Adobe has released an update that fixes two critical vulnerabilities in Adobe Reader and Acrobat 9.x on the Windows operating system. These are unspecified vulnerabilities in the U3D and PRC components which, according to reports, remote attackers are exploiting to execute arbitrary code or cause a denial of service (memory corruption), and thereby take control of the system. Users of version 10.1.1 with the "Protected Mode" or "Protected View" options enabled are protected from the possible attacks. Adobe recommends that all users update the vulnerable software with the released patches.
Original text of the advisory
Security updates available for Adobe Reader and Acrobat 9.x for Windows
Release date: December 16, 2011
Vulnerability identifier: APSB11-30
CVE number: CVE-2011-2462, CVE-2011-4369
Platform: Windows
SUMMARY
There have been reports of two critical vulnerabilities being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows. These vulnerabilities (CVE-2011-2462, referenced in Security Advisory APSA11-04, and CVE-2011-4369) could cause a crash and potentially allow an attacker to take control of the affected system.
While these vulnerabilities exist in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh, there is no immediate risk to users of Adobe Reader and Acrobat X for Windows (with Protected Mode/Protected View enabled), Adobe Reader and Acrobat X or earlier versions for Macintosh, and Adobe Reader 9.x for UNIX based on the current exploits and historical attack patterns.
Today's updates address these vulnerabilities in Adobe Reader and Acrobat 9.x for Windows. Adobe recommends users of Adobe Reader 9.4.6 and earlier 9.x versions for Windows update to Adobe Reader 9.4.7. Adobe recommends users of Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows update to Adobe Acrobat 9.4.7.
Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of the type currently targeting these vulnerabilities (CVE-2011-2462 and CVE-2011-4369) from executing, we are planning to address these issues in Adobe Reader and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, scheduled for January 10, 2012. We are planning to address these issues in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update scheduled for January 10, 2012. An update to address these issues in Adobe Reader 9.x for UNIX is planned for January 10, 2012. For further context on this schedule, please see the corresponding ASSET blog post.
AFFECTED SOFTWARE VERSIONS
Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh
Note: Adobe Reader for Android and Adobe Flash Player are not affected by these issues.
SOLUTION
Adobe recommends users of Adobe Reader and Acrobat 9.4.6 and earlier 9.x versions for Windows update their software installations by following the instructions below:
Adobe Reader 9.x for Windows
Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
Users can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=W....
Adobe Acrobat 9.x for Windows
Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
Acrobat 9.x users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Wi....
Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of the type currently targeting these vulnerabilities (CVE-2011-2462 and CVE-2011-4369) from executing, we are planning to address these issues in Adobe Reader and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, scheduled for January 10, 2012. To verify Protected View for Adobe Acrobat X is enabled, go to Edit > Preferences > Security (Enhanced) and ensure "Files from potentially unsafe locations" or "All files" with "Enable Enhanced Security" are checked. To verify Protected Mode for Adobe Reader X is enabled, go to Edit > Preferences > General and verify that "Enable Protected Mode at startup" is checked.
We are planning to address these issues in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update scheduled for January 10, 2012. An update to address these issues in Adobe Reader 9.x for UNIX is planned for January 10, 2012. For further context on this schedule, please see the corresponding ASSET blog post.
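As an added example (not Adobe's code and not part of the bulletin) of how a defender could apply the affected version ranges and the Protected Mode/Protected View guidance above to a fleet inventory; the inventory line format, host names and the helper names are constructed for illustration:

```python
from collections import Counter

FIX_DATE = "2012-01-10"  # next quarterly update per the bulletin

# (product, major) -> (last affected version, platforms the bulletin lists)
AFFECTED = {
    ("Reader", 10):  ((10, 1, 1), {"Windows", "Macintosh"}),
    ("Reader", 9):   ((9, 4, 6),  {"Windows", "Macintosh", "UNIX"}),
    ("Acrobat", 10): ((10, 1, 1), {"Windows", "Macintosh"}),
    ("Acrobat", 9):  ((9, 4, 6),  {"Windows", "Macintosh"}),
}

def parse_version(text):
    """'9.4.6' -> (9, 4, 6); '10.1' -> (10, 1, 0) so tuples compare correctly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts + (0,) * (3 - len(parts))

def assess(product, version, platform, sandbox_enabled=False):
    """Status of one install against APSB11-30.
    sandbox_enabled: Protected Mode (Reader X) / Protected View (Acrobat X) is on."""
    v = parse_version(version)
    entry = AFFECTED.get((product, v[0]))
    if entry is None or platform not in entry[1] or v > entry[0]:
        return "not in affected range"
    if platform != "Windows":  # affected, but no in-the-wild exploits reported
        return f"affected, no exploits reported for {platform}; fix due {FIX_DATE}"
    if v[0] == 9:  # the line exploited in the wild; 9.4.7 ships the fix today
        return "VULNERABLE: exploited in the wild, update to 9.4.7"
    if sandbox_enabled:  # Reader/Acrobat X on Windows with the sandbox on
        return f"mitigated by Protected Mode/View; fix due {FIX_DATE}"
    return f"VULNERABLE: enable Protected Mode/View; fix due {FIX_DATE}"

def triage(inventory):
    """inventory lines (constructed format): host,product,version,platform,sandbox(1/0).
    Returns {host: status} and a Counter of statuses for reporting."""
    results = {}
    for line in inventory:
        host, product, version, platform, sandbox = line.split(",")
        results[host] = assess(product, version, platform, sandbox.strip() == "1")
    return results, Counter(results.values())

# Constructed sample inventory; hosts are not real.
SAMPLE = [
    "ws01,Reader,9.4.6,Windows,0",
    "ws02,Reader,9.4.7,Windows,0",
    "ws03,Acrobat,10.1.1,Windows,1",
    "ws04,Reader,10.1.1,Windows,0",
    "mac01,Reader,10.1.1,Macintosh,0",
    "srv01,Reader,9.4.6,UNIX,0",
]
```

Running `triage(SAMPLE)` separates the hosts that need the 9.4.7 update today from those covered by the sandbox until the January update.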
SEVERITY RATING
Adobe categorizes these as critical updates and recommends that users apply the latest updates for their product installations by following the instructions in the "Solution" section above.
DETAILS
These updates resolve a memory corruption vulnerability in the U3D component that could lead to code execution (CVE-2011-2462).
These updates resolve a memory corruption vulnerability in the PRC component that could lead to code execution (CVE-2011-4369).
These updates also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB11-28.
ACKNOWLEDGMENTS
Adobe would like to thank Lockheed Martin CIRT, MITRE and members of the Defense Security Information Exchange for reporting these issues and for working with Adobe to help protect our customers.