Multiple Vulnerabilities in Adobe Acrobat and Adobe Reader Could Allow for Arbitrary Code Execution (APSB16-33)

ITS Advisory Number: 2016-177
Date(s) Issued: Tuesday, October 11, 2016
Subject: Multiple Vulnerabilities in Adobe Acrobat and Adobe Reader Could Allow for Arbitrary Code Execution (APSB16-33)
Overview: 

Multiple vulnerabilities in Adobe Acrobat and Adobe Reader could allow for arbitrary code execution. Adobe Acrobat and Reader allow a user to view, create, manipulate, print and manage files in Portable Document Format (PDF). If the current user is logged on with administrative user rights, an attacker could take control of an affected system. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed attacks may cause a denial-of-service condition.

Systems Affected: 
  • Adobe Acrobat Reader DC for Windows and Macintosh versions prior to 15.020.20039
  • Acrobat DC for Windows and Macintosh versions prior to 15.006.30243
  • Adobe Acrobat Reader DC for Windows and Macintosh versions prior to 15.006.30243
  • Adobe Acrobat XI for Windows and Macintosh versions prior to 11.0.18
  • Adobe Reader XI for Windows and Macintosh versions prior to 11.0.18

RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: Medium
BUSINESS
  • Large and medium business entities: High
  • Small business entities: Medium
HOME USERS
  • Home Users: Low
Description: 

Adobe Acrobat and Reader are prone to multiple vulnerabilities, the most severe of which could allow for arbitrary code execution. The vulnerabilities are as follows:

  • Multiple use-after-free vulnerabilities that could lead to code execution (CVE-2016-1089, CVE-2016-1091, CVE-2016-6944, CVE-2016-6945, CVE-2016-6946, CVE-2016-6949, CVE-2016-6952, CVE-2016-6953, CVE-2016-6961, CVE-2016-6962, CVE-2016-6963, CVE-2016-6964, CVE-2016-6965, CVE-2016-6967, CVE-2016-6968, CVE-2016-6969, CVE-2016-6971, CVE-2016-6979, CVE-2016-6988, CVE-2016-6993).
  • Multiple heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-6939, CVE-2016-6994).
  • Multiple memory corruption vulnerabilities that could lead to code execution (CVE-2016-6940, CVE-2016-6941, CVE-2016-6942, CVE-2016-6943, CVE-2016-6947, CVE-2016-6948, CVE-2016-6950, CVE-2016-6951, CVE-2016-6954, CVE-2016-6955, CVE-2016-6956, CVE-2016-6959, CVE-2016-6960, CVE-2016-6966, CVE-2016-6970, CVE-2016-6972, CVE-2016-6973, CVE-2016-6974, CVE-2016-6975, CVE-2016-6976, CVE-2016-6977, CVE-2016-6978, CVE-2016-6995, CVE-2016-6996, CVE-2016-6997, CVE-2016-6998, CVE-2016-7000, CVE-2016-7001, CVE-2016-7002, CVE-2016-7003, CVE-2016-7004, CVE-2016-7005, CVE-2016-7006, CVE-2016-7007, CVE-2016-7008, CVE-2016-7009, CVE-2016-7010, CVE-2016-7011, CVE-2016-7012, CVE-2016-7013, CVE-2016-7014, CVE-2016-7015, CVE-2016-7016, CVE-2016-7017, CVE-2016-7018, CVE-2016-7019).
  • Multiple methods to bypass restrictions on JavaScript API execution (CVE-2016-6957).
  • A security bypass vulnerability (CVE-2016-6958).
  • An integer overflow vulnerability that could lead to code execution (CVE-2016-6999).
Actions: 
  • After appropriate testing, immediately install the updates provided by Adobe.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Limit user account privileges to only those required.
  • Do not open email attachments from unknown or untrusted sources.
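
To act on the first item above, the fixed versions listed under Systems Affected can be checked against a software inventory. The following is an added example, not part of the advisory or of Adobe's tooling; the CSV columns, host names and sample versions are constructed, and it assumes that 15.006.x builds form a separately patched release line, which is why Reader DC has two fixed versions. Builds on a line the advisory does not list are returned as "review" rather than guessed.

```python
import csv
import io

# Fixed versions from "Systems Affected", keyed by (major, minor) release line.
# None is the product's default line. Assumption: 15.006.x builds are a
# separately patched line, so they get the 15.006.30243 threshold.
FIXED = {
    "acrobat reader dc": {(15, 6): "15.006.30243", None: "15.020.20039"},
    "acrobat dc": {(15, 6): "15.006.30243"},
    "acrobat xi": {None: "11.0.18"},
    "reader xi": {None: "11.0.18"},
}

# Constructed inventory export (hypothetical hosts and column names).
SAMPLE = """host,product,version
ws-01,Adobe Acrobat Reader DC,15.017.20053
ws-02,Adobe Acrobat Reader DC,15.020.20039
ws-03,Adobe Acrobat Reader DC,15.006.30201
ws-04,Acrobat DC,15.006.30243
ws-05,Acrobat DC,15.017.20053
ws-06,Adobe Reader XI,11.0.17
ws-07,Adobe Acrobat XI,11.0.18
ws-08,Adobe Reader XI,unknown
"""

def parse_version(text):
    """'15.006.30243' -> (15, 6, 30243), so components compare numerically."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def normalise(product):
    """Lower-case, collapse whitespace and drop a leading vendor name."""
    name = " ".join(product.lower().split())
    return name[6:] if name.startswith("adobe ") else name

def assess(product, version):
    """Return 'vulnerable', 'patched' or 'review' for one installed build."""
    lines = FIXED.get(normalise(product))
    if lines is None:
        return "review"              # product not covered by this advisory
    try:
        installed = parse_version(version)
    except ValueError:
        return "review"              # unparseable inventory value
    fixed = lines.get(installed[:2], lines.get(None))
    if fixed is None:
        return "review"              # advisory lists no fixed version for this line
    return "vulnerable" if installed < parse_version(fixed) else "patched"

def triage(csv_text):
    """Map each host in the inventory CSV to its verdict."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: assess(r["product"], r["version"]) for r in rows}
```

Calling `triage(SAMPLE)` returns one verdict per host; hosts marked "review" need a manual check against the Adobe bulletin in the References.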
References: 

Adobe:

https://helpx.adobe.com/security/products/acrobat/apsb16-33.html

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1089

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1091

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6939

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6940

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6941

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6942

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6943

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6944

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6945

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6946

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6947

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6948

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6949

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6950

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6951

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6952

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6953

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6954

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6955

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6956

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6957

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6958

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6959

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6960

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6961

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6962

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6963

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6964

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6965

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6966

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6967

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6968

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6969

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6970

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6971

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6972

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6973

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6974

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6975

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6976

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6977

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6978

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6979

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6988

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6993

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6994

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6995

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6996

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6997

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6998

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6999

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7000

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7001

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7002

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7003

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7004

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7005

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7006

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7007

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7008

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7009

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7010

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7011

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7012

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7013

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7014

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7015

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7016

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7017

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7018

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7019