Multiple Vulnerabilities in Adobe Reader and Adobe Acrobat

 

Systems Affected


• Adobe Flash Player 14.0.0.179 and earlier versions
• Adobe Reader XI (11.0.08) and earlier 11.x versions for Windows
• Adobe Reader XI (11.0.07) and earlier 11.x versions for Macintosh
• Adobe Reader X (10.1.11) and earlier 10.x versions for Windows
• Adobe Reader X (10.1.10) and earlier 10.x versions for Macintosh
• Adobe Acrobat XI (11.0.08) and earlier 11.x versions for Windows
• Adobe Acrobat XI (11.0.07) and earlier 11.x versions for Macintosh
• Adobe Acrobat X (10.1.11) and earlier 10.x versions for Windows
• Adobe Acrobat X (10.1.10) and earlier 10.x versions for Macintosh

Threat Level


High


Overview


Multiple vulnerabilities have been reported in Adobe Reader and Adobe Acrobat which could allow an unauthenticated remote attacker to execute arbitrary code, bypass security restrictions, conduct cross-site scripting attacks, or cause a denial of service condition on the affected system.


Description


1. Use-after-free Vulnerability (CVE-2014-0560)
A use-after-free vulnerability has been reported in Adobe Reader and Adobe Acrobat. Attackers could exploit this vulnerability via unspecified vectors. Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on the targeted system.

2. Cross-site-scripting vulnerability (CVE-2014-0562)
This vulnerability is caused by improper input validation in Adobe Reader and Adobe Acrobat on Macintosh. Remote attackers could exploit this vulnerability by enticing a user to visit a malicious web page containing specially crafted content, leading to injection or execution of arbitrary script code or HTML in the user's browser. Successful exploitation of this vulnerability could allow remote attackers to steal cookie-based authentication credentials and conduct cross-site scripting attacks.

3. Memory Corruption Vulnerabilities (CVE-2014-0563, CVE-2014-0565, CVE-2014-0566)
These vulnerabilities are caused by improper sanitization of user-supplied input in Adobe Reader and Adobe Acrobat. Remote attackers could exploit these vulnerabilities via unspecified vectors. Successful exploitation of these vulnerabilities could allow remote attackers to execute arbitrary code or cause denial of service conditions (memory corruption) on the affected system.

4. Heap-based Buffer Overflow Vulnerabilities (CVE-2014-0561, CVE-2014-0567)
These vulnerabilities are caused by improper validation of user-supplied input in Adobe Reader and Adobe Acrobat. A remote attacker could exploit these vulnerabilities by enticing a user to open a specially crafted PDF file, leading to an overflow condition in the 3DIF plug-in. Successful exploitation of these vulnerabilities could allow remote attackers to cause heap-based buffer overflow conditions resulting in arbitrary code execution on the affected system.

5. Security Bypass Vulnerability (CVE-2014-0568)
A sandbox protection bypass vulnerability has been reported in Adobe Reader and Adobe Acrobat on Windows. Successful exploitation of this vulnerability could allow remote attackers to bypass the sandbox protection mechanism and execute arbitrary code with elevated privileges on the affected system via unspecified vectors.


Impact



Solution/ Workarounds


Apply the appropriate patches as described in Adobe Security Bulletin APSB14-20.
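The following script is an added example and is not part of this advisory or of Adobe's bulletin. It takes the version thresholds from the "Systems Affected" list above and decides whether a given product, platform and version string falls into an affected range, comparing versions numerically so that, for example, 11.0.10 is correctly treated as newer than 11.0.8. How the installed version is discovered on each host is outside the script; the sample inventory records below are constructed for illustration.

```python
"""Check Adobe Reader/Acrobat/Flash Player versions against the affected
ranges listed in this advisory (added example, not part of the advisory)."""

# Upper bounds copied from the advisory's "Systems Affected" list.
# A version is affected when it has the same major version as a bound and
# compares less than or equal to that bound ("X and earlier X.x versions").
AFFECTED = {
    ("Adobe Reader", "Windows"): ["11.0.08", "10.1.11"],
    ("Adobe Reader", "Macintosh"): ["11.0.07", "10.1.10"],
    ("Adobe Acrobat", "Windows"): ["11.0.08", "10.1.11"],
    ("Adobe Acrobat", "Macintosh"): ["11.0.07", "10.1.10"],
    # Flash Player is listed without a platform; "any" matches every platform.
    ("Adobe Flash Player", "any"): ["14.0.0.179"],
}


def parse_version(version):
    """Turn '11.0.08' into (11, 0, 8) so comparisons are numeric, not lexical."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, platform, version):
    """Return True if (product, platform, version) is in an affected range.

    Versions on branches the advisory does not list (e.g. a 9.x Reader)
    return False: they are outside the advisory's scope, which is not the
    same as being known to be unaffected.
    """
    bounds = AFFECTED.get((product, platform)) or AFFECTED.get((product, "any"))
    if bounds is None:
        raise KeyError(f"{product} on {platform} is not covered by this advisory")
    installed = parse_version(version)
    for bound in bounds:
        b = parse_version(bound)
        # Same major branch and not newer than the listed ceiling.
        if installed[0] == b[0] and installed <= b:
            return True
    return False


def scan(inventory):
    """Return the inventory records that need the APSB14-20 patches."""
    return [r for r in inventory if is_affected(r["product"], r["platform"], r["version"])]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "Adobe Reader", "platform": "Windows", "version": "11.0.08"},
    {"host": "ws-02", "product": "Adobe Reader", "platform": "Windows", "version": "11.0.09"},
    {"host": "mac-01", "product": "Adobe Acrobat", "platform": "Macintosh", "version": "10.1.10"},
    {"host": "mac-02", "product": "Adobe Acrobat", "platform": "Macintosh", "version": "10.1.11"},
    {"host": "ws-03", "product": "Adobe Flash Player", "platform": "Windows", "version": "14.0.0.145"},
]

if __name__ == "__main__":
    for record in scan(SAMPLE_INVENTORY):
        print(f"{record['host']}: {record['product']} {record['version']} "
              f"({record['platform']}) is affected")
```

Note that the Macintosh thresholds (11.0.07 and 10.1.10) are one release behind the Windows ones, so the same version string can be affected on one platform and not the other; the lookup key therefore includes the platform.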


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.

© Copyright Sri Lanka CERT|CC. All Rights Reserved.