Operating System:

[Win][OSX]

Published:

22 December 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2015.2563.4
          Security Updates Available for Adobe Acrobat and Reader
                             22 December 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Acrobat
                   Adobe Reader DC
Publisher:         Adobe
Operating System:  Windows
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-8458 CVE-2015-7829 CVE-2015-7650
                   CVE-2015-7624 CVE-2015-7623 CVE-2015-7622
                   CVE-2015-7621 CVE-2015-7620 CVE-2015-7619
                   CVE-2015-7618 CVE-2015-7617 CVE-2015-7616
                   CVE-2015-7615 CVE-2015-7614 CVE-2015-6725
                   CVE-2015-6724 CVE-2015-6723 CVE-2015-6722
                   CVE-2015-6721 CVE-2015-6720 CVE-2015-6719
                   CVE-2015-6718 CVE-2015-6717 CVE-2015-6716
                   CVE-2015-6715 CVE-2015-6714 CVE-2015-6713
                   CVE-2015-6712 CVE-2015-6711 CVE-2015-6710
                   CVE-2015-6709 CVE-2015-6708 CVE-2015-6707
                   CVE-2015-6706 CVE-2015-6705 CVE-2015-6704
                   CVE-2015-6703 CVE-2015-6702 CVE-2015-6701
                   CVE-2015-6700 CVE-2015-6699 CVE-2015-6698
                   CVE-2015-6697 CVE-2015-6696 CVE-2015-6695
                   CVE-2015-6694 CVE-2015-6693 CVE-2015-6692
                   CVE-2015-6691 CVE-2015-6690 CVE-2015-6689
                   CVE-2015-6688 CVE-2015-6687 CVE-2015-6686
                   CVE-2015-6685 CVE-2015-6684 CVE-2015-6683
                   CVE-2015-5586 CVE-2015-5583 

Original Bulletin: 
   https://helpx.adobe.com/security/products/acrobat/apsb15-24.html

Revision History:  December 22 2015: Added a reference to CVE-2015-8458, which was fixed in the October 13 release of Acrobat and Reader but accidentally omitted from the bulletins.
                   November  3 2015: Added a reference to CVE-2015-7829, which was reported as a vulnerability in Acrobat and Reader but resolved via a security fix in Windows referenced in MS15-090.  Also, added a reference to CVE-2015-7650, which was fixed in the October 13 release of Acrobat and Reader but accidentally omitted from the bulletins. 
                   October  14 2015: Adobe has replaced the prenotification advisory released on October 8 with details of security updates and vulnerabilities
                   October   9 2015: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Updates Available for Adobe Acrobat and Reader

Release date: October 13, 2015

Last updated: December 11, 2015

Vulnerability identifier: APSB15-24

Priority: See table below

CVE Numbers: CVE-2015-5583, CVE-2015-5586, CVE-2015-6683, CVE-2015-6684, 
CVE-2015-6685, CVE-2015-6686, CVE-2015-6687, CVE-2015-6688, CVE-2015-6689, 
CVE-2015-6690, CVE-2015-6691, CVE-2015-6692, CVE-2015-6693, CVE-2015-6694, 
CVE-2015-6695, CVE-2015-6696, CVE-2015-6697, CVE-2015-6698, CVE-2015-6699, 
CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, CVE-2015-6704, 
CVE-2015-6705, CVE-2015-6706, CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, 
CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-6713, CVE-2015-6714, 
CVE-2015-6715, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, 
CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, 
CVE-2015-6725, CVE-2015-7614, CVE-2015-7615, CVE-2015-7616, CVE-2015-7617, 
CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, CVE-2015-7621, CVE-2015-7622, 
CVE-2015-7623, CVE-2015-7624, CVE-2015-7650, CVE-2015-8458

Platform: Windows and Macintosh

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows 
and Macintosh. These updates address critical vulnerabilities that could 
potentially allow an attacker to take control of the affected system.

Affected Versions

Product            Track       Affected Versions                    Platform
Acrobat DC         Continuous  2015.008.20082 and earlier versions  Windows and Macintosh
Acrobat Reader DC  Continuous  2015.008.20082 and earlier versions  Windows and Macintosh
Acrobat DC         Classic     2015.006.30060 and earlier versions  Windows and Macintosh
Acrobat Reader DC  Classic     2015.006.30060 and earlier versions  Windows and Macintosh
Acrobat XI         Desktop     11.0.12 and earlier versions         Windows and Macintosh
Reader XI          Desktop     11.0.12 and earlier versions         Windows and Macintosh
Acrobat X          Desktop     10.1.15 and earlier versions         Windows and Macintosh
Reader X           Desktop     10.1.15 and earlier versions         Windows and Macintosh

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. For
questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC FAQ
page.

Adobe recommends users update their software installations to the latest 
versions by following the instructions below.

The latest product versions are available to end users via one of the 
following methods:

Users can update their product installations manually by choosing Help > Check
for Updates.

The products will update automatically, without requiring user intervention, 
when updates are detected.

The full Acrobat Reader installer can be downloaded from the Acrobat Reader 
Download Center.

For IT administrators (managed environments):

Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or 
refer to the specific release note version for links to installers.

Install updates via your preferred methodology, such as AIP-GPO, bootstrapper,
SCUP/SCCM (Windows), or on Macintosh, Apple Remote Desktop and SSH.

Product            Track       Updated Versions  Platform               Priority Rating  Availability
Acrobat DC         Continuous  2015.009.20069    Windows and Macintosh  2                Windows Macintosh
Acrobat Reader DC  Continuous  2015.009.20069    Windows and Macintosh  2                Download Center
Acrobat DC         Classic     2015.006.30094    Windows and Macintosh  2                Windows Macintosh
Acrobat Reader DC  Classic     2015.006.30094    Windows and Macintosh  2                Windows Macintosh
Acrobat XI         Desktop     11.0.13           Windows and Macintosh  2                Windows Macintosh
Reader XI          Desktop     11.0.13           Windows and Macintosh  2                Windows Macintosh
Acrobat X          Desktop     10.1.16           Windows and Macintosh  2                Windows Macintosh
Reader X           Desktop     10.1.16           Windows and Macintosh  2                Windows Macintosh
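
The version tables above can be turned into a patch-status check for an asset inventory. The following is an added example, not part of Adobe's bulletin or AusCERT's redistribution; the host names, inventory rows and function names are constructed, and the track of each install is assumed to be supplied by the inventory source. It compares versions numerically and per track, because a patched Classic build (2015.006.30094) sorts below an unpatched Continuous build (2015.008.20082).

```python
# Added example: triage installs against the APSB15-24 "Updated Versions" table.
# "DC" covers both Acrobat DC and Acrobat Reader DC, "XI"/"X" both Acrobat and Reader.
FIXED = {
    ("DC", "Continuous"): "2015.009.20069",
    ("DC", "Classic"): "2015.006.30094",
    ("XI", "Desktop"): "11.0.13",
    ("X", "Desktop"): "10.1.16",
}

def parse_version(text):
    """Turn '2015.008.20082' into (2015, 8, 20082) so comparison is numeric."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def status(family, track, installed):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    fixed = FIXED.get((family, track))
    if fixed is None:
        return "unknown"  # product/track not listed in this bulletin
    try:
        current = parse_version(installed)
    except ValueError:
        return "unknown"  # do not guess on malformed inventory data
    # Anything below the fixed build is treated as vulnerable (conservative).
    return "patched" if current >= parse_version(fixed) else "vulnerable"

def triage(rows):
    """Map host -> status for (host, family, track, version) rows."""
    return {host: status(fam, track, ver) for host, fam, track, ver in rows}

# Constructed sample inventory (host names are made up).
SAMPLE = [
    ("ws-01", "DC", "Continuous", "2015.008.20082"),
    ("ws-02", "DC", "Classic", "2015.006.30094"),
    ("ws-03", "DC", "Classic", "2015.006.30060"),
    ("mac-01", "XI", "Desktop", "11.0.13"),
    ("mac-02", "X", "Desktop", "10.1.9"),  # a string compare would rank this above 10.1.16
    ("ws-04", "XI", "Desktop", "11.0"),    # malformed on purpose
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(f"{host}: {result}")
```
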

Vulnerability Details

These updates resolve a buffer overflow vulnerability that could lead to 
information disclosure (CVE-2015-6692).

These updates resolve use-after-free vulnerabilities that could lead to code 
execution (CVE-2015-6689, CVE-2015-6688, CVE-2015-6690, CVE-2015-7615, 
CVE-2015-7617, CVE-2015-6687, CVE-2015-6684, CVE-2015-6691, CVE-2015-7621, 
CVE-2015-5586, CVE-2015-6683).

These updates resolve heap buffer overflow vulnerabilities that could lead to
code execution (CVE-2015-6696, CVE-2015-6698, CVE-2015-8458).

These updates resolve memory corruption vulnerabilities that could lead to 
code execution (CVE-2015-6685, CVE-2015-6693, CVE-2015-6694, CVE-2015-6695, 
CVE-2015-6686, CVE-2015-7622, CVE-2015-7650).

These updates resolve memory leak vulnerabilities (CVE-2015-6699, 
CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, CVE-2015-6704, 
CVE-2015-6697).

These updates resolve security bypass vulnerabilities that could lead to 
information disclosure (CVE-2015-5583, CVE-2015-6705, CVE-2015-6706, 
CVE-2015-7624).

These updates resolve various methods to bypass restrictions on Javascript API
execution (CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, 
CVE-2015-6711, CVE-2015-6712, CVE-2015-7614, CVE-2015-7616, CVE-2015-6716, 
CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, 
CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7618, 
CVE-2015-7619, CVE-2015-7620, CVE-2015-7623, CVE-2015-6713, CVE-2015-6714, 
CVE-2015-6715).

Acknowledgments

Adobe would like to thank the following individuals and organizations for 
reporting the relevant issues and for working with Adobe to help protect our 
customers:

AbdulAziz Hariri of HP Zero Day Initiative (CVE-2015-6708, CVE-2015-6709, 
CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-7614, CVE-2015-7616, 
CVE-2015-6689, CVE-2015-6688, CVE-2015-6690, CVE-2015-7615, CVE-2015-7617, 
CVE-2015-6697, CVE-2015-6685, CVE-2015-6693, CVE-2015-6694, CVE-2015-6695, 
CVE-2015-6707)

AbdulAziz Hariri and Jasiel Spelman of HP Zero Day Initiative (CVE-2015-5583,
CVE-2015-6699, CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, 
CVE-2015-6704)

Alex Inführ of Cure53.de (CVE-2015-6705, CVE-2015-6706)

Bill Finlayson of Vectra Networks (CVE-2015-6687)

bilou working with VeriSign iDefense Labs (CVE-2015-6684)

Brian Gorenc of HP Zero Day Initiative (CVE-2015-6686)

Francis Provencher from COSIG (CVE-2015-7622)

Jaanus Kääp of Clarified Security working with HP's Zero Day Initiative 
(CVE-2015-6696, CVE-2015-6698)

Jack Tang of TrendMicro (CVE-2015-6692)

James Loureiro of MWR Labs (CVE-2015-6691)

Joel Brewer (CVE-2015-7624)

kdot working with HP's Zero Day Initiative (CVE-2015-7621, CVE-2015-7650)

Matt Molinyawe and Jasiel Spelman of HP's Zero Day Initiative (CVE-2015-6716,
CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, 
CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7618, 
CVE-2015-7619, CVE-2015-7620)

Matt Molinyawe of HP Zero Day Initiative (CVE-2015-7623)

WanderingGlitch of HP's Zero Day Initiative (CVE-2015-6713, CVE-2015-6714, 
CVE-2015-6715)

Wei Lei and Wu Hongjun of Nanyang Technological University (CVE-2015-5586)

Wei Lei, as well as Wu Hongjun of Nanyang Technological University working 
with Verisign iDefense Labs (CVE-2015-6683)

AbdulAziz Hariri and Jasiel Spelman of HP Zero Day Initiative for 
defense-in-depth contributions (CVE-2015-7829)

Fritz Sands working with HP's Zero Day Initiative (CVE-2015-8458)

Revisions

October 29: Added a reference to CVE-2015-7829, which was reported as a 
vulnerability in Acrobat and Reader but resolved via a security fix in Windows
referenced in MS15-090. Also, added a reference to CVE-2015-7650, which was 
fixed in the October 13 release of Acrobat and Reader but accidentally omitted
from the bulletins.

December 11: Added a reference to CVE-2015-8458, which was fixed in the 
October 13 release of Acrobat and Reader but accidentally omitted from the 
bulletins.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----