MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-071

DATE(S) ISSUED:
5/10/2016

SUBJECT:
Multiple Vulnerabilities in Adobe Acrobat and Adobe Reader Could Allow for Remote Code Execution (APSB16-14)

OVERVIEW:

Multiple vulnerabilities in Adobe Acrobat and Adobe Reader could allow for remote code execution. Adobe Acrobat and Reader allow a user to view, create, manipulate, print and manage files in Portable Document Format (PDF). Successful exploitation could potentially allow an attacker to take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being exploited in the wild.


SYSTEMS AFFECTED:

  • Adobe Acrobat DC version 15.010.20060 and earlier for Windows and Macintosh
  • Acrobat Reader DC version 15.010.20060 and earlier for Windows and Macintosh
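The threshold above ("15.010.20060 and earlier") is what an administrator checks a software inventory against before and after rolling out the Adobe update. The following is an added example, not part of the MS-ISAC advisory or any Adobe tooling: a small Python script that compares Acrobat DC / Acrobat Reader DC version strings numerically against that threshold and returns the hosts that still need the update. The inventory rows, hostnames and the "later" version numbers in it are constructed sample data, and the names AFFECTED_MAX, parse_version, is_affected and hosts_needing_update are the example's own.

```python
"""Affected-version check for the threshold stated in this advisory.

Added example, not part of the MS-ISAC advisory: compares Acrobat DC /
Acrobat Reader DC version strings numerically against the threshold
'15.010.20060 and earlier' from SYSTEMS AFFECTED. The inventory below is
constructed sample data, not real hosts.
"""
import re

# Threshold from the advisory: this version and anything earlier is affected.
AFFECTED_MAX = "15.010.20060"

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> tuple:
    """Turn 'A.B.C' into an integer tuple so each segment compares numerically.

    Adobe zero-pads the middle segment ('010'), so a plain string comparison
    would sort '15.9.x' after '15.010.x' even though 9 < 10.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, threshold: str = AFFECTED_MAX) -> bool:
    """True when version <= threshold (the advisory's 'and earlier' rule)."""
    v, t = parse_version(version), parse_version(threshold)
    # Pad the shorter tuple with zeros so '15.010' compares like '15.010.0'.
    width = max(len(v), len(t))
    v += (0,) * (width - len(v))
    t += (0,) * (width - len(t))
    return v <= t


def hosts_needing_update(inventory: list) -> list:
    """Return the (host, product, version) rows that fall in the affected range.

    Rows are (host, product, version) tuples, e.g. from a software-inventory
    export. Rows whose version cannot be parsed are returned as well: an
    unknown version is not evidence that the host has been patched.
    """
    flagged = []
    for host, product, version in inventory:
        try:
            affected = is_affected(version)
        except ValueError:
            affected = True  # unparsable: treat as needing review
        if affected:
            flagged.append((host, product, version))
    return flagged


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "Adobe Acrobat DC", "15.010.20060"),   # exactly the threshold
    ("ws-002", "Acrobat Reader DC", "15.009.20077"),  # earlier than the threshold
    ("ws-003", "Acrobat Reader DC", "15.017.20050"),  # later (constructed value)
    ("ws-004", "Adobe Acrobat DC", "15.9.20000"),     # string comparison would miss this one
    ("ws-005", "Acrobat Reader DC", "unknown"),       # inventory gap
]

if __name__ == "__main__":
    for row in hosts_needing_update(SAMPLE_INVENTORY):
        print("needs update or review:", *row)
```

The comparison is done on integer tuples rather than on the raw strings because the advisory's threshold has a zero-padded middle segment; a lexical comparison would report a hypothetical "15.9.x" build as newer than 15.010.20060 and silently leave it unpatched. Hosts with no parsable version are deliberately listed too, so that gaps in the inventory surface alongside the known-affected installs.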

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium
Businesses:
  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low


TECHNICAL SUMMARY

Adobe Acrobat and Reader are prone to multiple vulnerabilities, the most severe of which could allow for remote code execution. These vulnerabilities are as follows:


  • Multiple use-after-free vulnerabilities which could lead to remote code execution (CVE-2016-1045, CVE-2016-1046, CVE-2016-1047, CVE-2016-1048, CVE-2016-1049, CVE-2016-1050, CVE-2016-1051, CVE-2016-1052, CVE-2016-1053, CVE-2016-1054, CVE-2016-1055, CVE-2016-1056, CVE-2016-1057, CVE-2016-1058, CVE-2016-1059, CVE-2016-1060, CVE-2016-1061, CVE-2016-1065, CVE-2016-1066, CVE-2016-1067, CVE-2016-1068, CVE-2016-1069, CVE-2016-1070, CVE-2016-1075, CVE-2016-1094, CVE-2016-1121, CVE-2016-1122, CVE-2016-4102, CVE-2016-4107)
  • Heap-based buffer overflow vulnerabilities which could lead to remote code execution (CVE-2016-4091, CVE-2016-4092)
  • Multiple memory corruption vulnerabilities which could lead to remote code execution (CVE-2016-1037, CVE-2016-1063, CVE-2016-1064, CVE-2016-1071, CVE-2016-1072, CVE-2016-1073, CVE-2016-1074, CVE-2016-1076, CVE-2016-1077, CVE-2016-1078, CVE-2016-1080, CVE-2016-1081, CVE-2016-1082, CVE-2016-1083, CVE-2016-1084, CVE-2016-1085, CVE-2016-1086, CVE-2016-1088, CVE-2016-1093, CVE-2016-1095, CVE-2016-1116, CVE-2016-1118, CVE-2016-1119, CVE-2016-1120, CVE-2016-1123, CVE-2016-1124, CVE-2016-1125, CVE-2016-1126, CVE-2016-1127, CVE-2016-1128, CVE-2016-1129, CVE-2016-1130, CVE-2016-4088, CVE-2016-4089, CVE-2016-4090, CVE-2016-4093, CVE-2016-4094, CVE-2016-4096, CVE-2016-4097, CVE-2016-4098, CVE-2016-4099, CVE-2016-4100, CVE-2016-4101, CVE-2016-4103, CVE-2016-4104, CVE-2016-4105, CVE-2016-4119)
  • An integer overflow vulnerability which could lead to remote code execution (CVE-2016-1043)
  • Memory leak vulnerabilities (CVE-2016-1079, CVE-2016-1092)
  • Information disclosure vulnerability (CVE-2016-1112)
  • Multiple vulnerabilities that allow various methods to bypass restrictions on JavaScript API execution (CVE-2016-1038, CVE-2016-1039, CVE-2016-1040, CVE-2016-1041, CVE-2016-1042, CVE-2016-1044, CVE-2016-1062, CVE-2016-1117)
  • Multiple vulnerabilities in the directory search path used to find resources that could lead to code execution (CVE-2016-1087, CVE-2016-1090, CVE-2016-4106)

    Successful exploitation could potentially allow an attacker to take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.


    RECOMMENDATIONS:

    We recommend the following actions be taken:

    • Install the updates provided by Adobe immediately after appropriate testing.

    • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

    • Limit user account privileges to only those required.

    • Do not open email attachments from unknown or untrusted sources.

    REFERENCES:

    Adobe:
    https://helpx.adobe.com/security/products/acrobat/apsb16-14.html

    CVE:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1037
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1038
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1039
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1040
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1041
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1042
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1043
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1044
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1045
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1046
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1047
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1048
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1049
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1050
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1051
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1052
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1053
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1054
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1055
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1056
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1057
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1058
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1059
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1060
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1061
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1062
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1063
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1064
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1065
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1066
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1067
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1068
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1069
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1070
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1071
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1072
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1073
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1074
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1075
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1076
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1077
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1078
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1079
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1080
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1081
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1082
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1083
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1084
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1085
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1086
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1087
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1088
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1090
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1092
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1093
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1094
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1095
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1112
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1116
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1117
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1118
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1119
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1120
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1121
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1122
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1123
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1124
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1125
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1126
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1127
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1128
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1129
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1130
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4088
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4089
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4090
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4091
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4092
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4093
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4094
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4096
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4097
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4098
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4099
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4100
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4101
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4102
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4103
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4104
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4105
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4106
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4107