Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.1867 Security Updates Available for Adobe Acrobat and Reader 15 July 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Adobe Acrobat Adobe Reader Publisher: Adobe Operating System: Windows OS X Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Increased Privileges -- Remote with User Interaction Access Privileged Data -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2015-5115 CVE-2015-5114 CVE-2015-5113 CVE-2015-5111 CVE-2015-5110 CVE-2015-5109 CVE-2015-5108 CVE-2015-5107 CVE-2015-5106 CVE-2015-5105 CVE-2015-5104 CVE-2015-5103 CVE-2015-5102 CVE-2015-5101 CVE-2015-5100 CVE-2015-5099 CVE-2015-5098 CVE-2015-5097 CVE-2015-5096 CVE-2015-5095 CVE-2015-5094 CVE-2015-5093 CVE-2015-5092 CVE-2015-5091 CVE-2015-5090 CVE-2015-5089 CVE-2015-5088 CVE-2015-5087 CVE-2015-5086 CVE-2015-5085 CVE-2015-4452 CVE-2015-4451 CVE-2015-4450 CVE-2015-4449 CVE-2015-4448 CVE-2015-4447 CVE-2015-4446 CVE-2015-4445 CVE-2015-4444 CVE-2015-4443 CVE-2015-4441 CVE-2015-4438 CVE-2015-4435 CVE-2015-3095 CVE-2014-8450 CVE-2014-0566 Reference: ESB-2014.1607 Original Bulletin: https://helpx.adobe.com/security/products/reader/apsb15-15.html - --------------------------BEGIN INCLUDED TEXT-------------------- Adobe Security Bulletin Security Updates Available for Adobe Acrobat and Reader Release date: July 14, 2015 Vulnerability identifier: APSB15-15 Priority: See table below CVE numbers:CVE-2014-0566, CVE-2014-8450, CVE-2015-3095, CVE-2015-4435, CVE-2015-4438, CVE-2015-4441, CVE-2015-4443, CVE-2015-4444, CVE-2015-4445, CVE-2015-4446, CVE-2015-4447, CVE-2015-4448, CVE-2015-4449, CVE-2015-4450, CVE-2015-4451, CVE-2015-4452, CVE-2015-5085, CVE-2015-5086, CVE-2015-5087, CVE-2015-5088, CVE-2015-5089, CVE-2015-5090, CVE-2015-5091, CVE-2015-5092, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5096, CVE-2015-5097, CVE-2015-5098, CVE-2015-5099, CVE-2015-5100, CVE-2015-5101, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5105, CVE-2015-5106, CVE-2015-5107, CVE-2015-5108, CVE-2015-5109, CVE-2015-5110, CVE-2015-5111, CVE-2015-5113, CVE-2015-5114, CVE-2015-5115 Platform: Windows and Macintosh Summary Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Affected Versions Product Track Affected Versions Platform Acrobat DC Continuous 2015.007.20033 Windows and Macintosh Acrobat Reader DC Continuous 2015.007.20033 Windows and Macintosh Acrobat DC Classic 2015.006.30033 Windows and Macintosh Acrobat Reader DC Classic 2015.006.30033 Windows and Macintosh Acrobat XI N/A 11.0.11 and earlier versions Windows and Macintosh Acrobat X N/A 10.1.14 and earlier versions Windows and Macintosh Reader XI N/A 11.0.11 and earlier versions Windows and Macintosh Reader X N/A 10.1.14 and earlier versions Windows and Macintosh For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC FAQ page. Solution Adobe recommends users update their software installations to the latest versions via one of the following methods: Users can update their product installations manually by choosing Help > Check for Updates. The products will update automatically, without requiring user intervention, when updates are detected. The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center. For IT administrators (managed environments): Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers. Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on Macintosh, Apple Remote Desktop and SSH. Product Track Updated Versions Platform Priority Rating Availability Acrobat DC Continuous 2015.008.20082 Windows and Macintosh 2 Windows Macintosh Acrobat Reader DC Continuous 2015.008.20082 Windows and Macintosh 2 Download Center Acrobat DC Classic 2015.006.30060 Windows and Macintosh 2 Windows Macintosh Acrobat Reader DC Classic 2015.006.30060 Windows and Macintosh 2 Windows Macintosh Acrobat XI N/A 11.0.12 Windows and Macintosh 2 Windows Macintosh Acrobat X N/A 10.1.15 Windows and Macintosh 2 Windows Macintosh Reader XI N/A 11.0.12 Windows and Macintosh 2 Windows Macintosh Reader X N/A 10.1.15 Windows and Macintosh 2 Windows Macintosh Vulnerability Details These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2015-5093). These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-5096, CVE-2015-5098, CVE-2015-5105). These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-5087, CVE-2015-5094, CVE-2015-5100, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-3095, CVE-2015-5115, CVE-2014-0566). These updates resolve an information leak vulnerability (CVE-2015-5107). These updates resolve security bypass vulnerabilities that could lead to information disclosure (CVE-2015-4449, CVE-2015-4450, CVE-2015-5088, CVE-2015-5089, CVE-2015-5092, CVE-2014-8450). These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2015-5110). These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-4448, CVE-2015-5095, CVE-2015-5099, CVE-2015-5101, CVE-2015-5111, CVE-2015-5113, CVE-2015-5114). These updates resolve validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2015-4446, CVE-2015-5090, CVE-2015-5106). These updates resolve a validation bypass issue that could be exploited to cause a denial-of-service condition on the affected system (CVE-2015-5091). These updates resolve integer overflow vulnerabilities that could lead to code execution (CVE-2015-5097, CVE-2015-5108, CVE-2015-5109). These updates resolve various methods to bypass restrictions on JavaScript API execution (CVE-2015-4435, CVE-2015-4438, CVE-2015-4441, CVE-2015-4445, CVE-2015-4447, CVE-2015-4451, CVE-2015-4452, CVE-2015-5085, CVE-2015-5086). These updates resolve null-pointer dereference issues that could lead to a denial-of-service condition (CVE-2015-4443, CVE-2015-4444). Acknowledgments Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers: AbdulAziz Hariri and Jasiel Spelman of HP Zero Day Initiative (CVE-2015-5085, CVE-2015-5086, CVE-2015-5090, CVE-2015-5091) AbdulAziz Hariri of HP Zero Day Initiative (CVE-2015-4438, CVE-2015-4447, CVE-2015-4452, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5101, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5113, CVE-2015-5114, CVE-2015-5115) Alex Infhr of Cure53.de (CVE-2015-4449, CVE-2015-4450, CVE-2015-5088, CVE-2015-5089, CVE-2014-8450) bilou working with VeriSign iDefense Labs (CVE-2015-4448, CVE-2015-5099) Brian Gorenc of HP Zero Day Initiative (CVE-2015-5100, CVE-2015-5111) Security Research Team at MWR Labs (@mwrlabs) (CVE-2015-4451) James Forshaw of Google Project Zero (CVE-2015-4446) Jihui Lu of KeenTeam (CVE-2015-5087) JinCheng Liu of the Alibaba Security Research Team (CVE-2015-5098) Jun Xie of the Alibaba Security Research Team (CVE-2015-5096, CVE-2015-5097, CVE-2015-5105) Keen Team working with HP's Zero Day Initiative (CVE-2015-5108) kernelsmith working with HP's Zero Day Initiative (CVE-2015-4435, CVE-2015-4441) Mateusz Jurczyk of Google Project Zero (CVE-2015-3095) Matt Molinyawe of HP Zero Day Initiative (CVE-2015-4445) Mauro Gentile of Minded Security (CVE-2015-5092) Nicolas Joly working with HP's Zero Day Initiative (CVE-2015-5106, CVE-2015-5107, CVE-2015-5109, CVE-2015-5110) Wei Lei and Wu Hongjun of Nanyang Technological University (CVE-2014-0566) Wu Ha of the Alibaba Security Research Team (CVE-2015-4443, CVE-2015-4444) - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVaXCgn6ZAP0PgtI9AQKAGg/+NLWjTlApmqP+xh8a2GHtT30+sI5jZUNN 9E0JLVulfkvL/H4FwvqyFDCV5HmHc20Tkiq4IMFWhJXZacG5p0QnVjr/K2BL8TmE z0w1C1hUFCagh3OCX5fR8lCXTv7ih4tQ6WS4D1ZWxKg1bK43l1ErZSMQlggnBTwF zMBguP+lSQEWtbIjRarsS8rnUt6e9jcDOsKmeqDAOUwtF0vXB3JWrm/WcvZss5wz KJuEM6/cmWWN+PNZnIwHGTERNfi1S8UqhPI9SefW9yGhQ/qPa0kScMkMhcaD931+ 2+dnLcigpkQ6UNekK1RykzxkeIj7bqbBS/hvQEjr3JWUDjopuodmeuWVtS81F7eX Ps/cM4TSBmyW1o5h0sDOC0VCe+Gc8WRvtB3zpB9mrVMz3UkJ3SK17i9debCpPtTU lsuoVbYoHdi9TTLV5oK2jkI2+kZwoI9u2l+jN1v+7HQrsIsZ75mMEV0kAO1TCawi edErVMcxb55YlQwuRqh2CyxgVXRjGcecuLhJ0tFscjmy96p+u+MDeivQoJr4dfoX WqnOGG+l7ByCNLyLzxqD3zZwVogWCH1I1dq1ED3wY6Ky7YOcPgZzjSN9sIRa9bx4 4FZS4JDqgm3hN+zmXB+1CQDM+9nrn0yqec7NJQsuE1Z0Zh+kNndPgvJRmJwHTrKp Tpl+EwhJghU= =lmVh -----END PGP SIGNATURE-----