===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2015.2563.4
          Security Updates Available for Adobe Acrobat and Reader
                             22 December 2015
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Acrobat
                   Adobe Reader DC
Publisher:         Adobe
Operating System:  Windows
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-8458 CVE-2015-7829 CVE-2015-7650 CVE-2015-7624
                   CVE-2015-7623 CVE-2015-7622 CVE-2015-7621 CVE-2015-7620
                   CVE-2015-7619 CVE-2015-7618 CVE-2015-7617 CVE-2015-7616
                   CVE-2015-7615 CVE-2015-7614 CVE-2015-6725 CVE-2015-6724
                   CVE-2015-6723 CVE-2015-6722 CVE-2015-6721 CVE-2015-6720
                   CVE-2015-6719 CVE-2015-6718 CVE-2015-6717 CVE-2015-6716
                   CVE-2015-6715 CVE-2015-6714 CVE-2015-6713 CVE-2015-6712
                   CVE-2015-6711 CVE-2015-6710 CVE-2015-6709 CVE-2015-6708
                   CVE-2015-6707 CVE-2015-6706 CVE-2015-6705 CVE-2015-6704
                   CVE-2015-6703 CVE-2015-6702 CVE-2015-6701 CVE-2015-6700
                   CVE-2015-6699 CVE-2015-6698 CVE-2015-6697 CVE-2015-6696
                   CVE-2015-6695 CVE-2015-6694 CVE-2015-6693 CVE-2015-6692
                   CVE-2015-6691 CVE-2015-6690 CVE-2015-6689 CVE-2015-6688
                   CVE-2015-6687 CVE-2015-6686 CVE-2015-6685 CVE-2015-6684
                   CVE-2015-6683 CVE-2015-5586 CVE-2015-5583

Original Bulletin:
   https://helpx.adobe.com/security/products/acrobat/apsb15-24.html

Revision History:  December 22 2015: Added a reference to CVE-2015-8458,
                                     which was fixed in the October 13
                                     release of Acrobat and Reader but
                                     accidentally omitted from the bulletins.
                   November  3 2015: Added a reference to CVE-2015-7829,
                                     which was reported as a vulnerability in
                                     Acrobat and Reader but resolved via a
                                     security fix in Windows referenced in
                                     MS15-090. Also, added a reference to
                                     CVE-2015-7650, which was fixed in the
                                     October 13 release of Acrobat and Reader
                                     but accidentally omitted from the
                                     bulletins.
                   October  14 2015: Adobe has replaced the prenotification
                                     advisory released on October 8 with
                                     details of security updates and
                                     vulnerabilities
                   October   9 2015: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Security Updates Available for Adobe Acrobat and Reader

Release date: October 13, 2015

Last updated: December 11, 2015

Vulnerability identifier: APSB15-24

Priority: See table below

CVE Numbers: CVE-2015-5583, CVE-2015-5586, CVE-2015-6683, CVE-2015-6684,
CVE-2015-6685, CVE-2015-6686, CVE-2015-6687, CVE-2015-6688, CVE-2015-6689,
CVE-2015-6690, CVE-2015-6691, CVE-2015-6692, CVE-2015-6693, CVE-2015-6694,
CVE-2015-6695, CVE-2015-6696, CVE-2015-6697, CVE-2015-6698, CVE-2015-6699,
CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, CVE-2015-6704,
CVE-2015-6705, CVE-2015-6706, CVE-2015-6707, CVE-2015-6708, CVE-2015-6709,
CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-6713, CVE-2015-6714,
CVE-2015-6715, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719,
CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724,
CVE-2015-6725, CVE-2015-7614, CVE-2015-7615, CVE-2015-7616, CVE-2015-7617,
CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, CVE-2015-7621, CVE-2015-7622,
CVE-2015-7623, CVE-2015-7624, CVE-2015-7650, CVE-2015-8458

Platform: Windows and Macintosh

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows
and Macintosh. These updates address critical vulnerabilities that could
potentially allow an attacker to take control of the affected system.

Affected Versions

Product            Track       Affected Versions                    Platform
Acrobat DC         Continuous  2015.008.20082 and earlier versions  Windows and Macintosh
Acrobat Reader DC  Continuous  2015.008.20082 and earlier versions  Windows and Macintosh
Acrobat DC         Classic     2015.006.30060 and earlier versions  Windows and Macintosh
Acrobat Reader DC  Classic     2015.006.30060 and earlier versions  Windows and Macintosh
Acrobat XI         Desktop     11.0.12 and earlier versions         Windows and Macintosh
Reader XI          Desktop     11.0.12 and earlier versions         Windows and Macintosh
Acrobat X          Desktop     10.1.15 and earlier versions         Windows and Macintosh
Reader X           Desktop     10.1.15 and earlier versions         Windows and Macintosh

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page.
For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC
FAQ page.

Adobe recommends users update their software installations to the latest
versions by following the instructions below.

The latest product versions are available to end users via one of the
following methods:

    Users can update their product installations manually by choosing
    Help > Check for Updates.

    The products will update automatically, without requiring user
    intervention, when updates are detected.

    The full Acrobat Reader installer can be downloaded from the Acrobat
    Reader Download Center.

For IT administrators (managed environments):

    Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/,
    or refer to the specific release note version for links to installers.

    Install updates via your preferred methodology, such as AIP-GPO,
    bootstrapper, SCUP/SCCM (Windows), or on Macintosh, Apple Remote Desktop
    and SSH.
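
A triage of installed versions against the affected-version ceilings in the table above, as an added example that is not part of the Adobe or AusCERT bulletin. The inventory rows and all function names are constructed for illustration; versions are compared numerically because a plain string comparison would sort 11.0.9 above 11.0.12.

```python
# Added example: flag installs at or below the bulletin's affected ceilings.
# Ceilings are copied from the "Affected Versions" table of APSB15-24;
# the inventory rows and all function names are constructed for illustration.

AFFECTED_CEILING = {
    ("Acrobat DC", "Continuous"): "2015.008.20082",
    ("Acrobat Reader DC", "Continuous"): "2015.008.20082",
    ("Acrobat DC", "Classic"): "2015.006.30060",
    ("Acrobat Reader DC", "Classic"): "2015.006.30060",
    ("Acrobat XI", "Desktop"): "11.0.12",
    ("Reader XI", "Desktop"): "11.0.12",
    ("Acrobat X", "Desktop"): "10.1.15",
    ("Reader X", "Desktop"): "10.1.15",
}

def parse_version(text):
    """Split a dotted version into integers so 11.0.9 sorts below 11.0.12."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(product, track, installed):
    """Return 'affected', 'not affected' or 'unknown' for one install."""
    ceiling = AFFECTED_CEILING.get((product, track))
    if ceiling is None:
        return "unknown"  # product/track not listed in this bulletin
    try:
        version = parse_version(installed)
    except ValueError:
        return "unknown"  # unparseable version string: review by hand
    return "affected" if version <= parse_version(ceiling) else "not affected"

# Constructed inventory rows: (host, product, track, installed version).
INVENTORY = [
    ("ws-001", "Reader XI", "Desktop", "11.0.9"),
    ("ws-002", "Reader XI", "Desktop", "11.0.13"),
    ("ws-003", "Acrobat Reader DC", "Continuous", "2015.008.20082"),
    ("ws-004", "Acrobat DC", "Classic", "2015.006.30094"),
    ("ws-005", "Reader X", "Desktop", "10.1.x"),
]

def report(rows):
    """Map each host to its triage status."""
    return {host: triage(p, t, v) for host, p, t, v in rows}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(host, status)
```

A product-version check of this kind does not cover CVE-2015-7829, which the bulletin records as resolved via the Windows security fix referenced in MS15-090.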

Product            Track       Updated Versions  Platform               Priority Rating  Availability
Acrobat DC         Continuous  2015.009.20069    Windows and Macintosh  2                Windows Macintosh
Acrobat Reader DC  Continuous  2015.009.20069    Windows and Macintosh  2                Download Center
Acrobat DC         Classic     2015.006.30094    Windows and Macintosh  2                Windows Macintosh
Acrobat Reader DC  Classic     2015.006.30094    Windows and Macintosh  2                Windows Macintosh
Acrobat XI         Desktop     11.0.13           Windows and Macintosh  2                Windows Macintosh
Reader XI          Desktop     11.0.13           Windows and Macintosh  2                Windows Macintosh
Acrobat X          Desktop     10.1.16           Windows and Macintosh  2                Windows Macintosh
Reader X           Desktop     10.1.16           Windows and Macintosh  2                Windows Macintosh

Vulnerability Details

    These updates resolve a buffer overflow vulnerability that could lead to
    information disclosure (CVE-2015-6692).

    These updates resolve use-after-free vulnerabilities that could lead to
    code execution (CVE-2015-6689, CVE-2015-6688, CVE-2015-6690,
    CVE-2015-7615, CVE-2015-7617, CVE-2015-6687, CVE-2015-6684,
    CVE-2015-6691, CVE-2015-7621, CVE-2015-5586, CVE-2015-6683).

    These updates resolve heap buffer overflow vulnerabilities that could
    lead to code execution (CVE-2015-6696, CVE-2015-6698, CVE-2015-8458).

    These updates resolve memory corruption vulnerabilities that could lead
    to code execution (CVE-2015-6685, CVE-2015-6693, CVE-2015-6694,
    CVE-2015-6695, CVE-2015-6686, CVE-2015-7622, CVE-2015-7650).

    These updates resolve memory leak vulnerabilities (CVE-2015-6699,
    CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703,
    CVE-2015-6704, CVE-2015-6697).

    These updates resolve security bypass vulnerabilities that could lead to
    information disclosure (CVE-2015-5583, CVE-2015-6705, CVE-2015-6706,
    CVE-2015-7624).

    These updates resolve various methods to bypass restrictions on
    JavaScript API execution (CVE-2015-6707, CVE-2015-6708, CVE-2015-6709,
    CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-7614,
    CVE-2015-7616, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718,
    CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722,
    CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7618,
    CVE-2015-7619, CVE-2015-7620, CVE-2015-7623, CVE-2015-6713,
    CVE-2015-6714, CVE-2015-6715).

Acknowledgments

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:

    AbdulAziz Hariri of HP Zero Day Initiative (CVE-2015-6708,
    CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712,
    CVE-2015-7614, CVE-2015-7616, CVE-2015-6689, CVE-2015-6688,
    CVE-2015-6690, CVE-2015-7615, CVE-2015-7617, CVE-2015-6697,
    CVE-2015-6685, CVE-2015-6693, CVE-2015-6694, CVE-2015-6695,
    CVE-2015-6707)

    AbdulAziz Hariri and Jasiel Spelman of HP Zero Day Initiative
    (CVE-2015-5583, CVE-2015-6699, CVE-2015-6700, CVE-2015-6701,
    CVE-2015-6702, CVE-2015-6703, CVE-2015-6704)

    Alex Inführ of Cure53.de (CVE-2015-6705, CVE-2015-6706)

    Bill Finlayson of Vectra Networks (CVE-2015-6687)

    bilou working with VeriSign iDefense Labs (CVE-2015-6684)

    Brian Gorenc of HP Zero Day Initiative (CVE-2015-6686)

    Francis Provencher from COSIG (CVE-2015-7622)

    Jaanus Kääp of Clarified Security working with HP's Zero Day Initiative
    (CVE-2015-6696, CVE-2015-6698)

    Jack Tang of TrendMicro (CVE-2015-6692)

    James Loureiro of MWR Labs (CVE-2015-6691)

    Joel Brewer (CVE-2015-7624)

    kdot working with HP's Zero Day Initiative (CVE-2015-7621,
    CVE-2015-7650)

    Matt Molinyawe and Jasiel Spelman of HP's Zero Day Initiative
    (CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719,
    CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723,
    CVE-2015-6724, CVE-2015-6725, CVE-2015-7618, CVE-2015-7619,
    CVE-2015-7620)

    Matt Molinyawe of HP Zero Day Initiative (CVE-2015-7623)

    WanderingGlitch of HP's Zero Day Initiative (CVE-2015-6713,
    CVE-2015-6714, CVE-2015-6715)

    Wei Lei and Wu Hongjun of Nanyang Technological University
    (CVE-2015-5586)

    Wei Lei, as well as Wu Hongjun of Nanyang Technological University
    working with Verisign iDefense Labs (CVE-2015-6683)

    AbdulAziz Hariri and Jasiel Spelman of HP Zero Day Initiative for
    defense-in-depth contributions (CVE-2015-7829)

    Fritz Sands working with HP's Zero Day Initiative (CVE-2015-8458)

Revisions

October 29: Added a reference to CVE-2015-7829, which was reported as a
vulnerability in Acrobat and Reader but resolved via a security fix in
Windows referenced in MS15-090. Also, added a reference to CVE-2015-7650,
which was fixed in the October 13 release of Acrobat and Reader but
accidentally omitted from the bulletins.

December 11: Added a reference to CVE-2015-8458, which was fixed in the
October 13 release of Acrobat and Reader but accidentally omitted from the
bulletins.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================