Adobe released security updates on Tuesday for Adobe Reader and Acrobat. The updates, originally set to be released last week, had been delayed due to issues identified during regression testing.
Adobe Reader and Acrobat 11.0.09 for Windows and Mac address a total of nine vulnerabilities which have been assigned the following CVE identifiers: CVE-2014-0560, CVE-2014-0561, CVE-2014-0562, CVE-2014-0563, CVE-2014-0565, CVE-2014-0566, CVE-2014-0567 and CVE-2014-0568.
“These updates address vulnerabilities that could potentially allow an attacker to take over the affected system,” Adobe said in its advisory.
Wei Lei and Wu Hongjun of the Nanyang Technological University in Singapore have reported a use-after-free vulnerability that could be leveraged for arbitrary code execution (CVE-2014-0560). The two experts have also reported a couple of memory corruption bugs that could lead to code execution (CVE-2014-0565, CVE-2014-0566), and a potential denial-of-service (DoS) vulnerability related to memory corruption (CVE-2014-0563).
Frans Rosen of Detectify has reported a universal cross-site scripting (UXSS) flaw affecting the Mac versions of Reader and Acrobat (CVE-2014-0562). Heap overflow vulnerabilities that could lead to code execution (CVE-2014-0561, CVE-2014-0567) have been disclosed by Tom Ferris and an anonymous researcher through HP’s Zero Day Initiative.
James Forshaw of Google’s Project Zero uncovered a sandbox bypass flaw that could be exploited to run native code with escalated privileges on Windows (CVE-2014-0568).
The vulnerabilities are considered critical, which indicates that they allow malicious native-code to execute, potentially without a user being aware. The issues have been assigned a priority rating of 1, which means that they are either targeted, or they have a high risk of being targeted, by exploits in the wild.
Adobe did not warn about the security holes being exploited in the wild, but advises users of Adobe Reader and Acrobat 11.0.08 and earlier to update to version 11.0.09. For users of Adobe Reader and Acrobat 10.1.11 and earlier who can’t update their installations to version 11, the company has made available version 10.1.12.