History: May 13, 2014 - 12:00 a.m.

KLA10004 Multiple Adobe Acrobat & Reader vulnerabilities

2014-05-13 00:00:00
Kaspersky Lab
threats.kaspersky.com
AI Score: 8.4 High (Confidence: Low)

CVSS2: 10 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.873 High (Percentile: 98.6%)

Multiple serious vulnerabilities have been found in Adobe Reader & Adobe Acrobat versions X and XI. Malicious users can exploit these vulnerabilities to execute arbitrary code, bypass sandbox protection, cause a denial of service or obtain sensitive information.

Below is a complete list of vulnerabilities:

  • Unspecified vectors can be exploited to bypass a sandbox protection mechanism, execute arbitrary code or cause a denial of service via heap-based buffer overflow, use-after-free and double free.

  • Vectors related to the JavaScript API can be exploited to obtain sensitive information via a specially crafted PDF.

  • Vectors related to unspecified API calls can be exploited to execute arbitrary code via unmapped memory access.

Original advisories

Adobe bulletin

Exploitation

Malware exists for this vulnerability. Usually such malware is classified as Exploit.

Related products

  • Adobe-Reader
  • Adobe-Acrobat
  • Adobe-Acrobat-X
  • Adobe-Acrobat-XI

CVE list

  • CVE-2014-0511 (critical)
  • CVE-2014-0521 (warning)
  • CVE-2014-0526 (critical)
  • CVE-2014-0525 (critical)
  • CVE-2014-0529 (critical)
  • CVE-2014-0527 (critical)
  • CVE-2014-0528 (critical)
  • CVE-2014-0522 (critical)
  • CVE-2014-0512 (critical)
  • CVE-2014-0524 (critical)
  • CVE-2014-0523 (critical)

Solution

Update to latest version

Reader

Impacts

  • ACE: Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an abuser to execute any code or commands on the vulnerable machine or process.

  • OSI: Obtain sensitive information. Exploitation of vulnerabilities with this impact can allow an abuser to capture information that is critical to the user or system.

  • SB: Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

Affected Products

  • Adobe Reader & Acrobat XI 11.0.06 and earlier versions for Windows and Macintosh
  • Adobe Reader & Acrobat X 10.1.9 and earlier versions for Windows and Macintosh
