An Adobe Security Bulletin has been posted to address critical security issues in Adobe Reader and Acrobat, referenced in Security Advisory APSA10-01.
Affected products include both Adobe Reader 9.3.2 and Adobe Acrobat 9.3.2 (and earlier versions) for Windows, Macintosh and UNIX, (and earlier versions) as well as both Adobe Reader 8.2.2 and Adobe Acrobat 8.2.2 (and earlier versions) for Windows and Macintosh.
The Adobe Reader update for Windows is available from here. Download links for Acrobat and Macintosh and UNIX platforms are available from the Security Bulletin. If you elect to uninstall the current version of Adobe Reader and install the updated product, as with Adobe Flash Player, be careful to UNCHECK the box shown below. It is not needed for the update!The vulnerability in Security Advisory APSA10-01 could cause the application to crash and potentially allow an attacker to take control of the affected system.
Important Note: There are reports that the issue in CVE-2010-1297, addressed in this update, relating to a memory corruption vulnerability that could lead to code execution is being actively exploited in the wild.Details of the additional mitigations reported in the Security Bulletin are as follows:
- This update mitigates a social engineering attack that could lead to code execution (CVE-2010-1240).
- This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-1285).
- This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1295).
- This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2168).
- This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2201).
- This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2202).
- This update resolves a UNIX-only memory corruption vulnerability that could lead to code execution (CVE-2010-2203).
- This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-2204).
- This update resolves an uninitialized memory vulnerability that could lead to code execution (CVE-2010-2205).
- This update resolves an array-indexing error vulnerability that could lead to code execution (CVE-2010-2206).
- This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2207).
- This update resolves a dereference deleted heap object vulnerability that could lead to code execution (CVE-2010-2208).
- This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2209).
- This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2210).
- This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2211).
- This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2212).
No comments:
Post a Comment