Security updates available for Adobe Reader and Acrobat

2010-10-06T00:00:00
ID SECURITYVULNS:DOC:24840
Type securityvulns
Reporter Securityvulns
Modified 2010-10-06T00:00:00

Description

Security updates available for Adobe Reader and Acrobat

Release date: October 5, 2010

Vulnerability identifier: APSB10-21

CVE Numbers: CVE-2010-2883, CVE-2010-2884, CVE-2010-2887, CVE-2010-2888, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3623, CVE-2010-3624, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627, CVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3631, CVE-2010-3632, CVE-2010-3656, CVE-2010-3657, CVE-2010-3658

Platform: All Platforms Summary

Critical vulnerabilities have been identified in Adobe Reader 9.3.4 (and earlier versions) for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.4 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.4 (and earlier versions) and Adobe Acrobat 8.2.4 (and earlier versions) for Windows and Macintosh. These vulnerabilities, including CVE-2010-2883, referenced in Security Advisory APSA10-02, and CVE-2010-2884 referenced in the Adobe Flash Player Security Bulletin APSB10-22, could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.) Adobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5.

Note that the October 5, 2010 updates represent an accelerated release of the next quarterly security update originally scheduled for October 12, 2010. With this accelerated schedule, Adobe will not release additional updates for Adobe Reader and Acrobat on October 12, 2010. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011. Affected software versions

* Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
* Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

SOLUTION

Adobe recommends users update their software installations by following the instructions below:

Adobe Reader Users on Windows and Macintosh can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule and can be manually activated by choosing Help > Check for Updates.

Adobe Reader users on Windows can also find the appropriate update here: http://get.adobe.com/reader/.

Adobe Reader users on Macintosh can also find the appropriate update here: http://get.adobe.com/reader/.

Adobe Reader users on UNIX can find the appropriate update here: ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.4.0. Note: Adobe Reader 9.4 for UNIX will be available from the Adobe Reader Download Center at http://get.adobe.com/reader/ by October 21, 2010.

Adobe Acrobat Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule and can be manually activated by choosing Help > Check for Updates.

Acrobat Standard and Pro users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.

Acrobat 3D users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh. Severity rating

Adobe categorizes these as critical updates and recommends that users apply the latest updates for their product installations by following the instructions in the "Solution" section above. DETAILS

Critical vulnerabilities have been identified in Adobe Reader 9.3.4 (and earlier versions) for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.4 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.4 (and earlier versions) and Adobe Acrobat 8.2.4 (and earlier versions) for Windows and Macintosh. These vulnerabilities, including CVE-2010-2883, referenced in Security Advisory APSA10-02, and CVE-2010-2884 referenced in the Adobe Flash Player Security Bulletin APSB10-22, could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.) Adobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5.

This update resolves a font-parsing input validation vulnerability that could lead to code execution (CVE-2010-2883). Note: There are reports that this issue is being actively exploited in the wild.

This update resolves a memory corruption vulnerability in the authplay.dll component that could lead to code execution (CVE-2010-2884).

This update resolves multiple potential Linux-only privilege escalation issues (CVE-2010-2887).

This update resolves multiple input validation errors that could lead to code execution (Windows, ActiveX only) (CVE-2010-2888).

This update resolves a font-parsing input validation vulnerability that could lead to code execution (CVE-2010-2889).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2890).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3619).

This update resolves an image-parsing input validation vulnerability that could lead to code execution (CVE-2010-3620).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3621).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3622).

This update resolves a memory corruption vulnerability that could lead to code execution (Macintosh platform only) (CVE-2010-3623).

This update resolves an image-parsing input validation vulnerability that could lead to code execution (Macintosh platform only) (CVE-2010-3624).

This update resolves a prefix protocol handler vulnerability that could lead to code execution (CVE-2010-3625).

This update resolves a font-parsing input validation vulnerability that could lead to code execution (CVE-2010-3626).

This update resolves an input validation vulnerability that could lead to code execution (CVE-2010-3627).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3628).

This update resolves an image-parsing input validation vulnerability that could lead to code execution (CVE-2010-3629).

This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-3630).

This update resolves an array-indexing vulnerability that could lead to code execution (Macintosh platform only) (CVE-2010-3631).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3632).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3658)

This update resolves a denial of service issue (CVE-2010-3656).

This update resolves a denial of service issue (CVE-2010-3657). ACKNOWLEDGMENTS

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

    * Report submitted by Red Hat Security Response Team (CVE-2010-2887)
    * Tavis Ormandy of the Google Security Team (CVE-2010-2888, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3626, CVE-2010-3658)
    * Sebastian Apelt through TippingPoint's Zero Day Initiative (CVE-2010-3621, CVE-2010-3622)
    * James Quirk of Los Alamos, New Mexico (CVE-2010-3623)
    * Felipe Andres Manzano through the iSIGHT Partners Global Vulnerability Partnership (CVE-2010-3624)
    * Billy Rios from the Google Security Team (CVE-2010-3625)
    * Ricardo Narvaja of Core Security Technologies (CVE-2010-3627)
    * Bing Liu of Fortinet's FortiGuard Labs (CVE-2010-3628)
    * Will Dormann of CERT (CVE-2010-3629)
    * Brett Gervasoni of Sense of Security (CVE-2010-3630)
    * Knud Erik Højgaard of nSense Vulnerability Research Team (CVE-2010-3631)
    * An anonymous reporter through TippingPoint's Zero Day Initiative (CVE-2010-3632)