Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.1867
Security Updates Available for Adobe Acrobat and Reader
15 July 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Adobe Acrobat
Adobe Reader
Publisher: Adobe
Operating System: Windows
OS X
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Access Privileged Data -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-5115 CVE-2015-5114 CVE-2015-5113
CVE-2015-5111 CVE-2015-5110 CVE-2015-5109
CVE-2015-5108 CVE-2015-5107 CVE-2015-5106
CVE-2015-5105 CVE-2015-5104 CVE-2015-5103
CVE-2015-5102 CVE-2015-5101 CVE-2015-5100
CVE-2015-5099 CVE-2015-5098 CVE-2015-5097
CVE-2015-5096 CVE-2015-5095 CVE-2015-5094
CVE-2015-5093 CVE-2015-5092 CVE-2015-5091
CVE-2015-5090 CVE-2015-5089 CVE-2015-5088
CVE-2015-5087 CVE-2015-5086 CVE-2015-5085
CVE-2015-4452 CVE-2015-4451 CVE-2015-4450
CVE-2015-4449 CVE-2015-4448 CVE-2015-4447
CVE-2015-4446 CVE-2015-4445 CVE-2015-4444
CVE-2015-4443 CVE-2015-4441 CVE-2015-4438
CVE-2015-4435 CVE-2015-3095 CVE-2014-8450
CVE-2014-0566
Reference: ESB-2014.1607
Original Bulletin:
https://helpx.adobe.com/security/products/reader/apsb15-15.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Adobe Security Bulletin
Security Updates Available for Adobe Acrobat and Reader
Release date: July 14, 2015
Vulnerability identifier: APSB15-15
Priority: See table below
CVE numbers:CVE-2014-0566, CVE-2014-8450, CVE-2015-3095, CVE-2015-4435,
CVE-2015-4438, CVE-2015-4441, CVE-2015-4443, CVE-2015-4444, CVE-2015-4445,
CVE-2015-4446, CVE-2015-4447, CVE-2015-4448, CVE-2015-4449, CVE-2015-4450,
CVE-2015-4451, CVE-2015-4452, CVE-2015-5085, CVE-2015-5086, CVE-2015-5087,
CVE-2015-5088, CVE-2015-5089, CVE-2015-5090, CVE-2015-5091, CVE-2015-5092,
CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5096, CVE-2015-5097,
CVE-2015-5098, CVE-2015-5099, CVE-2015-5100, CVE-2015-5101, CVE-2015-5102,
CVE-2015-5103, CVE-2015-5104, CVE-2015-5105, CVE-2015-5106, CVE-2015-5107,
CVE-2015-5108, CVE-2015-5109, CVE-2015-5110, CVE-2015-5111, CVE-2015-5113,
CVE-2015-5114, CVE-2015-5115
Platform: Windows and Macintosh
Summary
Adobe has released security updates for Adobe Acrobat and Reader for Windows
and Macintosh. These updates address critical vulnerabilities that could
potentially allow an attacker to take control of the affected system.
Affected Versions
Product Track Affected Versions Platform
Acrobat DC Continuous 2015.007.20033 Windows and Macintosh
Acrobat Reader DC Continuous 2015.007.20033 Windows and Macintosh
Acrobat DC Classic 2015.006.30033 Windows and Macintosh
Acrobat Reader DC Classic 2015.006.30033 Windows and Macintosh
Acrobat XI N/A 11.0.11 and earlier versions Windows and Macintosh
Acrobat X N/A 10.1.14 and earlier versions Windows and Macintosh
Reader XI N/A 11.0.11 and earlier versions Windows and Macintosh
Reader X N/A 10.1.14 and earlier versions Windows and Macintosh
For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. For
questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC FAQ
page.
Solution
Adobe recommends users update their software installations to the latest
versions via one of the following methods:
Users can update their product installations manually by choosing Help >
Check for Updates.
The products will update automatically, without requiring user
intervention, when updates are detected.
The full Acrobat Reader installer can be downloaded from the Acrobat
Reader Download Center.
For IT administrators (managed environments):
Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or
refer to the specific release note version for links to installers.
Install updates via your preferred methodology, such as AIP-GPO,
bootstrapper, SCUP/SCCM (Windows), or on Macintosh, Apple Remote Desktop and
SSH.
Product Track Updated Versions Platform Priority Rating Availability
Acrobat DC Continuous 2015.008.20082 Windows and Macintosh 2 Windows
Macintosh
Acrobat Reader DC Continuous 2015.008.20082 Windows and Macintosh 2 Download Center
Acrobat DC Classic 2015.006.30060 Windows and Macintosh 2 Windows
Macintosh
Acrobat Reader DC Classic 2015.006.30060 Windows and Macintosh 2 Windows
Macintosh
Acrobat XI N/A 11.0.12 Windows and Macintosh 2 Windows
Macintosh
Acrobat X N/A 10.1.15 Windows and Macintosh 2 Windows
Macintosh
Reader XI N/A 11.0.12 Windows and Macintosh 2 Windows
Macintosh
Reader X N/A 10.1.15 Windows and Macintosh 2 Windows
Macintosh
Vulnerability Details
These updates resolve a buffer overflow vulnerability that could lead to
code execution (CVE-2015-5093).
These updates resolve heap buffer overflow vulnerabilities that could lead
to code execution (CVE-2015-5096, CVE-2015-5098, CVE-2015-5105).
These updates resolve memory corruption vulnerabilities that could lead to
code execution (CVE-2015-5087, CVE-2015-5094, CVE-2015-5100, CVE-2015-5102,
CVE-2015-5103, CVE-2015-5104, CVE-2015-3095, CVE-2015-5115, CVE-2014-0566).
These updates resolve an information leak vulnerability (CVE-2015-5107).
These updates resolve security bypass vulnerabilities that could lead to
information disclosure (CVE-2015-4449, CVE-2015-4450, CVE-2015-5088,
CVE-2015-5089, CVE-2015-5092, CVE-2014-8450).
These updates resolve a stack overflow vulnerability that could lead to
code execution (CVE-2015-5110).
These updates resolve use-after-free vulnerabilities that could lead to
code execution (CVE-2015-4448, CVE-2015-5095, CVE-2015-5099, CVE-2015-5101,
CVE-2015-5111, CVE-2015-5113, CVE-2015-5114).
These updates resolve validation bypass issues that could be exploited to
perform privilege escalation from low to medium integrity level
(CVE-2015-4446, CVE-2015-5090, CVE-2015-5106).
These updates resolve a validation bypass issue that could be exploited to
cause a denial-of-service condition on the affected system (CVE-2015-5091).
These updates resolve integer overflow vulnerabilities that could lead to
code execution (CVE-2015-5097, CVE-2015-5108, CVE-2015-5109).
These updates resolve various methods to bypass restrictions on JavaScript
API execution (CVE-2015-4435, CVE-2015-4438, CVE-2015-4441, CVE-2015-4445,
CVE-2015-4447, CVE-2015-4451, CVE-2015-4452, CVE-2015-5085, CVE-2015-5086).
These updates resolve null-pointer dereference issues that could lead to a
denial-of-service condition (CVE-2015-4443, CVE-2015-4444).
Acknowledgments
Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:
AbdulAziz Hariri and Jasiel Spelman of HP Zero Day Initiative
(CVE-2015-5085, CVE-2015-5086, CVE-2015-5090, CVE-2015-5091)
AbdulAziz Hariri of HP Zero Day Initiative (CVE-2015-4438, CVE-2015-4447,
CVE-2015-4452, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5101,
CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5113, CVE-2015-5114,
CVE-2015-5115)
Alex Infhr of Cure53.de (CVE-2015-4449, CVE-2015-4450, CVE-2015-5088,
CVE-2015-5089, CVE-2014-8450)
bilou working with VeriSign iDefense Labs (CVE-2015-4448, CVE-2015-5099)
Brian Gorenc of HP Zero Day Initiative (CVE-2015-5100, CVE-2015-5111)
Security Research Team at MWR Labs (@mwrlabs) (CVE-2015-4451)
James Forshaw of Google Project Zero (CVE-2015-4446)
Jihui Lu of KeenTeam (CVE-2015-5087)
JinCheng Liu of the Alibaba Security Research Team (CVE-2015-5098)
Jun Xie of the Alibaba Security Research Team (CVE-2015-5096,
CVE-2015-5097, CVE-2015-5105)
Keen Team working with HP's Zero Day Initiative (CVE-2015-5108)
kernelsmith working with HP's Zero Day Initiative (CVE-2015-4435,
CVE-2015-4441)
Mateusz Jurczyk of Google Project Zero (CVE-2015-3095)
Matt Molinyawe of HP Zero Day Initiative (CVE-2015-4445)
Mauro Gentile of Minded Security (CVE-2015-5092)
Nicolas Joly working with HP's Zero Day Initiative (CVE-2015-5106,
CVE-2015-5107, CVE-2015-5109, CVE-2015-5110)
Wei Lei and Wu Hongjun of Nanyang Technological University (CVE-2014-0566)
Wu Ha of the Alibaba Security Research Team (CVE-2015-4443, CVE-2015-4444)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVaXCgn6ZAP0PgtI9AQKAGg/+NLWjTlApmqP+xh8a2GHtT30+sI5jZUNN
9E0JLVulfkvL/H4FwvqyFDCV5HmHc20Tkiq4IMFWhJXZacG5p0QnVjr/K2BL8TmE
z0w1C1hUFCagh3OCX5fR8lCXTv7ih4tQ6WS4D1ZWxKg1bK43l1ErZSMQlggnBTwF
zMBguP+lSQEWtbIjRarsS8rnUt6e9jcDOsKmeqDAOUwtF0vXB3JWrm/WcvZss5wz
KJuEM6/cmWWN+PNZnIwHGTERNfi1S8UqhPI9SefW9yGhQ/qPa0kScMkMhcaD931+
2+dnLcigpkQ6UNekK1RykzxkeIj7bqbBS/hvQEjr3JWUDjopuodmeuWVtS81F7eX
Ps/cM4TSBmyW1o5h0sDOC0VCe+Gc8WRvtB3zpB9mrVMz3UkJ3SK17i9debCpPtTU
lsuoVbYoHdi9TTLV5oK2jkI2+kZwoI9u2l+jN1v+7HQrsIsZ75mMEV0kAO1TCawi
edErVMcxb55YlQwuRqh2CyxgVXRjGcecuLhJ0tFscjmy96p+u+MDeivQoJr4dfoX
WqnOGG+l7ByCNLyLzxqD3zZwVogWCH1I1dq1ED3wY6Ky7YOcPgZzjSN9sIRa9bx4
4FZS4JDqgm3hN+zmXB+1CQDM+9nrn0yqec7NJQsuE1Z0Zh+kNndPgvJRmJwHTrKp
Tpl+EwhJghU=
=lmVh
-----END PGP SIGNATURE-----