SecurityTracker.com
Category:   Application (Generic)  >   Adobe Acrobat/Reader
Vendors:   Adobe Systems Incorporated
Adobe Acrobat/Reader Multiple Bugs Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1026044
SecurityTracker URL:  http://securitytracker.com/id/1026044
CVE Reference:   CVE-2011-1353, CVE-2011-2431, CVE-2011-2432, CVE-2011-2433, CVE-2011-2434, CVE-2011-2435, CVE-2011-2436, CVE-2011-2437, CVE-2011-2438, CVE-2011-2439, CVE-2011-2440, CVE-2011-2441, CVE-2011-2442
Date:  Sep 13 2011
Impact:   Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 8.x prior to 8.3.1, 9.x prior to 9.4.6, and 10.x prior to 10.1.1
Description:   Multiple vulnerabilities were reported in Adobe Acrobat/Reader. A remote user can cause arbitrary code to be executed on the target user's system. A local user can gain elevated privileges on the target system.

A remote user can create a specially crafted file that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.

A security bypass vulnerability can trigger code execution [CVE-2011-2431].

A buffer overflow vulnerability in the U3D TIFF Resource can cause code execution [CVE-2011-2432].

A heap overflow can cause code execution [CVE-2011-2433, CVE-2011-2434, CVE-2011-2436, CVE-2011-2437].

A buffer overflow can cause code execution [CVE-2011-2435].

Several stack overflows can cause code execution [CVE-2011-2438].

A memory leak can cause code execution [CVE-2011-2439].

A use-after-free memory error can cause code execution [CVE-2011-2440].

Two stack overflows in the 'CoolType.dll' library can cause code execution [CVE-2011-2441].

A logic error can cause code execution [CVE-2011-2442].

A local user on Windows-based systems can gain elevated privileges [CVE-2011-1353]. Adobe Reader 10.x is affected.

Paul Sabanal and Mark Yason from IBM X-Force Advanced Research, Zhenhua Liu of Fortinet's Fortiguard Labs, Vladimir Vorontsov of ONsec, binaryproof (via Tipping Point's Zero Day Initiative), James Quirk of Los Alamos, an anonymous reporter (via iDefense Labs), and Tavis Ormandy of the Google Security Team reported these vulnerabilities.

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

A local user can gain elevated privileges on the target system.

Solution:   The vendor has issued a fix (8.3.1, 9.4.6, 10.1.1).

Adobe Reader 9.4.6 for UNIX is planned for release on November 7, 2011.

The vendor's advisory is available at:

http://www.adobe.com/support/security/bulletins/apsb11-24.html

Vendor URL:  www.adobe.com/support/security/bulletins/apsb11-24.html
Cause:   Access control error, Boundary error
Underlying OS:  Linux (Any), UNIX (macOS/OS X), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 8 2011 (Red Hat Issues Fix) Adobe Acrobat/Reader Multiple Bugs Let Remote Users Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 4, 5, and 6.



 Source Message Contents



[Original Message Not Available for Viewing]

