ESB-2011.1199 - ALERT [Win][UNIX/Linux] Adobe Reader & Acrobat: Execute arbitrary code/commands - Remote with user interaction

Date: 07 December 2011
References: ASB-2011.0109  ESB-2011.1264.2  ESB-2012.0047  ESB-2012.0046  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1199
              Security Advisory for Adobe Reader and Acrobat
                              7 December 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Reader
                   Adobe Acrobat
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Mitigation
CVE Names:         CVE-2011-2462  

Original Bulletin: 
   http://www.adobe.com/support/security/advisories/apsa11-04.html

Comment: There have been reports that the vulnerability in Adobe Reader 9.x is 
         being actively exploited in limited, targeted attacks in the wild.
         
         While no updates are currently available, Adobe is in the process 
         of finalizing a fix for the issue.
         
         An update is expected to be made available for Adobe Reader and 
         Acrobat 9.x for Windows no later than the week of December 12, 2011.
         
         Adobe Reader X Protected Mode and Adobe Acrobat X Protected View 
         would prevent an exploit of this kind from executing.
         
         An update is expected for Reader X & Acrobat X January 10, 2012.

--------------------------BEGIN INCLUDED TEXT--------------------

Summary

A critical vulnerability has been identified in Adobe Reader X (10.1.1) 
and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 
9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for 
Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash 
and potentially allow an attacker to take control of the affected system. 
There are reports that the vulnerability is being actively exploited in 
limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.

We are in the process of finalizing a fix for the issue and expect to make 
available an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later 
than the week of December 12, 2011. Because Adobe Reader X Protected Mode and 
Adobe Acrobat X Protected View would prevent an exploit of this kind from 
executing, we are currently planning to address this issue in Adobe Reader X 
and Acrobat X for Windows with the next quarterly security update for Adobe 
Reader and Acrobat, currently scheduled for January 10, 2012. We are planning 
to address this issue in Adobe Reader and Acrobat X and earlier versions for 
Macintosh as part of the next quarterly update scheduled for January 10, 2012. 
An update to address this issue in Adobe Reader 9.x for UNIX is planned for 
January 10, 2012. For further context on this schedule, please see the 
corresponding ASSET blog post.

Affected software versions

 * Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
 * Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
 * Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
 * Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh

*Note: Adobe Reader for Android and Adobe Flash Player are not affected by this 
issue.

Mitigations

Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent 
an exploit of this kind from executing. To verify Protected View for Acrobat X 
is enabled, go to: Edit > Preferences > Security (Enhanced) and ensure "Files 
from potentially unsafe locations" or "All files" with "Enable Enhanced 
Security" are checked. To verify Protected Mode for Adobe Reader X is enabled, 
go to: Edit > Preferences > General and verify that "Enable Protected Mode at 
startup" is checked.
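The GUI checks above do not scale to a fleet. The following PowerShell script is an added example (not part of the AusCERT or Adobe bulletin) that reads the same two preferences from the current user's registry hive on a Windows host and reports whether each mitigation is in the state the bulletin requires. The registry paths, value names and value encodings are assumptions recalled from Adobe's Acrobat/Reader X preference reference and must be verified against your installed build.

```powershell
# Added fleet-check example, not part of the AusCERT/Adobe bulletin.
# Assumption: the registry paths and value names below are recalled from
# Adobe's Acrobat/Reader X preference reference; verify them against your
# installed build before relying on the result.
param(
    # Reader X "Enable Protected Mode at startup" (assumed location)
    [string]$ReaderKey  = 'HKCU:\Software\Adobe\Acrobat Reader\10.0\Privileged',
    # Acrobat X Protected View / Enhanced Security (assumed location)
    [string]$AcrobatKey = 'HKCU:\Software\Adobe\Adobe Acrobat\10.0\TrustManager'
)

function Get-AdobePref {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, so callers can tell
    # "never configured / not installed" apart from an explicit setting.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-ReaderProtectedMode {
    $v = Get-AdobePref -Path $ReaderKey -Name 'bProtectedMode'   # assumed name
    if ($null -eq $v) { return 'NOT SET (not installed or product default applies; confirm in GUI)' }
    if ($v -eq 1)     { return 'ENABLED' }
    return 'DISABLED - CVE-2011-2462 mitigation absent'
}

function Test-AcrobatProtectedView {
    # The bulletin requires BOTH a Protected View scope ("unsafe locations"
    # = 1 or "all files" = 2, assumed encoding) AND Enhanced Security.
    $pv = Get-AdobePref -Path $AcrobatKey -Name 'iProtectedView'              # assumed name
    $es = Get-AdobePref -Path $AcrobatKey -Name 'bEnhancedSecurityStandalone' # assumed name
    if ($null -eq $pv -or $null -eq $es) {
        return 'NOT SET (not installed or product default applies; confirm in GUI)'
    }
    if (($pv -eq 1 -or $pv -eq 2) -and $es -eq 1) { return "ENABLED (ProtectedView scope=$pv)" }
    return "DISABLED - ProtectedView=$pv EnhancedSecurity=$es; mitigation absent"
}

# One row per host so results can be gathered centrally (e.g. via
# Invoke-Command) and filtered for anything that is not ENABLED.
[pscustomobject]@{
    Host     = $env:COMPUTERNAME
    ReaderX  = Test-ReaderProtectedMode
    AcrobatX = Test-AcrobatProtectedView
}
```

Because the preferences live under HKCU, run the script in the context of the user whose Reader/Acrobat settings you want to audit; a NOT SET result still needs the GUI check from the bulletin.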

Severity rating

Adobe categorizes this as a critical issue.

Details

A critical vulnerability has been identified in Adobe Reader X (10.1.1) and 
earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x 
versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for 
Windows and Macintosh.

This U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash 
and potentially allow an attacker to take control of the affected system. 
There are reports that the vulnerability is being actively exploited in the 
wild in limited, targeted attacks against Adobe Reader 9.x on Windows. Adobe 
Reader X Protected Mode and Acrobat X Protected View mitigations would prevent 
an exploit of this kind from executing.

We are in the process of finalizing a fix for the issue and expect to make 
available an update for Adobe Reader and Acrobat 9.x for Windows no later 
than the week of December 12, 2011.

Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View 
would prevent an exploit of this kind from executing, we are currently 
planning to address this issue in Adobe Reader X and Acrobat X for Windows 
with the next quarterly security update for Adobe Reader and Acrobat, 
currently scheduled for January 10, 2012. We are planning to address this 
issue in Adobe Reader and Acrobat X and earlier versions for Macintosh as part 
of the next quarterly update scheduled for January 10, 2012. An update to 
address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 
2012. For further context on this schedule, please see the corresponding ASSET 
blog post.

Users may monitor the latest information on the Adobe Product Security Incident 
Response Team blog at http://blogs.adobe.com/psirt or by subscribing to the 
RSS feed at http://blogs.adobe.com/psirt/atom.xml.

Adobe actively shares information about this and other vulnerabilities with 
partners in the security community to enable them to quickly develop detection 
and quarantine methods to protect users until a patch is available. As always, 
Adobe recommends that users follow security best practices by keeping their 
anti-malware software and definitions up to date.

Acknowledgments

Adobe would like to thank Lockheed Martin CIRT and members of the Defense 
Security Information Exchange for reporting this issue and for working with 
Adobe to help protect our customers.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================