ESB-2009.1395 - ALERT [Win][UNIX/Linux] Adobe Reader and Adobe Acrobat: Multiple vulnerabilities

Date: 14 October 2009
References: AL-2007.0009  ESB-2007.0024  ESB-2007.0182  ESB-2009.1415  ESB-2009.1444  ESB-2009.1446  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1395
          Security Updates Available for Adobe Reader and Acrobat
                              14 October 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Reader 9.1.3 and Acrobat 9.1.3 and prior
                   Adobe Reader 8.1.6 and Acrobat 8.1.6 and prior
                   Adobe Reader 7.1.3 and Acrobat 7.1.3 and prior
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3462 CVE-2009-3461 CVE-2009-3460
                   CVE-2009-3459 CVE-2009-3458 CVE-2009-3431
                   CVE-2009-2998 CVE-2009-2997 CVE-2009-2996
                   CVE-2009-2995 CVE-2009-2994 CVE-2009-2993
                   CVE-2009-2992 CVE-2009-2991 CVE-2009-2990
                   CVE-2009-2989 CVE-2009-2988 CVE-2009-2987
                   CVE-2009-2986 CVE-2009-2985 CVE-2009-2984
                   CVE-2009-2983 CVE-2009-2982 CVE-2009-2981
                   CVE-2009-2980 CVE-2009-2979 CVE-2009-2564
                   CVE-2007-0048 CVE-2007-0045 

Reference:         AL-2007.0009
                   ESB-2007.0182
                   ESB-2007.0024

Original Bulletin: 
   http://www.adobe.com/support/security/bulletins/apsb09-15.html

--------------------------BEGIN INCLUDED TEXT--------------------

Security Updates Available for Adobe Reader and Acrobat

Release date: October 13, 2009

Vulnerability identifier: APSB09-15

CVE number: CVE-2007-0048, CVE-2007-0045, CVE-2009-2564, CVE-2009-2979, 
CVE-2009-2980, CVE-2009-2981, CVE-2009-2982, CVE-2009-2983, CVE-2009-2984, 
CVE-2009-2985, CVE-2009-2986, CVE-2009-2987, CVE-2009-2988, CVE-2009-2989, 
CVE-2009-2990, CVE-2009-2991, CVE-2009-2992, CVE-2009-2993, CVE-2009-2994, 
CVE-2009-2995, CVE-2009-2996, CVE-2009-2997, CVE-2009-2998, CVE-2009-3431, 
CVE-2009-3458, CVE-2009-3459, CVE-2009-3460, CVE-2009-3461, CVE-2009-3462

Platform: All

Summary

Critical vulnerabilities have been identified in Adobe Reader 9.1.3 and Acrobat 
9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, 
and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These 
vulnerabilities could cause the application to crash and could potentially 
allow an attacker to take control of the affected system. This update 
represents the second quarterly security update for Adobe Reader and Acrobat.

Adobe recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier 
versions update to Adobe Reader 9.2 and Acrobat 9.2. Adobe recommends users of 
Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of 
Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader 
users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe 
Reader 8.1.7 and Adobe Reader 7.1.4 updates. Updates apply to all platforms: 
Windows, Macintosh and UNIX.
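As an added example (not part of the Adobe or AusCERT bulletin), the following Python maps installed Reader/Acrobat versions onto the fixed releases named above so that a software-inventory export can be triaged; the sample inventory rows, and the treatment of releases outside the 7.x to 9.x branches, are assumptions.

```python
from typing import Iterable, List, Optional, Tuple

# Fixed release per major branch, as stated in the bulletin: 9.x -> 9.2,
# 8.x -> 8.1.7, 7.x -> 7.1.4 (in-branch fixes for users who cannot move to 9.2).
FIXED = {9: "9.2", 8: "8.1.7", 7: "7.1.4"}

def parse_version(text: str) -> Tuple[int, int, int]:
    """'9.1.3' -> (9, 1, 3); shorter strings are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]

def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (needs_update, recommended_release) for one installed version."""
    ver = parse_version(version)
    major = ver[0]
    if major in FIXED:
        if ver >= parse_version(FIXED[major]):
            return False, None
        return True, FIXED[major]
    if major > 9:
        return False, None  # assumption: newer than anything the bulletin covers
    # Assumption: 6.x and older are unsupported; recommend the current release.
    return True, FIXED[9]

def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Rows are (host, product, version); returns the rows that still need the
    update, each with the release it should move to appended."""
    findings = []
    for host, product, version in inventory:
        needs_update, recommended = assess(version)
        if needs_update:
            findings.append((host, product, version, recommended))
    return findings

# Constructed sample inventory; hosts and versions are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "Reader", "9.1.3"),
    ("ws-02", "Acrobat", "8.1.6"),
    ("ws-03", "Reader", "7.1.4"),
    ("ws-04", "Reader", "9.2"),
    ("srv-05", "Reader", "6.0.2"),
]

if __name__ == "__main__":
    for host, product, version, rec in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> update to {rec}")
```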

Affected software versions

Adobe Reader 9.1.3 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.1.3 and earlier versions for Windows and Macintosh

Solution

Adobe Reader

Adobe Reader users on Windows can find the appropriate update here: 
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can find the appropriate update here: 
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here: 
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.

Acrobat

Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can find the appropriate update here: 
http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows

Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

Severity rating

Adobe categorizes this as a critical update.

Details

This update resolves a heap overflow vulnerability that could lead to code 
execution (CVE-2009-3459).
NOTE: There are reports that this issue is being exploited in the wild, via 
limited, targeted attacks.

This update resolves a memory corruption issue that could potentially lead to 
code execution (CVE-2009-2985).

This update resolves multiple heap overflow vulnerabilities that could 
potentially lead to code execution (CVE-2009-2986).

This update resolves an invalid array index issue that could potentially lead 
to code execution (CVE-2009-2990).
NOTE: this issue is resolved in the Adobe Reader and Acrobat 9.2 and 8.1.7 
updates.

This update resolves a remote exploitation issue specific to the Mozilla 
plug-in that could potentially allow an attacker to execute arbitrary code with 
the privileges of the current user (CVE-2009-2991).
NOTE: this issue is resolved in the Adobe Reader and Acrobat 8.1.7 updates.

This update resolves multiple input validation vulnerabilities that could 
potentially lead to code execution (CVE-2009-2993).

This update resolves a buffer overflow issue that could potentially lead to 
code execution (CVE-2009-2994).

This update resolves a heap overflow vulnerability that could potentially lead 
to code execution (CVE-2009-2997).

This update resolves an input validation issue that could potentially lead to 
code execution (CVE-2009-2998).

This update resolves an input validation issue that could potentially lead to 
code execution (CVE-2009-3458).

This update resolves a memory corruption issue that could potentially lead to 
code execution. This issue is specific to Acrobat and does not affect Adobe 
Reader. (CVE-2009-3460).
NOTE: this issue is resolved in the Acrobat 9.2 and 8.1.7 updates.

This update resolves an integer overflow that could potentially lead to code 
execution. This issue is specific to Acrobat and does not affect Adobe Reader. 
(CVE-2009-2989).
NOTE: this issue is resolved in the Acrobat 9.2 and 8.1.7 updates.

This update resolves a memory corruption issue that leads to a Denial of 
Service (DoS); arbitrary code execution has not been demonstrated, but may be 
possible (CVE-2009-2983).
NOTE: this issue is resolved in the Adobe Reader and Acrobat 9.2 and 8.1.7 
updates.

This update resolves an integer overflow that leads to a Denial of Service 
(DoS); arbitrary code execution has not been demonstrated, but may be possible 
(CVE-2009-2980).

This update resolves a memory corruption issue that leads to a Denial of 
Service (DoS); arbitrary code execution has not been demonstrated, but may be 
possible (CVE-2009-2996).

This update resolves a UNIX-only format string bug, reachable only when running 
in Debug mode, that could lead to arbitrary code execution (CVE-2009-3462).

This update resolves an image decoder issue that leads to a Denial of Service 
(DoS); arbitrary code execution has not been demonstrated, but may be possible. 
This issue is specific to Acrobat and does not affect Adobe Reader. 
(CVE-2009-2984).
NOTE: this issue is resolved in the Acrobat 9.2 update.

This update resolves an input validation issue that could potentially lead to 
a bypass of Trust Manager restrictions (CVE-2009-2981).

This update resolves an issue that could allow a malicious user to bypass file 
extension security controls. This issue is specific to Acrobat 9.X. 
(CVE-2009-3461).

This update modifies a certificate that if compromised could potentially be 
used in a social engineering attack (CVE-2009-2982).
NOTE: this issue is resolved in the Adobe Reader and Acrobat 9.2 and 8.1.7 
updates.

This update resolves a stack overflow issue that could potentially lead to a 
Denial of Service (DoS) attack (CVE-2009-3431).
NOTE: this issue is resolved in the Adobe Reader and Acrobat 9.2 and 8.1.7 
updates.

This update resolves an XMP-XML entity expansion issue that could lead to a 
Denial of Service (DoS) attack (CVE-2009-2979).
NOTE: this issue is resolved in the Adobe Reader and Acrobat 9.2 and 8.1.7 
updates.

This update resolves a remote denial of service issue in the ActiveX control 
specific to the Windows OS (CVE-2009-2987).

This update resolves an input validation issue that could lead to a Denial of 
Service (DoS) issue (CVE-2009-2988).

This update resolves an input validation issue specific to the ActiveX control 
that could lead to a Denial of Service (DoS) attack (CVE-2009-2992).
NOTE: this issue is resolved in the Adobe Reader and Acrobat 9.2 and 8.1.7 
updates.

This update resolves an integer overflow that leads to a Denial of Service 
(DoS). This issue is specific to Acrobat and does not affect Adobe Reader. 
(CVE-2009-2995).

This update resolves an issue in a third-party web download product used by 
Adobe Reader that could potentially lead to local privilege escalation 
(CVE-2009-2564).

This update resolves a cross-site scripting issue when the browser plugin is 
used with the Google Chrome and Opera browsers (CVE-2007-0048, CVE-2007-0045).

Acknowledgments

Adobe would like to thank the following individuals and organizations for 
reporting the relevant issues and for working with Adobe to help protect our 
customers' security:

    * Michael Schmidt of Compass Security (http://www.csnc.ch) (CVE-2007-0048, 
      CVE-2007-0045)
    * Didier Stevens (CVE-2009-2979)
    * Drew Yao of Apple Product Security 
      (http://www.apple.com/support/security/) (CVE-2009-2980)
    * Stefano Di Paola of Minded Security (http://www.mindedsecurity.com/) 
      (CVE-2009-2981)
    * Guillaume Delugré and Frédéric Raynal of SOGETI ESEC 
      (http://esec.fr.sogeti.com/) (CVE-2009-2982, CVE-2009-3461, 
      CVE-2009-3462)
    * SkyLined of Google Inc. (http://skypher.com/SkyLined) (CVE-2009-2983)
    * Tavis Ormandy, Google Security Team 
      (http://www.google.com/corporate/security.html) (CVE-2009-2984)
    * An anonymous researcher, reported through TippingPoint's Zero Day 
      Initiative (http://www.zerodayinitiative.com/) (CVE-2009-2985)
    * Will Dormann, CERT (http://www.cert.org/) (CVE-2009-2986)
    * Zhenhua Liu and Xiaopeng Zhang of Fortinet's FortiGuard Global Security 
      Research Team (http://www.fortiguardcenter.com) (CVE-2009-2987, 
      CVE-2009-2988, CVE-2009-2996)
    * Tielei Wang from ICST-ERCIS (Engineering Research Center of Info 
      Security, Institute of Computer Science & Technology, Peking University / 
      China) (CVE-2009-2989, CVE-2009-2995)
    * Dionysus Blazakis through iDefense's Vulnerability Contributor Program 
      (http://www.idefense.com/vcp/) (CVE-2009-2990)
    * Elazar Broad through iDefense's Vulnerability Contributor Program 
      (http://www.idefense.com/vcp/) (CVE-2009-2991)
    * David Soldera of Next Generation Security Software 
      (http://www.ngssoftware.com/) (CVE-2009-2992)
    * IOActive (http://www.ioactive.com/) (CVE-2009-2993)
    * Felipe Andres Manzano through the iSIGHT Partners GVP 
      (https://gvp.isightpartners.com) (CVE-2009-2994)
    * Nicolas Joly of VUPEN Security (http://www.vupen.com) (CVE-2009-2997, 
      CVE-2009-2998, CVE-2009-3458)
    * Chia-Ching Fang of the Information and Communication Security Technology 
      Center (http://www.icst.org.tw) (CVE-2009-3459)
    * Haifei Li of Fortinet's FortiGuard Global Security Research Team 
      (http://www.fortiguardcenter.com/) (CVE-2009-3460)

Revisions

October 13, 2009 - Bulletin updated with details
October 8, 2009 - Advisory released

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================