Adobe released security updates on Tuesday for Adobe Reader and Acrobat. The updates, originally set to be released last week, had been delayed due to issues identified during regression testing.
Adobe Reader and Acrobat 11.0.09 for Windows and Mac address a total of nine vulnerabilities which have been assigned the following CVE identifiers: CVE-2014-0560, CVE-2014-0561, CVE-2014-0562, CVE-2014-0563, CVE-2014-0565, CVE-2014-0566, CVE-2014-0567 and CVE-2014-0568.
“These updates address vulnerabilities that could potentially allow an attacker to take over the affected system,” Adobe said in its advisory.
Wei Lei and Wu Hongjun of the Nanyang Technological University in Singapore have reported a use-after-free vulnerability that could be leveraged for arbitrary code execution (CVE-2014-0560). The two experts have also reported a couple of memory corruption bugs that could lead to code execution (CVE-2014-0565, CVE-2014-0566), and a potential denial-of-service (DoS) vulnerability related to memory corruption (CVE-2014-0563).
Frans Rosen of Detectify has reported a universal cross-site scripting (UXSS) flaw affecting the Mac versions of Reader and Acrobat (CVE-2014-0562). Heap overflow vulnerabilities that could lead to code execution (CVE-2014-0561, CVE-2014-0567) have been disclosed by Tom Ferris and an anonymous researcher through HP’s Zero Day Initiative.
James Forshaw of Google’s Project Zero uncovered a sandbox bypass flaw that could be exploited to run native code with escalated privileges on Windows (CVE-2014-0568).
The vulnerabilities are considered critical, which indicates that they allow malicious native-code to execute, potentially without a user being aware. The issues have been assigned a priority rating of 1, which means that they are either targeted, or they have a high risk of being targeted, by exploits in the wild.
Adobe did not warn about the security holes being exploited in the wild, but advises users of Adobe Reader and Acrobat 11.0.08 and earlier to update to version 11.0.09. For users of Adobe Reader and Acrobat 10.1.11 and earlier who can’t update their installations to version 11, the company has made available version 10.1.12.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
