U-146: Adobe Reader/Acrobat Multiple Vulnerabilities

April 12, 2012 - 8:30am

PROBLEM:

Multiple vulnerabilities have been reported in Adobe Reader and Adobe Acrobat.

PLATFORM:

Adobe Acrobat 9.x
Adobe Acrobat X 10.x
Adobe Reader 9.x
Adobe Reader X 10.x

ABSTRACT:

The vulnerabilities can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, gain knowledge of potentially sensitive information, and compromise a user's system.

REFERENCE LINKS:

Vendor Advisory
Secunia Advisory SA48733
CVE-2012-0724

IMPACT ASSESSMENT:

High

Discussion:

1) An integer overflow error when handling TrueType Font (TTF) data can be exploited to corrupt memory (CVE-2012-0774).
2) An unspecified error when handling JavaScript can be exploited to corrupt memory (CVE-2012-0775).
3) The application loads executables (e.g. msiexec.exe) in an insecure manner. This can be exploited to run an arbitrary program by tricking a user into e.g. opening a file located on a remote WebDAV or SMB share and repairing the installation.
4) An unspecified error within the JavaScript API can be exploited to corrupt memory.
   NOTE: This vulnerability affects the Macintosh and Linux versions only.
5) The application bundles a vulnerable version of Adobe Flash Player.

Impact:

Security bypass
Cross-site scripting
Exposure of sensitive information
System access

Solution:

The vendor has issued a fix. The patch is available from Adobe downloads.