Security Updates available for Adobe Reader and Acrobat

Release date: May 12, 2015

Vulnerability identifier: APSB15-10

Priority: See table below

CVE Numbers: CVE-2014-8452, CVE-2014-9160, CVE-2014-9161, CVE-2015-3046, CVE-2015-3047, CVE-2015-3048, CVE-2015-3049, CVE-2015-3050, CVE-2015-3051, CVE-2015-3052, CVE-2015-3053, CVE-2015-3054, CVE-2015-3055, CVE-2015-3056, CVE-2015-3057, CVE-2015-3058, CVE-2015-3059, CVE-2015-3060, CVE-2015-3061, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3070, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3074, CVE-2015-3075, CVE-2015-3076

Platform: Windows and Macintosh

Summary

Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address vulnerabilities that could potentially allow an attacker to take over the affected system. Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Reader XI (11.0.10) and earlier versions should update to version 11.0.11. 

  • Users of Adobe Reader X (10.1.13) and earlier versions should update to version 10.1.14. 

  • Users of Adobe Acrobat XI (11.0.10) and earlier versions should update to version 11.0.11. 

  • Users of Adobe Acrobat X (10.1.13) and earlier versions should update to version 10.1.14.

Affected software versions

  • Adobe Reader XI (11.0.10) and earlier 11.x versions 

  • Adobe Reader X (10.1.13) and earlier 10.x versions  

  • Adobe Acrobat XI (11.0.10) and earlier 11.x versions  

  • Adobe Acrobat X (10.1.13) and earlier 10.x versions 

Note: Adobe Acrobat Reader DC is not affected by the CVEs referenced in this bulletin.
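To turn the version list above into something an administrator can run against an endpoint inventory, the following added example (not code from the bulletin or from Adobe) classifies each installation as affected, patched, or outside this bulletin's scope. The fixed versions 11.0.11 and 10.1.14 come from the bulletin; the inventory rows and the "host,product,version" format are constructed for illustration.

```python
"""Check an endpoint inventory against the APSB15-10 fixed versions."""
from typing import Optional, Tuple

# Fixed versions per APSB15-10, keyed by the major version branch.
FIXED = {11: (11, 0, 11), 10: (10, 1, 14)}
# Products the bulletin rates; "Adobe Acrobat Reader DC" is stated as not affected.
BULLETIN_PRODUCTS = ("Adobe Reader", "Adobe Acrobat")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.0.10' into (11, 0, 10); tuples compare lexicographically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def assess(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version): 'affected', 'patched' or 'not-covered'."""
    if product not in BULLETIN_PRODUCTS:
        return "not-covered", None          # e.g. Acrobat Reader DC
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:                       # only 10.x and 11.x are rated here
        return "not-covered", None
    fixed_text = ".".join(str(n) for n in fixed)
    # '11.0' parses as (11, 0), which sorts below (11, 0, 11): still affected.
    return ("patched" if v >= fixed else "affected"), fixed_text


def report(inventory_csv: str):
    """Evaluate 'host,product,version' rows; return the affected hosts."""
    affected = []
    for line in inventory_csv.strip().splitlines():
        host, product, version = (f.strip() for f in line.split(","))
        status, fixed = assess(product, version)
        if status == "affected":
            affected.append((host, product, version, fixed))
    return affected


# Constructed sample inventory (hypothetical hosts, not from the bulletin).
SAMPLE = """
ws01,Adobe Reader,11.0.10
ws02,Adobe Reader,10.1.14
ws03,Adobe Acrobat,10.1.9
ws04,Adobe Acrobat Reader DC,2015.007.20033
ws05,Adobe Acrobat,11.0.11
"""

if __name__ == "__main__":
    for host, product, version, fixed in report(SAMPLE):
        print(f"{host}: {product} {version} -> update to {fixed}")
```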


Solution

Adobe recommends users update their software installations by following the instructions below:

Adobe Reader

The product's default update mechanism is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.

Adobe Reader users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

Adobe Reader users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh


Adobe Acrobat

The product's default update mechanism is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.

Acrobat Standard and Pro users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Acrobat Pro users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Priority and severity ratings

Adobe categorizes these updates with the following priority ratings and recommends users update their installations to the newest versions:

Product          Updated Version   Platform                 Priority rating
Adobe Reader     11.0.11           Windows and Macintosh    1
                 10.1.14           Windows and Macintosh    1
Adobe Acrobat    11.0.11           Windows and Macintosh    1
                 10.1.14           Windows and Macintosh    1

These updates address critical vulnerabilities in the software.

Details

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-3053, CVE-2015-3054, CVE-2015-3055, CVE-2015-3059, CVE-2015-3075).

These updates resolve heap-based buffer overflow vulnerabilities that could lead to code execution (CVE-2014-9160).

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2015-3048).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-9161, CVE-2015-3046, CVE-2015-3049, CVE-2015-3050, CVE-2015-3051, CVE-2015-3052, CVE-2015-3056, CVE-2015-3057, CVE-2015-3070, CVE-2015-3076). 

These updates resolve a memory leak (CVE-2015-3058).  

These updates resolve various methods to bypass restrictions on JavaScript API execution (CVE-2015-3060, CVE-2015-3061, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3074).

These updates resolve a null-pointer dereference issue that could lead to a denial-of-service condition (CVE-2015-3047).

These updates provide additional hardening to protect against CVE-2014-8452, a vulnerability in the handling of XML external entities that could lead to information disclosure.

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers: 

  • AbdulAziz Hariri of HP Zero Day Initiative (CVE-2015-3053, CVE-2015-3055, CVE-2015-3057, CVE-2015-3058, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073) 

  • Alex Inführ of Cure53.de (CVE-2014-8452, CVE-2015-3076)  

  • Anonymously reported through Beyond Security's SecuriTeam Secure Disclosure (CVE-2015-3075)

  • bilou, working with HP Zero Day Initiative (CVE-2015-3059) 

  • Brian Gorenc of HP Zero Day Initiative (CVE-2015-3054, CVE-2015-3056, CVE-2015-3061, CVE-2015-3063, CVE-2015-3064)  

  • Dave Weinstein of HP Zero Day Initiative (CVE-2015-3069) 

  • instruder of Alibaba Security Research Team (CVE-2015-3070) 

  • lokihardt@asrt working with HP's Zero Day Initiative (CVE-2015-3074) 

  • Mateusz Jurczyk of Google Project Zero (CVE-2015-3049, CVE-2015-3050, CVE-2015-3051, CVE-2015-3052) 

  • Mateusz Jurczyk of Google Project Zero and Gynvael Coldwind of Google Security Team (CVE-2014-9160, CVE-2014-9161) 

  • Simon Zuckerbraun working with HP Zero Day Initiative (CVE-2015-3060, CVE-2015-3062) 

  • Wei Lei, as well as Wu Hongjun and Wang Jing of Nanyang Technological University (CVE-2015-3047) 

  • Wei Lei, as well as Wu Hongjun of Nanyang Technological University (CVE-2015-3046) 

  • Xiaoning Li of Intel Labs and Haifei Li of McAfee Labs IPS Team (CVE-2015-3048)