Security Updates available for Adobe Reader and Acrobat
Release date: May 12, 2015
Vulnerability identifier: APSB15-10
Priority: See table below
CVE Numbers: CVE-2014-8452, CVE-2014-9160, CVE-2014-9161, CVE-2015-3046, CVE-2015-3047, CVE-2015-3048, CVE-2015-3049, CVE-2015-3050, CVE-2015-3051, CVE-2015-3052, CVE-2015-3053, CVE-2015-3054, CVE-2015-3055, CVE-2015-3056, CVE-2015-3057, CVE-2015-3058, CVE-2015-3059, CVE-2015-3060, CVE-2015-3061, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3070, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3074, CVE-2015-3075, CVE-2015-3076
Platform: Windows and Macintosh
Summary
Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address vulnerabilities that could potentially allow an attacker to take over the affected system. Adobe recommends users update their product installations to the latest versions:
Users of Adobe Reader XI (11.0.10) and earlier versions should update to version 11.0.11.
Users of Adobe Reader X (10.1.13) and earlier versions should update to version 10.1.14.
Users of Adobe Acrobat XI (11.0.10) and earlier versions should update to version 11.0.11.
Users of Adobe Acrobat X (10.1.13) and earlier versions should update to version 10.1.14.
Affected software versions
Adobe Reader XI (11.0.10) and earlier 11.x versions
Adobe Reader X (10.1.13) and earlier 10.x versions
Adobe Acrobat XI (11.0.10) and earlier 11.x versions
Adobe Acrobat X (10.1.13) and earlier 10.x versions
Note: Adobe Acrobat Reader is not affected by the CVEs referenced in this bulletin.
Solution
Adobe recommends users update their software installations by following the instructions below:
Adobe Reader
The product's default update mechanism is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
Adobe Reader users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
Adobe Reader users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
Adobe Acrobat
The product's default update mechanism is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
Acrobat Standard and Pro users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Acrobat Pro users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
Priority and severity ratings
Adobe categorizes these updates with the following priority ratings and recommends users update their installations to the newest versions:
Product       | Updated Version | Platform              | Priority rating
Adobe Reader  | 11.0.11         | Windows and Macintosh | 1
Adobe Reader  | 10.1.14         | Windows and Macintosh | 1
Adobe Acrobat | 11.0.11         | Windows and Macintosh | 1
Adobe Acrobat | 10.1.14         | Windows and Macintosh | 1
These updates address critical vulnerabilities in the software.
Details
Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address vulnerabilities that could potentially allow an attacker to take over the affected system. Adobe recommends users update their product installations to the latest versions:
Users of Adobe Reader XI (11.0.10) and earlier versions should update to version 11.0.11.
Users of Adobe Reader X (10.1.13) and earlier versions should update to version 10.1.14.
Users of Adobe Acrobat XI (11.0.10) and earlier versions should update to version 11.0.11.
Users of Adobe Acrobat X (10.1.13) and earlier versions should update to version 10.1.14.
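The version guidance above is branch-scoped: 11.x installs are fixed at 11.0.11, 10.x installs at 10.1.14, and any other branch is simply not covered by this bulletin. The following checker, added here as an illustration and not part of Adobe's bulletin, encodes those rules so they can be applied to an asset inventory; the hostnames and version strings in it are constructed sample data.

```python
"""Classify installed Adobe Reader / Acrobat versions against APSB15-10.

Encodes the fixed versions the bulletin states: the 11.x branch is fixed
in 11.0.11 and the 10.x branch in 10.1.14, for both Reader and Acrobat
on Windows and Macintosh.
"""
from typing import Dict, Tuple

# Fixed version per affected major branch, taken from the bulletin text.
APSB15_10_FIXED: Dict[int, Tuple[int, ...]] = {
    11: (11, 0, 11),
    10: (10, 1, 14),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '11.0.10' into a comparable tuple.

    Trailing build components (e.g. '11.0.10.12') are kept, so a build of
    11.0.10 still compares lower than the fixed release 11.0.11.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def apsb15_10_status(installed: str) -> str:
    """Return 'affected', 'fixed' or 'not covered' for one installed version.

    'not covered' means the major branch is not one the bulletin lists
    (for example an end-of-life 9.x install or a later product line), so
    this bulletin alone says nothing about it and it needs separate review.
    """
    version = parse_version(installed)
    fixed = APSB15_10_FIXED.get(version[0])
    if fixed is None:
        return "not covered"
    return "fixed" if version >= fixed else "affected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a {hostname: installed_version} inventory."""
    return {host: apsb15_10_status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real data).
    sample = {"ws-01": "11.0.10", "ws-02": "11.0.11", "ws-03": "10.1.13",
              "ws-04": "10.1.14", "ws-05": "9.5.5", "ws-06": "11.0.10.12"}
    for host, status in triage(sample).items():
        print(f"{host}: {sample[host]} -> {status}")
```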
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-3053, CVE-2015-3054, CVE-2015-3055, CVE-2015-3059, CVE-2015-3075).
These updates resolve heap-based buffer overflow vulnerabilities that could lead to code execution (CVE-2014-9160).
These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2015-3048).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-9161, CVE-2015-3046, CVE-2015-3049, CVE-2015-3050, CVE-2015-3051, CVE-2015-3052, CVE-2015-3056, CVE-2015-3057, CVE-2015-3070, CVE-2015-3076).
These updates resolve a memory leak (CVE-2015-3058).
These updates resolve various methods to bypass restrictions on JavaScript API execution (CVE-2015-3060, CVE-2015-3061, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3074).
These updates resolve a null-pointer dereference issue that could lead to a denial-of-service condition (CVE-2015-3047).
These updates provide additional hardening to protect against CVE-2014-8452, a vulnerability in the handling of XML external entities that could lead to information disclosure.
Acknowledgements
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
AbdulAziz Hariri of HP Zero Day Initiative (CVE-2015-3053, CVE-2015-3055, CVE-2015-3057, CVE-2015-3058, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073)
Alex Inführ of Cure53.de (CVE-2014-8452, CVE-2015-3076)
Anonymously reported through Beyond Security's SecuriTeam Secure Disclosure (CVE-2015-3075)
bilou, working with HP Zero Day Initiative (CVE-2015-3059)
Brian Gorenc of HP Zero Day Initiative (CVE-2015-3054, CVE-2015-3056, CVE-2015-3061, CVE-2015-3063, CVE-2015-3064)
Dave Weinstein of HP Zero Day Initiative (CVE-2015-3069)
instruder of Alibaba Security Research Team (CVE-2015-3070)
lokihardt@asrt working with HP's Zero Day Initiative (CVE-2015-3074)
Mateusz Jurczyk of Google Project Zero (CVE-2015-3049, CVE-2015-3050, CVE-2015-3051, CVE-2015-3052)
Mateusz Jurczyk of Google Project Zero and Gynvael Coldwind of Google Security Team (CVE-2014-9160, CVE-2014-9161)
Simon Zuckerbraun working with HP Zero Day Initiative (CVE-2015-3060, CVE-2015-3062)
Wei Lei, as well as Wu Hongjun and Wang Jing of Nanyang Technological University (CVE-2015-3047)
Wei Lei, as well as Wu Hongjun of Nanyang Technological University (CVE-2015-3046)
Xiaoning Li of Intel Labs and Haifei Li of McAfee Labs IPS Team (CVE-2015-3048)