Tuesday, July 14, 2015

FOUR CRITICAL Adobe Updates:
Flash 18.0.0.209
Shockwave Player 12.1.9.159
Acrobat & Reader 2015.008.20082

--

[Update 2015-07-15: I added download page links for Adobe Acrobat and the non-cloud version of Adobe Reader. Thanks to my collaborator Al for assistance!]

Adobe has released FOUR CRITICAL updates today. Below I list each update, link to its Security Bulletin, and link to the page where you can download it. I've also added a list of CVEs patched in each update. A total of 50 CVEs have been patched in these updates. I believe that's a record for Adobe.

Adobe Flash Player 18.0.0.209

Adobe Security Bulletin

Download Page

CVEs Patched
CVE-2015-5122 - "A use-after-free vulnerability that could lead to code execution."
CVE-2015-5123 - "A memory corruption vulnerability that could lead to code execution."

Adobe Shockwave Player 12.1.9.159

Adobe Security Bulletin

Download Page

CVEs Patched
CVE-2015-5120 - "Memory corruption vulnerabilities that could lead to code execution"
CVE-2015-5121 - "Memory corruption vulnerabilities that could lead to code execution"

*Neither CVE is yet listed at Mitre.org

Adobe Acrobat & Reader:
DC v2015.008.20082 and v11.0.12

Adobe Security Bulletin

Adobe Reader DC Download Page

Adobe Reader (non-cloud) v11.0.12 Download Page

Adobe Acrobat Pro and DC Pro Download Page

CVEs Patched
CVE-2014-0566 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2014-8450 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-3095 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-4435 - "Methods to bypass restrictions on JavaScript API execution."
CVE-2015-4438 - "Methods to bypass restrictions on JavaScript API execution."
CVE-2015-4441 - "Methods to bypass restrictions on JavaScript API execution."
CVE-2015-4443 - "Null-pointer dereference issues that could lead to a denial-of-service condition."
CVE-2015-4444 - "Null-pointer dereference issues that could lead to a denial-of-service condition."
CVE-2015-4445 - "Methods to bypass restrictions on JavaScript API execution."
CVE-2015-4446 - "Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level."
CVE-2015-4447 - "Methods to bypass restrictions on JavaScript API execution."
CVE-2015-4448 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-4449 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-4450 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-4451 - "Methods to bypass restrictions on JavaScript API execution."
CVE-2015-4452 - "Methods to bypass restrictions on JavaScript API execution."
CVE-2015-5085 - "Methods to bypass restrictions on JavaScript API execution."
CVE-2015-5086 - "Methods to bypass restrictions on JavaScript API execution."
CVE-2015-5087 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5088 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-5089 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-5090 - "Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level."
CVE-2015-5091 - "Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level."
CVE-2015-5092 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-5093 - "A buffer overflow vulnerability that could lead to code execution."
CVE-2015-5094 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5095 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5096 - "Heap buffer overflow vulnerabilities that could lead to code execution."
CVE-2015-5097 - "Integer overflow vulnerabilities that could lead to code execution."
CVE-2015-5098 - "A buffer overflow vulnerability that could lead to code execution."
CVE-2015-5099 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5100 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5101 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5102 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5103 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5104 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5105 - "A buffer overflow vulnerability that could lead to code execution."
CVE-2015-5106 - "Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level."
CVE-2015-5107 - "An information leak vulnerability."
CVE-2015-5108 - "Integer overflow vulnerabilities that could lead to code execution."
CVE-2015-5109 - "Integer overflow vulnerabilities that could lead to code execution."
CVE-2015-5110 - "A stack overflow vulnerability that could lead to code execution."
CVE-2015-5111 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5113 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5114 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5115 - "Memory corruption vulnerabilities that could lead to code execution."

* CVEs not linked above have not yet been listed at Mitre.org.

--

2 comments:

  1. There is actually an update to Adobe Reader 11.0.12 out there, but it's almost impossible to find...
  2. Thank you Al! With your help I was able to find the download pages for:

    Adobe Reader 11.0.12
    https://www.adobe.com/support/downloads/detail.jsp?ftpID=5935

    AND

    Adobe Acrobat Pro 11.0.12.
    http://www.adobe.com/support/downloads/detail.jsp?ftpID=5925

    I'm adding links to both as updates to the article above.

    Theoretically, Adobe provides links to all their software updates at their 'Product updates' page:

    http://www.adobe.com/downloads/updates.html

    But all they offer there for Adobe Reader is the 'DC' cloud version. They're doing their best to hide the conventional version of Adobe Reader. They don't even mention it existing in this week's related Security Bulletin, directing users to the 'DC' version download page instead.

    My best guess is that Adobe is trying to get its users off the conventional Adobe Reader and onto the 'DC' version instead. Therefore, I suspect the conventional version of Reader will eventually be discontinued and laid to rest.

    Business commentary:
    Anyone interested in closely following Adobe security currently has to follow a total of five different pages at their website, none of which is closely coordinated with the others. (I can list all five upon request). It's clear that Adobe is suffering from a common problem within large corporations, which is losing track of focus, collaboration and cooperation. Apple has had the same problem, with some recent signs of turning it around again. While I was working at Eastman Kodak, I watched the problem make a mess of the company.