===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2013.1420.2
          Security updates available for Adobe Reader and Acrobat
                              11 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Reader
                   Adobe Acrobat
Publisher:         Adobe
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5325  

Original Bulletin: 
   https://www.adobe.com/support/security/bulletins/apsb13-25.html

Revision History:  October 11 2013: removed Mac OS X
                   October  9 2013: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Security updates available for Adobe Reader and Acrobat

Release date: October 8, 2013

Vulnerability identifier: APSB13-25

Priority: See table below

CVE number: CVE-2013-5325

Platform: Windows

SUMMARY

Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.04) 
for Windows.  These updates address a regression that occurred in version 
11.0.04 affecting JavaScript security controls.  Adobe Reader and Acrobat X 
(10.1.8) and earlier versions for Windows are not affected, and all versions 
of Adobe Reader and Acrobat for Macintosh are also not affected by this 
vulnerability.  

Adobe recommends users update their product installations to the latest 
versions:
- Users of Adobe Reader XI (11.0.04) for Windows should update to Adobe Reader 
  XI (11.0.05).
- Users of Adobe Acrobat XI (11.0.04) for Windows should update to Adobe 
  Acrobat XI (11.0.05).

AFFECTED SOFTWARE VERSIONS

- Adobe Reader XI (11.0.04) for Windows
- Adobe Acrobat XI (11.0.04) for Windows

SOLUTION

Adobe recommends users update their software installations by following the 
instructions below:

Adobe Reader

Users on Windows can utilize the product's update mechanism. The default 
configuration is set to run automatic update checks on a regular schedule.  
Update checks can be manually activated by choosing Help > Check for Updates.

Adobe Reader users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Acrobat

Users can utilize the product's update mechanism. The default configuration is 
set to run automatic update checks on a regular schedule.  Update checks can be 
manually activated by choosing Help > Check for Updates.

Acrobat Standard and Pro users on Windows can also find the appropriate update 
here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can also find the appropriate update 
here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

PRIORITY AND SEVERITY RATINGS

Adobe categorizes these updates with the following priority ratings and 
recommends users update their installations to the newest versions:

Product          Updated Version   Platform   Priority rating
Adobe Reader     XI (11.0.05)      Windows    2
Adobe Acrobat    XI (11.0.05)      Windows    2

These updates address a critical vulnerability in the software.

DETAILS

Adobe has released a security update for Adobe Reader and Acrobat XI (11.0.04) 
for Windows.  This update addresses a regression that occurred in version 
11.0.04 affecting JavaScript security controls.  Adobe Reader and Acrobat X 
(10.1.8) and earlier versions for Windows are not affected, and all versions 
of Adobe Reader and Acrobat for Macintosh are also not affected by this 
vulnerability. 

Adobe recommends users update their product installations to the latest 
versions:
- Users of Adobe Reader XI (11.0.04) for Windows should update to Adobe Reader 
  XI (11.0.05).
- Users of Adobe Acrobat XI (11.0.04) for Windows should update to Adobe 
  Acrobat XI (11.0.05).

This update resolves a regression that permitted the launch of javascript 
scheme URIs when viewing a PDF in a browser (CVE-2013-5325).
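
For triage while 11.0.04 installations are still being updated, the following added example (not part of the Adobe or AusCERT text) flags PDF files that carry javascript scheme URIs. It assumes the URIs appear as /URI action entries as defined in the PDF specification; the function names and the sample bytes are constructed for illustration.

```python
import re
import zlib

_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# /URI entry with a literal (...) or hex <...> string; the "/S /URI" name has neither.
# A literal is cut at its first unescaped ")", which cannot change the scheme prefix.
_URI = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
_ESC = re.compile(rb"\\(?:([0-7]{1,3})|(\r\n|.))", re.S)
_NAMED = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def _unescape(raw):
    # PDF literal-string escapes: \ddd octal, named, backslash-newline continuation
    def repl(m):
        if m.group(1):
            return bytes([int(m.group(1), 8) & 0xFF])
        ch = m.group(2)
        return b"" if ch in (b"\n", b"\r", b"\r\n") else _NAMED.get(ch, ch)
    return _ESC.sub(repl, raw)

def _inflated_streams(data):
    for m in _STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (image, font, other filter)

def find_javascript_uris(pdf_bytes):
    """Return decoded /URI string values whose scheme is javascript:."""
    hits = []
    for blob in [pdf_bytes, *_inflated_streams(pdf_bytes)]:
        for m in _URI.finditer(blob):
            if m.group(1) is not None:
                value = _unescape(m.group(1))
            else:
                digits = re.sub(rb"\s", b"", m.group(2))
                value = bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode())
            # Compare the way a browser would: ignore whitespace/control bytes and case.
            if bytes(b for b in value if b > 0x20).lower().startswith(b"javascript:"):
                hits.append(value.decode("latin-1"))
    return hits

# Constructed sample (not from the bulletin): one https link, three javascript: forms.
SAMPLE = (
    b"%PDF-1.4\n1 0 obj << /S /URI /URI (https://example.com/) >> endobj\n"
    b"2 0 obj << /S /URI /URI (\\152avaScript:void\\(0\\)) >> endobj\n"
    b"3 0 obj << /S /URI /URI <" + b"javascript:void(0)".hex().encode() + b"> >> endobj\n"
    b"4 0 obj << /Filter /FlateDecode >> stream\n"
    + zlib.compress(b"<< /S /URI /URI (javascript:void\\(0\\)) >>") + b"\nendstream endobj\n"
)
```

Run find_javascript_uris() over the raw bytes of each file in a mail or download quarantine. Encrypted PDFs, streams using filters other than FlateDecode, and names written with #xx escapes are not decoded by this sketch.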

ACKNOWLEDGEMENTS

Adobe would like to thank Mario Heiderich for reporting this issue 
(CVE-2013-5325) and for working with Adobe to help protect our customers.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================