Multiple Vulnerabilities in Adobe Reader and Adobe Acrobat Could Allow Remote Code Execution (APSB16-14)

ITS Advisory Number: 
2016-082
Date(s) Issued: 
Tuesday, May 10, 2016
Subject: 
Multiple Vulnerabilities in Adobe Reader and Adobe Acrobat Could Allow Remote Code Execution (APSB16-14)
Overview: 

Multiple vulnerabilities in Adobe Acrobat and Adobe Reader could allow for remote code execution. Adobe Acrobat and Reader allow a user to view, create, manipulate, print and manage files in Portable Document Format (PDF). Successful exploitation could potentially allow an attacker to take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights. 

Systems Affected: 
  • Acrobat DC versions prior to 15.010.20060 for Windows and Macintosh
  • Acrobat Reader DC versions prior to 15.010.20060 for Windows and Macintosh
  • Acrobat DC versions prior to 15.006.30121 for Windows and Macintosh
  • Acrobat Reader DC versions prior to 15.006.30121 for Windows and Macintosh
  • Acrobat XI versions prior to 11.0.15 for  Windows and Macintosh
  • Reader XI versions prior to 11.0.15 for Windows and Macintosh
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Adobe Reader and Adobe Acrobat are prone to multiple vulnerabilities, the most severe of which could allow for remote code execution. These vulnerabilities are as follows:

  • These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1045, CVE-2016-1046, CVE-2016-1047, CVE-2016-1048, CVE-2016-1049, CVE-2016-1050, CVE-2016-1051, CVE-2016-1052, CVE-2016-1053, CVE-2016-1054, CVE-2016-1055, CVE-2016-1056, CVE-2016-1057, CVE-2016-1058, CVE-2016-1059, CVE-2016-1060, CVE-2016-1061, CVE-2016-1065, CVE-2016-1066, CVE-2016-1067, CVE-2016-1068, CVE-2016-1069, CVE-2016-1070, CVE-2016-1075, CVE-2016-1094, CVE-2016-1121, CVE-2016-1122, CVE-2016-4102, CVE-2016-4107).
  • These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-4091, CVE-2016-4092).
  • These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1037, CVE-2016-1063, CVE-2016-1064, CVE-2016-1071, CVE-2016-1072, CVE-2016-1073, CVE-2016-1074, CVE-2016-1076, CVE-2016-1077, CVE-2016-1078, CVE-2016-1080, CVE-2016-1081, CVE-2016-1082, CVE-2016-1083, CVE-2016-1084, CVE-2016-1085, CVE-2016-1086, CVE-2016-1088, CVE-2016-1093, CVE-2016-1095, CVE-2016-1116, CVE-2016-1118, CVE-2016-1119, CVE-2016-1120, CVE-2016-1123, CVE-2016-1124, CVE-2016-1125, CVE-2016-1126, CVE-2016-1127, CVE-2016-1128, CVE-2016-1129, CVE-2016-1130, CVE-2016-4088, CVE-2016-4089, CVE-2016-4090, CVE-2016-4093, CVE-2016-4094, CVE-2016-4096, CVE-2016-4097, CVE-2016-4098, CVE-2016-4099, CVE-2016-4100, CVE-2016-4101, CVE-2016-4103, CVE-2016-4104, CVE-2016-4105).
  • These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2016-1043).
  • These updates resolve memory leak vulnerabilities (CVE-2016-1079, CVE-2016-1092).
  • These updates resolve an information disclosure issue (CVE-2016-1112).
  • These updates resolve various methods to bypass restrictions on Javascript API execution (CVE-2016-1038, CVE-2016-1039, CVE-2016-1040, CVE-2016-1041, CVE-2016-1042, CVE-2016-1044, CVE-2016-1062, CVE-2016-1117).
  • These updates resolve vulnerabilities in the directory search path used to find resources that could lead to code execution (CVE-2016-1087, CVE-2016-1090, CVE-2016-4106).

Successful exploitation could potentially allow an attacker to take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.

Actions: 
  • After appropriate testing, apply applicable patch provided by Adobe to vulnerable systems.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Limit user account privileges to those required only.
  • Do not open email attachments from unknown or untrusted sources.
References: 

Adobe:
https://helpx.adobe.com/security/products/reader/apsb16-14.html  

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1037   

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1038    

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1039

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1040

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1041

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1042

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1043

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1044

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1045

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1046

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1047

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1048

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1049

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1050

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1051

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1052

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1053

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1054

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1055

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1056

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1057

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1058

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1059

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1060

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1061

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1062

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1063

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1064

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1065

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1066

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1067

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1068

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1069

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1070

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1071

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1072

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1073

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1074

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1075

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1076

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1077

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1078

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1079

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1080

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1081  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1082  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1083

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1084

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1085

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1086

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1087

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1088

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1090

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1092  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1093

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1094

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1095

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1112

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1116

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1117

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1118

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1119

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1120

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1121

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1122

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1123

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1124

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1125

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1126

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1127

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1128

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1129

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1130

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4088

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4089

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4090

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4091

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4092

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4093

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4094

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4096

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4097

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4098

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4099

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4100

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4101

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4102

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4103  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4104

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4105

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4106

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4107