MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2015-120

DATE(S) ISSUED:

10/13/2015

11/02/2015 - Updated

SUBJECT:
Multiple Vulnerabilities in Adobe Acrobat and Adobe Reader Could Allow for Remote Code Execution (APSB15-24)

ORIGINAL OVERVIEW:

Multiple vulnerabilities in Adobe Acrobat and Adobe Reader could allow for remote code execution. Adobe Acrobat and Reader allow a user to view, create, manipulate, print and manage files in Portable Document Format (PDF). Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or processing resources in a user's computer. Failed exploit attempts will likely cause denial-of-service conditions.

 

November 2 - UPDATED OVERVIEW:

An additional vulnerability has been reported in Acrobat Reader DC which could allow for remote code execution.

 

THREAT INTELLIGENCE

 

There are currently no reports of these vulnerabilities being exploited in the wild.

 

SYSTEMS AFFECTED:

  • Adobe Acrobat DC version 2015.008.20082 and earlier for Windows and Macintosh

  • Acrobat Reader DC version 2015.008.20082 and earlier for Windows and Macintosh

  • Acrobat DC version 2015.006.30060 and earlier for Windows and Macintosh

  • Adobe Acrobat Reader DC version 2015.006.30060 and earlier for Windows and Macintosh

  • Adobe Acrobat XI version 11.0.12 and earlier for Windows and Macintosh

  • Adobe Reader XI version 11.0.12 and earlier for Windows and Macintosh

  • Adobe Acrobat X version 10.1.15 and earlier for Windows and Macintosh

  • Adobe Reader X version 10.1.15 and earlier for Windows and Macintosh
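
One way to triage a software inventory against the version ceilings listed above, as an added example that is not part of the MS-ISAC advisory or of Adobe's tooling. It assumes the two DC ceilings belong to separate build lines distinguished by the third version field (30xxx versus 20xxx) and that inventories may report DC as 15.x rather than 2015.x; the host names and inventory rows are constructed.

```python
import re

# Highest affected builds, copied from the affected-systems list above.
# Assumption: the two DC ceilings belong to two separate build lines that
# are told apart by the third field (30xxx vs 20xxx).
CEILINGS = {
    "DC 30xxx line": (2015, 6, 30060),
    "DC 20xxx line": (2015, 8, 20082),
    "XI": (11, 0, 12),
    "X": (10, 1, 15),
}

def parse_version(text):
    """Parse 'a.b.c' into an int tuple; extra trailing fields are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build = (int(g) for g in m.groups())
    # Assumption: inventories may report DC as 15.x; normalise to 2015.x.
    if 15 <= major < 100:
        major += 2000
    return major, minor, build

def release_line(version):
    """Pick the ceiling that applies to this build, or None if unlisted."""
    major, _, build = version
    if major == 10:
        return "X"
    if major == 11:
        return "XI"
    if major >= 2015:
        return "DC 30xxx line" if build >= 30000 else "DC 20xxx line"
    return None

def triage(version_text):
    """Return 'affected', 'not affected' or 'not listed' for one install."""
    version = parse_version(version_text)
    line = release_line(version)
    if line is None:
        return "not listed"
    return "affected" if version <= CEILINGS[line] else "not affected"

# Constructed inventory rows (host, reported version); not real data.
INVENTORY = [("ws-01", "11.0.12"), ("ws-02", "15.006.30061"),
             ("ws-03", "2015.007.20001"), ("mac-04", "10.1.16")]
REPORT = {host: triage(ver) for host, ver in INVENTORY}
```

Comparing every DC build against the single highest ceiling would flag 2015.006.30061 as affected, which is why the build line is chosen first. The November 2 update gives no version range for CVE-2015-7650, so a "not affected" result says nothing about that issue.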

 

RISK:

 

Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

TECHNICAL SUMMARY:

 

Adobe Acrobat and Reader are prone to multiple vulnerabilities. These vulnerabilities are as follows:

 

Use-after-free vulnerabilities that could lead to code execution (CVE-2015-6689, CVE-2015-6688, CVE-2015-6690, CVE-2015-7615, CVE-2015-7617, CVE-2015-6687, CVE-2015-6684, CVE-2015-6691, CVE-2015-7621, CVE-2015-5586, CVE-2015-6683).

Heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-6696, CVE-2015-6698).

Memory corruption vulnerabilities that could lead to code execution (CVE-2015-6685, CVE-2015-6693, CVE-2015-6694, CVE-2015-6695, CVE-2015-6686, CVE-2015-7622).

Memory leak vulnerabilities (CVE-2015-6699, CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, CVE-2015-6704, CVE-2015-6697).

Security bypass vulnerabilities that could lead to information disclosure (CVE-2015-5583, CVE-2015-6705, CVE-2015-6706, CVE-2015-7624).

Methods to bypass restrictions on JavaScript API execution (CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-7614, CVE-2015-7616, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, CVE-2015-7623, CVE-2015-6713, CVE-2015-6714, CVE-2015-6715).

 

Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or processing resources in a user's computer. Failed exploit attempts will likely cause denial-of-service conditions.

 

November 2 - UPDATED TECHNICAL SUMMARY:

Acrobat Reader DC is vulnerable to a memory corruption vulnerability that could allow for remote code execution (CVE-2015-7650).

 

RECOMMENDATIONS:

 

We recommend the following actions be taken:

 

  • Install the updates provided by Adobe immediately after appropriate testing.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

  • Do not open email attachments from unknown or untrusted sources.

  • Limit user account privileges to only those required.

 

REFERENCES:

 

Adobe:

https://helpx.adobe.com/security/products/reader/apsb15-24.html

 

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5583

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5586

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6683

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6684

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6685

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6686

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6687

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6688

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6689

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6690

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6691

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6692

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6693

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6694

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6695

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6696

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6697

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6698

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6699

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6700

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6701

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6702

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6703

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6704

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6705

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6706

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6707

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6708

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6709

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6710

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6711

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6712

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6713

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6714

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6715

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6716

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6717

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6718

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6719

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6720

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6721

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6722

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6723

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6724

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6725

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7614

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7615

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7616

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7617

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7618

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7619

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7620

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7621

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7622

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7623

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7624

 

November 2 - UPDATED REFERENCES:

Security Focus:

http://www.securityfocus.com/bid/77404

 

Tipping Point:

http://www.zerodayinitiative.com/advisories/ZDI-15-534/