-2009-2986)
- Zhenhua Liu and Xiaopeng Zhang of Fortinet’s FortiGuard Global Security Research Team (http://www.fortiguardcenter.com) (CVE-2009-2987, CVE-2009-2988, CVE-2009-2996)
- Tielei Wang from ICST-ERCIS (Engineering Research Center of Info Security, Institute of Computer Science & Technology, Peking University / China) (CVE-2009-2989, CVE-2009-2995)
- Dionysus Blazakis through iDefense’s Vulnerability Contributor Program (http://www.idefense.com/vcp/) (CVE-2009-2990)
- Elazar Broad through iDefense’s Vulnerability Contributor Program (http://www.idefense.com/vcp/) (CVE-2009-2991)
- David Soldera of Next Generation Security Software (http://www.ngssoftware.com/) (CVE-2009-2992)
- IOActive (http://www.ioactive.com/) (CVE-2009-2993)
- Felipe Andres Manzano through the iSIGHT Partners GVP (https://gvp.isightpartners.com) (CVE-2009-2994)
- Nicolas Joly of VUPEN Security (http://www.vupen.com ) (CVE-2009-2997, CVE-2009-2998, CVE-2009-3458)
- Chia-Ching Fang of the Information and Communication Security Technology Center (http://www.icst.org.tw) (CVE-2009-3459)
- Haifei Li of Fortinet’s FortiGuard Global Security Research Team (http://www.fortiguardcenter.com/) (CVE-2009-3460)
