فا

‫ Adobe Reader / Acrobat Multiple Vulnerabilities


ID: IRCAD2015104109

Release Date: 2015-10-13

Software:

Adobe Acrobat DC 15.x

Adobe Acrobat Reader DC 15.x

Adobe Acrobat X 10.x

Adobe Acrobat XI 11.x

Adobe Reader X 10.x

Adobe Reader XI 11.x

Description:

Multiple vulnerabilities have been reported in Adobe Reader and Adobe Acrobat, which can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, and compromise a user's system.

1) An error can be exploited to cause a buffer overflow and subsequently disclose certain information.

2) A use-after-free error when handling the WillSave document action can be exploited to corrupt memory.

3) A use-after-free error when handling OCG objects within the WillSave document action can be exploited to corrupt memory.

4) A use-after-free error within the "popUpMenuEx()" method can be exploited to corrupt memory.

5) A use-after-free error when handling PDF documents with media content related to the saving of a PDF document can be exploited to corrupt memory via a specially crafted PDF document.

6) A use-after-free error within the EScript exception handlers can be exploited to corrupt memory via a specially crafted PDF document.

7) A use-after-free error can be exploited to corrupt memory.

8) Another use-after-free error can be exploited to corrupt memory.

9) Another use-after-free error can be exploited to corrupt memory.

10) A use-after-free error when handling U3D objects can be exploited to corrupt memory.

11) A use-after-free error can be exploited to corrupt memory.

12) Another use-after-free error can be exploited to corrupt memory.

13) An error can be exploited to cause a heap-based buffer overflow.

14) An error related to AcroForm can be exploited to cause a heap-based buffer overflow.

15) A use-after-free error when handling certain fields related to the Format action can be exploited to corrupt memory via a specially crafted PDF document.

16) A use-after-free error when handling the "signatureSetSeedValue()" method can be exploited to corrupt memory.

17) An error when handling the fillColor attribute can be exploited to corrupt memory.

18) A use-after-free error when handling the value attribute related to listbox can be exploited to corrupt memory.

19) A use-after-free error when handling certain fields can be exploited to corrupt memory via a specially crafted PDF document.

20) An unspecified error can be exploited to corrupt memory.

Successful exploitation of the vulnerabilities #2 through #‫20 may allow execution of arbitrary code.

21) An error when handling excess values within the "addForegroundSprite()" function can be exploited to disclose certain information.

22) An error when handling excess values within the "setBackground()" function can be exploited to disclose certain information.

23) An error when handling excess values related to the ambientIlluminationColor property can be exploited to disclose certain information.

24) An error when handling excess values within the "createSquareMesh()" function can be exploited to disclose certain information.

25) An error when handling excess values within the "loadFlashMovie()" function can be exploited to disclose certain information.

26) An error when handling excess values related to the animations property can be exploited to disclose certain information.

27) An error within the implementation of color objects in light objects can be exploited to disclose the heap address of a color object.

28) An error related to Acrobat Reader printing can be exploited to bypass certain security restrictions and subsequently disclose certain otherwise restricted information by printing to otherwise restricted PDF files to remote printers.

29) An error can be exploited to bypass certain security restrictions and subsequently disclose certain otherwise restricted information.

30) Another error can be exploited to bypass certain security restrictions and subsequently disclose certain otherwise restricted information.

31) Another error can be exploited to bypass certain security restrictions and subsequently disclose certain otherwise restricted information.

32) An error when handling JavaScript instructions within the "ANSendForReview()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

33) An error when handling JavaScript instructions within the "ANStartApproval()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

34) An error when handling JavaScript instructions within the "CBBBRInvite()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

35) An error when handling JavaScript instructions within the "CBBBRInit()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

36) An error when handling JavaScript instructions within the "DoIdentityDialog()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

37) An error when handling JavaScript instructions within the "ANSendApprovalToAuthorEnabled()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

38) An error when handling URLs related "toapp.launchURL()" method can be exploited to bypass certain JavaScript API execution restrictions.

39) An error when handling JavaScript instructions within the "ANVerifyComments()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

40) An error when handling JavaScript instructions within the "ANSendForFormDistribution()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

41) An error when handling JavaScript instructions within the "DynamicAnnotStore()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

42) An error when handling JavaScript instructions within the "CBSharedReviewIfOfflineDialog()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

43) An error when handling JavaScript instructions within the "CBSharedReviewCloseDialog()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

44) An error when handling JavaScript instructions within the "ANRunSharedReviewEmailStep()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

45) An error when handling JavaScript instructions within the "CBSharedReviewSecurityDialog()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

46) An error when handling JavaScript instructions within the "CBSharedReviewStatusDialog()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

47) An error when handling JavaScript instructions within the "ANTrustPropagateAll()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

48) An error when handling JavaScript instructions within the "ANSendForApproval()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

49) An error when handling JavaScript instructions within the "ANSendForSharedReview()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

50) An error when handling JavaScript instructions within the "CBAutoConfigCommentRepository()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

51) An error when handling JavaScript instructions within the "ANShareFile2()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

52) An error when handling JavaScript instructions within the "ANSendForBrowserReview()" method can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

53) An error when handling JavaScript instructions within the "ANAuthenticateResource()" method of Function objects can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

54) An error when handling JavaScript instructions within the "call()" method of Function objects can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

55) An error when handling JavaScript instructions within the "bind()" method of Function objects can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

56) An error when handling JavaScript instructions within the "apply()" method of Function objects can be exploited to bypass certain JavaScript API execution restrictions via a specially crafted PDF document containing JavaScript instructions.

Please see the vendor's advisory for a list of affected products and versions.

Solution

Update to a fixed version. Please see the vendor's advisory for details.

References:

APSB15-24:

https://helpx.adobe.com/security/products/acrobat/apsb15-24.html

ZDI:

http://www.zerodayinitiative.com/advisories/ZDI-15-466/

http://www.zerodayinitiative.com/advisories/ZDI-15-467/

http://www.zerodayinitiative.com/advisories/ZDI-15-468/

http://www.zerodayinitiative.com/advisories/ZDI-15-469/

http://www.zerodayinitiative.com/advisories/ZDI-15-470/

http://www.zerodayinitiative.com/advisories/ZDI-15-471/

http://www.zerodayinitiative.com/advisories/ZDI-15-472/

http://www.zerodayinitiative.com/advisories/ZDI-15-473/

http://www.zerodayinitiative.com/advisories/ZDI-15-474/

http://www.zerodayinitiative.com/advisories/ZDI-15-475/

http://www.zerodayinitiative.com/advisories/ZDI-15-476/

http://www.zerodayinitiative.com/advisories/ZDI-15-477/

http://www.zerodayinitiative.com/advisories/ZDI-15-478/

http://www.zerodayinitiative.com/advisories/ZDI-15-479/

http://www.zerodayinitiative.com/advisories/ZDI-15-480/

http://www.zerodayinitiative.com/advisories/ZDI-15-481/

http://www.zerodayinitiative.com/advisories/ZDI-15-482/

http://www.zerodayinitiative.com/advisories/ZDI-15-483/

http://www.zerodayinitiative.com/advisories/ZDI-15-484/

http://www.zerodayinitiative.com/advisories/ZDI-15-485/

http://www.zerodayinitiative.com/advisories/ZDI-15-486/

http://www.zerodayinitiative.com/advisories/ZDI-15-487/

http://www.zerodayinitiative.com/advisories/ZDI-15-488/

http://www.zerodayinitiative.com/advisories/ZDI-15-489/

http://www.zerodayinitiative.com/advisories/ZDI-15-490/

http://www.zerodayinitiative.com/advisories/ZDI-15-491/

http://www.zerodayinitiative.com/advisories/ZDI-15-492/

http://www.zerodayinitiative.com/advisories/ZDI-15-493/

http://www.zerodayinitiative.com/advisories/ZDI-15-494/

http://www.zerodayinitiative.com/advisories/ZDI-15-495/

http://www.zerodayinitiative.com/advisories/ZDI-15-496/

http://www.zerodayinitiative.com/advisories/ZDI-15-497/

http://www.zerodayinitiative.com/advisories/ZDI-15-498/

http://www.zerodayinitiative.com/advisories/ZDI-15-499/

http://www.zerodayinitiative.com/advisories/ZDI-15-500/

http://www.zerodayinitiative.com/advisories/ZDI-15-501/

http://www.zerodayinitiative.com/advisories/ZDI-15-502/

http://www.zerodayinitiative.com/advisories/ZDI-15-503/

http://www.zerodayinitiative.com/advisories/ZDI-15-504/

http://www.zerodayinitiative.com/advisories/ZDI-15-505/

http://www.zerodayinitiative.com/advisories/ZDI-15-506/

http://www.zerodayinitiative.com/advisories/ZDI-15-507/

http://www.zerodayinitiative.com/advisories/ZDI-15-508/

http://www.zerodayinitiative.com/advisories/ZDI-15-509/

http://www.zerodayinitiative.com/advisories/ZDI-15-510/

Secunia:

https://secunia.com/advisories/66814/

 

 

 


نظرات

بدون نظر
شما برای نظر دادن باید وارد شوید

نوشته

 
تاریخ ایجاد: 27 مهر 1394

امتیاز

امتیاز شما
تعداد امتیازها: 0