Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24840
HistoryOct 06, 2010 - 12:00 a.m.

Security updates available for Adobe Reader and Acrobat

2010-10-0600:00:00
vulners.com
24
JSON

Security updates available for Adobe Reader and Acrobat

Release date: October 5, 2010

Vulnerability identifier: APSB10-21

CVE Numbers: CVE-2010-2883, CVE-2010-2884, CVE-2010-2887, CVE-2010-2888,
CVE-2010-2889, CVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3621,
CVE-2010-3622, CVE-2010-3623, CVE-2010-3624, CVE-2010-3625, CVE-2010-3626,
CVE-2010-3627, CVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3631,
CVE-2010-3632, CVE-2010-3656, CVE-2010-3657, CVE-2010-3658

Platform: All Platforms
Summary

Critical vulnerabilities have been identified in Adobe Reader 9.3.4 (and earlier versions) for
Windows, Macintosh and UNIX, Adobe Acrobat 9.3.4 (and earlier versions) for Windows and
Macintosh, and Adobe Reader 8.2.4 (and earlier versions) and Adobe Acrobat 8.2.4 (and earlier
versions) for Windows and Macintosh. These vulnerabilities, including CVE-2010-2883,
referenced in Security Advisory APSA10-02, and CVE-2010-2884 referenced in the Adobe Flash
Player Security Bulletin APSB10-22, could cause the application to crash and could potentially
allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh
and UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh,
who cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.)
Adobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and
Macintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and
earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5.

Note that the October 5, 2010 updates represent an accelerated release of the next quarterly
security update originally scheduled for October 12, 2010. With this accelerated schedule, Adobe
will not release additional updates for Adobe Reader and Acrobat on October 12, 2010. The next
quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.
Affected software versions

* Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
* Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

SOLUTION

Adobe recommends users update their software installations by following the instructions below:

Adobe Reader
Users on Windows and Macintosh can utilize the product's update mechanism. The default
configuration is set to run automatic update checks on a regular schedule and can be manually
activated by choosing Help > Check for Updates.

Adobe Reader users on Windows can also find the appropriate update here:
http://get.adobe.com/reader/.

Adobe Reader users on Macintosh can also find the appropriate update here:
http://get.adobe.com/reader/.

Adobe Reader users on UNIX can find the appropriate update here:*
ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.4.0.
*Note: Adobe Reader 9.4 for UNIX will be available from the Adobe Reader Download Center at
http://get.adobe.com/reader/ by October 21, 2010.

Adobe Acrobat
Users can utilize the product's update mechanism. The default configuration is set to run
automatic update checks on a regular schedule and can be manually activated by choosing Help >
Check for Updates.

Acrobat Standard and Pro users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.

Acrobat 3D users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.
Severity rating

Adobe categorizes these as critical updates and recommends that users apply the latest updates
for their product installations by following the instructions in the "Solution" section above.
DETAILS

Critical vulnerabilities have been identified in Adobe Reader 9.3.4 (and earlier versions) for
Windows, Macintosh and UNIX, Adobe Acrobat 9.3.4 (and earlier versions) for Windows and
Macintosh, and Adobe Reader 8.2.4 (and earlier versions) and Adobe Acrobat 8.2.4 (and earlier
versions) for Windows and Macintosh. These vulnerabilities, including CVE-2010-2883,
referenced in Security Advisory APSA10-02, and CVE-2010-2884 referenced in the Adobe Flash
Player Security Bulletin APSB10-22, could cause the application to crash and could potentially
allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh
and UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh,
who cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.)
Adobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and
Macintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and
earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5.

This update resolves a font-parsing input validation vulnerability that could lead to code
execution (CVE-2010-2883).
Note: There are reports that this issue is being actively exploited in the wild.

This update resolves a memory corruption vulnerability in the authplay.dll component that could
lead to code execution (CVE-2010-2884).

This update resolves multiple potential Linux-only privilege escalation issues (CVE-2010-2887).

This update resolves multiple input validation errors that could lead to code execution (Windows,
ActiveX only) (CVE-2010-2888).

This update resolves a font-parsing input validation vulnerability that could lead to code
execution (CVE-2010-2889).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-2890).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-3619).

This update resolves an image-parsing input validation vulnerability that could lead to code
execution (CVE-2010-3620).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-3621).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-3622).

This update resolves a memory corruption vulnerability that could lead to code execution
(Macintosh platform only) (CVE-2010-3623).

This update resolves an image-parsing input validation vulnerability that could lead to code
execution (Macintosh platform only) (CVE-2010-3624).

This update resolves a prefix protocol handler vulnerability that could lead to code execution
(CVE-2010-3625).

This update resolves a font-parsing input validation vulnerability that could lead to code
execution (CVE-2010-3626).

This update resolves an input validation vulnerability that could lead to code execution
(CVE-2010-3627).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-3628).

This update resolves an image-parsing input validation vulnerability that could lead to code
execution (CVE-2010-3629).

This update resolves a denial of service vulnerability; arbitrary code execution has not been
demonstrated, but may be possible (CVE-2010-3630).

This update resolves an array-indexing vulnerability that could lead to code execution
(Macintosh platform only) (CVE-2010-3631).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-3632).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-3658)

This update resolves a denial of service issue (CVE-2010-3656).

This update resolves a denial of service issue (CVE-2010-3657).
ACKNOWLEDGMENTS

Adobe would like to thank the following individuals and organizations for reporting the relevant
issues and for working with Adobe to help protect our customers:

    * Report submitted by Red Hat Security Response Team (CVE-2010-2887)
    * Tavis Ormandy of the Google Security Team (CVE-2010-2888, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3626, CVE-2010-3658)
    * Sebastian Apelt through TippingPoint's Zero Day Initiative (CVE-2010-3621, CVE-2010-3622)
    * James Quirk of Los Alamos, New Mexico (CVE-2010-3623)
    * Felipe Andres Manzano through the iSIGHT Partners Global Vulnerability Partnership (CVE-2010-3624)
    * Billy Rios from the Google Security Team (CVE-2010-3625)
    * Ricardo Narvaja of Core Security Technologies (CVE-2010-3627)
    * Bing Liu of Fortinet's FortiGuard Labs (CVE-2010-3628)
    * Will Dormann of CERT (CVE-2010-3629)
    * Brett Gervasoni of Sense of Security (CVE-2010-3630)
    * Knud Erik Højgaard of nSense Vulnerability Research Team (CVE-2010-3631)
    * An anonymous reporter through TippingPoint's Zero Day Initiative (CVE-2010-3632)

Related

openvas 21
nessus 25
securityvulns 7
suse 2
redhat 2
gentoo 2
prion 23
cve 23
ubuntucve 22
threatpost 7
checkpoint_advisories 5
canvas 2
saint 4
metasploit 2
cisa_kev 1
packetstorm 2
cert 2
symantec 1
freebsd 1
seebug 2
thn 3
attackerkb 1
zdi 3
exploitpack 1
exploitdb 3
openvas
openvas
SuSE Update for acroread SUSE-SA:2010:048
2010-10-19 00:00:00
SuSE Update for acroread SUSE-SA:2010:048
2010-10-19 00:00:00
Adobe Acrobat and Reader Multiple Vulnerabilities -Oct10 (Windows)
2010-10-18 00:00:00
nessus
nessus
openSUSE Security Update : acroread (openSUSE-SU-2010:0706-1)
2010-10-11 00:00:00
SuSE 10 Security Update : acroread_ja (ZYPP Patch Number 7182)
2011-01-27 00:00:00
SuSE 11 / 11.1 Security Update : acroread_ja (SAT Patch Numbers 3272 / 3273)
2010-12-02 00:00:00
securityvulns
securityvulns
Adobe Acrobat / Reader multiple security vulnerabilities
2010-10-08 00:00:00
ZDI-10-192: Adobe Acrobat Reader ICC mluc Remote Code Execution Vulnerability
2010-10-06 00:00:00
Adobe Reader 9.3.4 Multiple Memory Corruption - Security Advisory - SOS-10-003
2010-10-08 00:00:00
suse
suse
remote code execution in acroread
2010-10-11 17:38:18
remote code execution in flash-player
2010-09-22 16:10:35
redhat
redhat
(RHSA-2010:0743) Critical: acroread security update
2010-10-06 00:00:00
(RHSA-2010:0706) Critical: flash-plugin security update
2010-09-21 00:00:00
gentoo
gentoo
Adobe Reader: Multiple vulnerabilities
2011-01-21 00:00:00
Adobe Flash Player: Multiple vulnerabilities
2011-01-21 00:00:00
prion
prion
Memory corruption
2010-10-06 17:00:00
Memory corruption
2010-10-06 17:00:00
Memory corruption
2010-10-06 17:00:00
cve
cve
CVE-2010-3619
2010-10-06 17:00:00
CVE-2010-3632
2010-10-06 17:00:00
CVE-2010-3658
2010-10-06 17:00:00
ubuntucve
ubuntucve
CVE-2010-3621
2010-10-06 00:00:00
CVE-2010-3632
2010-10-06 00:00:00
CVE-2010-3628
2010-10-06 00:00:00
threatpost
threatpost
Adobe to Release Critical Reader Patch Early
2010-10-01 13:36:30
Adobe Issues Huge Patch for Reader and Acrobat
2010-10-06 11:42:03
Ongoing Targeted Attack Campaign Going After Defense, Aerospace Industries
2012-01-31 17:05:17
checkpoint_advisories
checkpoint_advisories
Adobe Reader ACE.dll ICC Stream mluc Structure Integer Overflow (APSB10-21; CVE-2010-3621; CVE-2010-3622)
2010-10-27 00:00:00
Adobe Multiple Products Flash Content Parsing Code Execution (APSA10-03: CVE-2010-2884) (CVE-2010-2884)
2014-08-24 00:00:00
Adobe Reader and Acrobat TTF SING Table Buffer Overflow (APSA10-02; CVE-2010-2883)
2010-09-12 00:00:00
canvas
canvas
Immunity Canvas: FLASH_WILD2
2010-09-15 18:00:00
Immunity Canvas: ACROBAT_TTF_SING
2010-09-09 22:00:00
saint
saint
Adobe Reader CoolType.dll buffer overflow
2010-09-17 00:00:00
Adobe Reader CoolType.dll buffer overflow
2010-09-17 00:00:00
Adobe Reader CoolType.dll buffer overflow
2010-09-17 00:00:00
metasploit
metasploit
Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
2010-09-09 23:23:40
Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
2010-09-08 23:05:18
cisa_kev
cisa_kev
Adobe Acrobat and Reader Stack-Based Buffer Overflow Vulnerability
2022-06-08 00:00:00
packetstorm
packetstorm
Adobe Reader Smart INdependent Glyplets (SING) Table Handling Vulnerability
2010-09-09 00:00:00
nSense Vulnerability Research Security Advisory NSENSE-2010-001
2010-10-06 00:00:00
cert
cert
Adobe Flash unspecified code execution vulnerability
2010-09-14 00:00:00
Adobe Reader and Acrobat Font Parsing Buffer Overflow Vulnerability
2010-09-14 00:00:00
symantec
symantec
Adobe Flash Player CVE-2010-2884 Unspecified Remote Code Execution Vulnerability
2010-09-13 00:00:00
freebsd
freebsd
linux-flashplugin -- remote code execution
2010-09-14 00:00:00
seebug
seebug
Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
2014-07-01 00:00:00
Adobe Acrobat and Reader Array Indexing Remote Code Execution Vulnerability
2014-07-01 00:00:00
thn
thn
Plugx RAT targeting government organizations in Japan using spear phishing
2012-09-11 16:49:00
Chinese Hackers spied on European Diplomats during recent G20 meetings
2013-12-13 02:59:00
Bleeding Life 2 Exploit Pack Released
2011-10-24 04:30:00
attackerkb
attackerkb
CVE-2010-2883
2010-09-09 00:00:00
zdi
zdi
Adobe Acrobat Reader ICC mluc Remote Code Execution Vulnerability
2010-10-06 00:00:00
Adobe Acrobat Reader Multimedia Playing Remote Code Execution Vulnerability
2010-10-06 00:00:00
Adobe Reader ICC Parsing Remote Code Execution Vulnerability
2010-10-06 00:00:00
exploitpack
exploitpack
Adobe Acrobat and Reader - Array Indexing Remote Code Execution
2010-10-06 00:00:00
exploitdb
exploitdb
Adobe CoolType - SING Table 'uniqueName' Remote Stack Buffer Overflow (Metasploit) (1)
2010-09-20 00:00:00
Adobe CoolType - SING Table 'uniqueName' Local Stack Buffer Overflow (Metasploit) (2)
2010-09-25 00:00:00
Adobe Acrobat and Reader - Array Indexing Remote Code Execution
2010-10-06 00:00:00
JSON
Related for SECURITYVULNS:DOC:24840
openvas21nessus25securityvulns7suse2redhat2gentoo2prion23cve23ubuntucve22threatpost7checkpoint_advisories5canvas2saint4metasploit2cisa_kev1packetstorm2cert2symantec1freebsd1seebug2thn3attackerkb1zdi3exploitpack1exploitdb3