Executive Summary
Summary | |
---|---|
Title | Adobe Reader and Acrobat Vulnerabilities |
Informations | |||
---|---|---|---|
Name | TA10-013A | First vendor Publication | 2010-01-13 |
Vendor | US-CERT | Last vendor Modification | 2010-01-13 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Adobe has released Security bulletin APSB10-02, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat. I. Description Adobe Security Advisory APSB10-02 describes a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Reader 9.2 and earlier 9.x versions and An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in is available for multiple web browsers and operating systems, which can automatically open PDF documents hosted on a website. Some of these vulnerabilities are being actively exploited. II. Impact These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF document. III. Solution Update Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB10-02 and update vulnerable versions of Adobe Reader and Acrobat. Disable JavaScript in Adobe Reader and Acrobat Disabling JavaScript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript; un-check Enable Acrobat JavaScript). Prevent Internet Explorer from automatically opening PDF documents The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\AcroExch.Document.7] Disable the display of PDF documents in the web browser Preventing PDF documents from opening inside a web browser will partially mitigate this vulnerability. If this workaround is applied it may also mitigate future vulnerabilities. To prevent PDF documents from automatically being opened in a web browser, do the following: 1. Open Adobe Acrobat Reader. Do not access PDF documents from untrusted sources Do not open unfamiliar or unexpected PDF documents, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010. |
Original Source
Url : http://www.us-cert.gov/cas/techalerts/TA10-013A.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
14 % | CWE-787 | Out-of-bounds Write (CWE/SANS Top 25) |
14 % | CWE-416 | Use After Free |
14 % | CWE-399 | Resource Management Errors |
14 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
14 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
14 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
14 % | CWE-16 | Configuration |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:21374 | |||
Oval ID: | oval:org.mitre.oval:def:21374 | ||
Title: | RHSA-2010:0037: acroread security and bug fix update (Critical) | ||
Description: | Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0037-01 CVE-2009-3953 CVE-2009-3954 CVE-2009-3955 CVE-2009-3956 CVE-2009-3959 CVE-2009-4324 | Version: | 81 |
Platform(s): | Red Hat Enterprise Linux 5 | Product(s): | acroread |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22917 | |||
Oval ID: | oval:org.mitre.oval:def:22917 | ||
Title: | ELSA-2010:0037: acroread security and bug fix update (Critical) | ||
Description: | Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0037-01 CVE-2009-3953 CVE-2009-3954 CVE-2009-3955 CVE-2009-3956 CVE-2009-3959 CVE-2009-4324 | Version: | 29 |
Platform(s): | Oracle Linux 5 | Product(s): | acroread |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:6795 | |||
Oval ID: | oval:org.mitre.oval:def:6795 | ||
Title: | Adobe Reader and Acrobat Unspecified Code Execution Vulnerability | ||
Description: | Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-4324 | Version: | 16 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows 7 | Product(s): | Adobe Reader Adobe Acrobat |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:7975 | |||
Oval ID: | oval:org.mitre.oval:def:7975 | ||
Title: | Adobe Reader and Acrobat Null Pointer Dereference Denial of Service Vulnerability | ||
Description: | Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow attackers to cause a denial of service (NULL pointer dereference) via unspecified vectors. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-3957 | Version: | 16 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows 7 | Product(s): | Adobe Reader Adobe Acrobat |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:8242 | |||
Oval ID: | oval:org.mitre.oval:def:8242 | ||
Title: | Adobe Reader and Acrobat U3D Remote Code Execution Vulnerability | ||
Description: | The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 allows remote attackers to execute arbitrary code via malformed U3D data in a PDF document, related to a CLODProgressiveMeshDeclaration "array boundary issue," a different vulnerability than CVE-2009-2994. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-3953 | Version: | 16 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows 7 | Product(s): | Adobe Reader Adobe Acrobat |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:8255 | |||
Oval ID: | oval:org.mitre.oval:def:8255 | ||
Title: | Adobe Reader and Acrobat JpxDecode Memory Corruption Vulnerability | ||
Description: | Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted JPC_MS_RGN marker in the Jp2c stream of a JpxDecode encoded data stream, which triggers an integer sign extension that bypasses a sanity check, leading to memory corruption. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-3955 | Version: | 16 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows 7 | Product(s): | Adobe Reader Adobe Acrobat |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:8327 | |||
Oval ID: | oval:org.mitre.oval:def:8327 | ||
Title: | Adobe Reader and Acrobat Remote Security Bypass Vulnerability | ||
Description: | The default configuration of Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, does not enable the Enhanced Security feature, which has unspecified impact and attack vectors, related to a "script injection vulnerability," as demonstrated by Acrobat Forms Data Format (FDF) behavior that allows cross-site scripting (XSS) by user-assisted remote attackers. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-3956 | Version: | 16 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows 7 | Product(s): | Adobe Reader Adobe Acrobat |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:8455 | |||
Oval ID: | oval:org.mitre.oval:def:8455 | ||
Title: | Adobe Reader and Acrobat Download Manager Remote Code Execution Vulnerability | ||
Description: | Multiple stack-based buffer overflows in the NOS Microsystems getPlus Helper ActiveX control before 1.6.2.49 in gp.ocx in the Download Manager in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow remote attackers to execute arbitrary code via unspecified initialization parameters. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-3958 | Version: | 16 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows 7 | Product(s): | Adobe Reader Adobe Acrobat |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:8528 | |||
Oval ID: | oval:org.mitre.oval:def:8528 | ||
Title: | Adobe Reader and Acrobat DLL Loading in 3D Remote Code Execution Vulnerability | ||
Description: | The 3D implementation in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow attackers to execute arbitrary code via unspecified vectors, related to a "DLL-loading vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-3954 | Version: | 16 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows 7 | Product(s): | Adobe Reader Adobe Acrobat |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:8539 | |||
Oval ID: | oval:org.mitre.oval:def:8539 | ||
Title: | Adobe Reader and Acrobat U3D Support Remote Code Execution Vulnerability | ||
Description: | Integer overflow in the U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a malformed PDF document. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-3959 | Version: | 16 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows 7 | Product(s): | Adobe Reader Adobe Acrobat |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
SAINT Exploits
Description | Link |
---|---|
Adobe Reader media.newPlayer Use-After-Free Code Execution | More info here |
ExploitDB Exploits
id | Description |
---|---|
2009-12-23 | Adobe Reader and Acrobat (CVE-2009-4324) Exploit |
OpenVAS Exploits
Date | Description |
---|---|
2011-03-09 | Name : Gentoo Security Advisory GLSA 201009-05 (acroread) File : nvt/glsa_201009_05.nasl |
2010-01-29 | Name : SuSE Update for acroread SUSE-SA:2010:008 File : nvt/gb_suse_2010_008.nasl |
2010-01-16 | Name : Adobe Reader/Acrobat Multiple Vulnerabilities - Jan10 (Win) File : nvt/gb_adobe_prdts_mult_vuln_jan10_win.nasl |
2010-01-16 | Name : Adobe Reader Multiple Vulnerabilities -jan10 (Linux) File : nvt/gb_adobe_reader_mult_vuln_jan10_lin.nasl |
2009-12-21 | Name : Adobe Reader Multimeda Doc.media.newPlayer Code Execution Vulnerability (Linux) File : nvt/gb_adobe_prdts_media_obj_remote_code_exec_vuln_dec09_lin.nasl |
2009-12-21 | Name : Adobe Reader/Acrobat Multimedia Doc.media.newPlayer Code Execution Vulnerabil... File : nvt/gb_adobe_prdts_media_obj_remote_code_exec_vuln_dec09_win.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
61695 | Adobe Reader / Acrobat U3D Implementation Unspecified Overflow |
61694 | Adobe Reader / Acrobat Unspecified NULL Dereference DoS |
61693 | Adobe Reader / Acrobat Enhanced Security Feature Default Configuration Modifi... |
61692 | Adobe Reader / Acrobat PDF JpxDecode Encoded Jp2c Stream Handling Memory Corr... |
61691 | Adobe Reader / Acrobat 3D Implementation DLL-loading Unspecified Arbitrary Co... |
61690 | Adobe Reader / Acrobat U3D Implementation Array Boundary Arbitrary Code Execu... |
61688 | Adobe getPlus DLM gp.ocx ActiveX Multiple Overflows |
60980 | Adobe Reader / Acrobat Doc.media.newPlayer Use-After-Free Arbitrary Code Exec... Acrobat and Reader contain a flaw that may allow an attacker to execute arbitrary code. The issue is triggered by a use-after-free condition in Doc.media.newPlayer when parsing a specially crafted PDF file. |
Snort® IPS/IDS
Date | Description |
---|---|
2014-12-02 | Adobe Acrobat Reader JpxDecode invalid crgn memory corruption attempt RuleID : 32358 - Revision : 3 - Type : FILE-PDF |
2014-11-16 | Adobe Acrobat Reader U3D CLODMeshDeceleration code execution attempt RuleID : 31555 - Revision : 4 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28743 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28742 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28741 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28740 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28739 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28738 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28737 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28736 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28735 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28734 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28733 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28732 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28731 - Revision : 6 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28730 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28729 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28728 - Revision : 6 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt RuleID : 28454 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 23506 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt RuleID : 23505 - Revision : 6 - Type : FILE-PDF |
2014-01-10 | Phoenix exploit kit post-compromise behavior RuleID : 21860 - Revision : 5 - Type : MALWARE-CNC |
2014-01-10 | Phoenix exploit kit landing page RuleID : 21640 - Revision : 6 - Type : EXPLOIT-KIT |
2014-01-10 | Adobe Acrobat Reader U3D CLODMeshDeceleration code execution attempt RuleID : 20429 - Revision : 12 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader script injection vulnerability RuleID : 19118 - Revision : 15 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader malformed U3D integer overflow RuleID : 19117 - Revision : 15 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader JpxDecode invalid crgn memory corruption attempt RuleID : 18801 - Revision : 12 - Type : FILE-PDF |
2014-01-10 | NOS Microsystems Adobe atl_getcom ActiveX clsid unicode access RuleID : 16372 - Revision : 4 - Type : WEB-ACTIVEX |
2014-01-10 | NOS Microsystems Adobe atl_getcom ActiveX clsid access RuleID : 16371 - Revision : 12 - Type : BROWSER-PLUGINS |
2014-01-10 | Adobe Reader JP2C Region Atom CompNum memory corruption attempt RuleID : 16370 - Revision : 7 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt RuleID : 16334 - Revision : 18 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 16333 - Revision : 18 - Type : FILE-PDF |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0037.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0038.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2010-0060.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_acroread-6802.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_acroread-6803.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_acroread_ja-6804.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_acroread_ja-6805.nasl - Type : ACT_GATHER_INFO |
2010-09-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201009-05.nasl - Type : ACT_GATHER_INFO |
2010-02-02 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_acroread_ja-100128.nasl - Type : ACT_GATHER_INFO |
2010-01-25 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_acroread-100122.nasl - Type : ACT_GATHER_INFO |
2010-01-25 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_acroread-100122.nasl - Type : ACT_GATHER_INFO |
2010-01-25 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_acroread-100122.nasl - Type : ACT_GATHER_INFO |
2010-01-25 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_acroread-100122.nasl - Type : ACT_GATHER_INFO |
2010-01-13 | Name : The version of Adobe Acrobat on the remote Windows host is affected by multip... File : adobe_acrobat_apsb10-02.nasl - Type : ACT_GATHER_INFO |
2010-01-13 | Name : The PDF file viewer on the remote Windows host is affected by multiple vulner... File : adobe_reader_apsb10-02.nasl - Type : ACT_GATHER_INFO |