Date: 27 April 2011
References: ESB-2011.0405 ESB-2011.0442
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0479
Security updates available for Adobe Reader and Acrobat
27 April 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Reader X
                   Acrobat X
                   Reader 9
                   Acrobat 9
Publisher:         Adobe
Operating System:  Windows
                   Mac OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0611 CVE-2011-0610
Reference:         ESB-2011.0442
                   ESB-2011.0405
Original Bulletin:
  http://www.adobe.com/support/security/bulletins/apsb11-08.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Security bulletin
Security updates available for Adobe Reader and Acrobat
Release date: April 21, 2011
Vulnerability identifier: APSB11-08
CVE number: CVE-2011-0611, CVE-2011-0610
Platform: All Platforms
Summary
Critical vulnerabilities have been identified in Adobe Reader and
Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and
Macintosh operating systems. These vulnerabilities, including
CVE-2011-0611, as referenced in Security Advisory APSA11-02, could
cause a crash and potentially allow an attacker to take control of the
affected system. There are reports that one of the vulnerabilities,
CVE-2011-0611, is being actively exploited in the wild against both
Adobe Flash Player, and Adobe Reader and Acrobat, as well as via a
Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft
Excel (.xls) file delivered as an email attachment targeting the
Windows platform. Adobe Reader X Protected Mode mitigations would
prevent an exploit of this kind from executing.
Adobe recommends users of Adobe Reader X (10.0.2) for Macintosh update
to Adobe Reader X (10.0.3). For users of Adobe Reader 9.4.3 for
Windows and Macintosh, Adobe has made available the update, Adobe
Reader 9.4.4. Adobe recommends users of Adobe Acrobat X (10.0.2) for
Windows and Macintosh update to Adobe Acrobat X (10.0.3). Adobe
recommends users of Adobe Acrobat 9.4.3 for Windows and Macintosh
update to Adobe Acrobat 9.4.4. Because Adobe Reader X Protected Mode
would prevent exploits of the type targeting CVE-2011-0611 from
executing, we are currently planning to address these issues in Adobe
Reader X for Windows with the next quarterly security update for Adobe
Reader, currently scheduled for June 14, 2011. Today's security
updates are out-of-cycle updates.
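The delivery vector described above is a Flash file carried inside an Office attachment. The following detector, added here as an example and not code from Adobe or AusCERT, byte-scans a file for an SWF header (FWS uncompressed, CWS zlib-compressed) and validates the header fields so a bare "CWS" substring in ordinary content does not trigger. It assumes the embedded object's header sits within contiguous bytes; OLE2 .doc/.xls files store streams in 512-byte sectors, so a header straddling non-adjacent sectors would be missed and a full OLE parser is the robust alternative.

```python
"""Flag Flash (.swf) content embedded in a binary file such as a .doc/.xls.
Added example (not Adobe's or AusCERT's code): validates the SWF header
fields, and for CWS the zlib stream header, before reporting a hit.
"""
import struct
import zlib

SWF_MAGICS = {b"FWS": False, b"CWS": True}   # signature -> zlib-compressed?

def _swf_header_at(buf, off):
    """Validate the 8-byte SWF header at buf[off:]; return a dict or None."""
    if off + 10 > len(buf) or buf[off:off + 3] not in SWF_MAGICS:
        return None
    version = buf[off + 3]
    (length,) = struct.unpack_from("<I", buf, off + 4)
    # Heuristic bounds: low SWF versions were current in 2011; the length
    # field counts the whole uncompressed file, so tiny/huge values are bogus.
    if not 1 <= version <= 30 or not 21 <= length <= 1 << 28:
        return None
    compressed = SWF_MAGICS[buf[off:off + 3]]
    if compressed:
        cmf, flg = buf[off + 8], buf[off + 9]
        # zlib header: deflate method (8) and a valid FCHECK modulus
        if (cmf & 0x0F) != 8 or ((cmf << 8) | flg) % 31 != 0:
            return None
    return {"offset": off, "compressed": compressed,
            "version": version, "length": length}

def find_swf_headers(buf):
    """Return every validated SWF header in a byte buffer, sorted by offset."""
    hits = []
    for magic in SWF_MAGICS:
        pos = buf.find(magic)
        while pos != -1:
            header = _swf_header_at(buf, pos)
            if header:
                hits.append(header)
            pos = buf.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample: one 512-byte OLE2-style sector of padding, then a
# minimal compressed SWF (version 10, declared length 48), then a decoy
# "CWS" string with an invalid version byte that must not match.
_BODY = zlib.compress(b"\x00" * 40)
SAMPLE = (b"\x00" * 512 + b"CWS" + bytes([10]) + struct.pack("<I", 48)
          + _BODY + b" CWS\x00\x00\x00\x00\x00 ")
```

Run `find_swf_headers(open(path, "rb").read())` over a quarantined attachment; a hit is a reason for closer inspection, not proof of exploitation.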
Affected software versions
* Adobe Reader X (10.0.1) and earlier versions for Windows
* Adobe Reader X (10.0.2) and earlier versions for Macintosh
* Adobe Acrobat X (10.0.2) and earlier versions for Windows and
Macintosh
NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe
Reader and Acrobat 8.x are not affected by CVE-2011-0611.
Solution
Adobe recommends users update their software installations by
following the instructions below:
Adobe Reader
Users on Windows and Macintosh can utilize the product's update
mechanism. The default configuration is set to run automatic update
checks on a regular schedule. Update checks can be manually activated
by choosing Help > Check for Updates.
Adobe Reader 9.x users on Windows can also find the appropriate update
here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.
Adobe Reader 10.x and 9.x users on Macintosh can also find the
appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.
Because Adobe Reader X (10.x) Protected Mode would prevent an exploit
of this kind from executing, we are planning to address this issue in
Adobe Reader X for Windows with the next quarterly security update for
Adobe Reader, currently scheduled for June 14, 2011.
Adobe Acrobat
Users can utilize the product's update mechanism. The default
configuration is set to run automatic update checks on a regular
schedule. Update checks can be manually activated by choosing Help >
Check for Updates.
Acrobat Standard and Pro 10.x and 9.x users on Windows can also find
the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.
Acrobat Pro Extended 9.x users on Windows can also find the
appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.
Acrobat Pro users on Macintosh can also find the appropriate update
here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.
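To turn the version statements above into something an inventory can be checked against, here is a small triage helper, added as an example and not code from Adobe or AusCERT. It encodes only what the bulletin states: 9.x fixed in 9.4.4, Acrobat X and Reader X for Macintosh fixed in 10.0.3, Reader X for Windows deferred to the June 14, 2011 quarterly update, and Reader 9.x for UNIX, Reader for Android and 8.x not affected by CVE-2011-0611. The product, platform and version strings are assumed inventory fields, and the "outside bulletin scope" status is an assumption for combinations the bulletin does not mention.

```python
"""Exposure triage for APSB11-08 (CVE-2011-0611, CVE-2011-0610).
Added example (not Adobe's or AusCERT's code) encoding the affected and
fixed versions stated in the bulletin for classifying a software inventory.
"""

def parse_version(text):
    """'10.0.2' -> (10, 0, 2); missing trailing components count as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return (parts + (0, 0, 0))[:3]

# Version that resolves the bulletin, keyed by (product, platform, major).
# None: no fix in this out-of-cycle release; Reader X on Windows relies on
# Protected Mode until the quarterly update scheduled for 14 June 2011.
FIXED = {
    ("reader", "windows", 9): (9, 4, 4),
    ("reader", "macintosh", 9): (9, 4, 4),
    ("reader", "windows", 10): None,
    ("reader", "macintosh", 10): (10, 0, 3),
    ("acrobat", "windows", 9): (9, 4, 4),
    ("acrobat", "macintosh", 9): (9, 4, 4),
    ("acrobat", "windows", 10): (10, 0, 3),
    ("acrobat", "macintosh", 10): (10, 0, 3),
}

def assess(product, platform, version):
    """Classify one install against the bulletin; returns a short status."""
    product, platform = product.lower(), platform.lower()
    ver = parse_version(version)
    # Bulletin: Reader 9.x for UNIX, Reader for Android and Reader/Acrobat
    # 8.x are not affected by CVE-2011-0611.
    if platform in ("unix", "android") or ver[0] == 8:
        return "not affected by CVE-2011-0611 per bulletin"
    key = (product, platform, ver[0])
    if key not in FIXED:
        return "outside bulletin scope; verify with vendor"   # assumption
    fixed = FIXED[key]
    if fixed is None:
        return "affected; rely on Protected Mode until 2011-06-14 update"
    if ver >= fixed:
        return "patched"
    return "update to " + ".".join(str(n) for n in fixed)

def triage(inventory):
    """inventory: iterable of (host, product, platform, version) tuples."""
    return {host: assess(p, pl, v) for host, p, pl, v in inventory}

# Constructed sample inventory.
SAMPLE = [("ws01", "Reader", "Windows", "9.4.3"),
          ("ws02", "Reader", "Windows", "10.0.1"),
          ("mac01", "Acrobat", "Macintosh", "10.0.3"),
          ("srv01", "Reader", "UNIX", "9.4.2")]
```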
Severity rating
Adobe categorizes these as critical updates and recommends
affected users update their installations to the newest versions.
Details
Critical vulnerabilities have been identified in Adobe Reader and
Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and
Macintosh operating systems. These vulnerabilities, including
CVE-2011-0611, as referenced in Security Advisory APSA11-02, could
cause a crash and potentially allow an attacker to take control of the
affected system. There are reports that one of the vulnerabilities,
CVE-2011-0611, is being actively exploited in the wild against both
Adobe Flash Player, and
Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded
in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as
an email attachment targeting the Windows platform. Adobe Reader X
Protected Mode mitigations would prevent an exploit of this kind from
executing.
Adobe recommends users of Adobe Reader X (10.0.2) for Macintosh update
to Adobe Reader X (10.0.3). For users of Adobe Reader 9.4.3 for
Windows and Macintosh, Adobe has made available the update, Adobe
Reader 9.4.4. Adobe recommends users of Adobe Acrobat X (10.0.2) for
Windows and Macintosh update to Adobe Acrobat X (10.0.3). Adobe
recommends users of Adobe Acrobat 9.4.3 for Windows and Macintosh
update to Adobe Acrobat 9.4.4. Because Adobe Reader X Protected Mode
would prevent exploits of the type targeting CVE-2011-0611 from
executing, we are currently planning to address these issues in Adobe
Reader X for Windows with the next quarterly security update for Adobe
Reader, currently scheduled for June 14, 2011. Today's security
updates are out-of-cycle updates.
(Note: Adobe Reader for Android is not affected by these issues.)
These updates resolve a memory corruption vulnerability that could
lead to code execution (CVE-2011-0611).
These updates resolve a memory corruption vulnerability in the
CoolType library that could lead to code execution (CVE-2011-0610).
NOTE: Adobe is not aware of any exploits in the wild targeting
CVE-2011-0610.
Acknowledgements
Adobe would like to thank the following individuals and organizations
for reporting the relevant issues and for working with Adobe to help
protect our customers:
* Mila Parkour, http://contagiodump.blogspot.com (CVE-2011-0611)
* CERT Polska, http://www.cert.pl/ (CVE-2011-0610)
* Paul Baccas of Sophos (CVE-2011-0610)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================