The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Adobe Reader

vulnerability announce CVE-2014-8452 CVE-2014-9160 CVE-2014-9161

Adobe Reader: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Adobe Reader.
Impacted products: Acrobat.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 34.
Creation date: 12/05/2015.
Revision date: 07/06/2016.
Identifiers: 258, APSB15-10, CERTFR-2015-AVI-227, CVE-2014-8452, CVE-2014-9160, CVE-2014-9161, CVE-2015-3046, CVE-2015-3047, CVE-2015-3048, CVE-2015-3049, CVE-2015-3050, CVE-2015-3051, CVE-2015-3052, CVE-2015-3053, CVE-2015-3054, CVE-2015-3055, CVE-2015-3056, CVE-2015-3057, CVE-2015-3058, CVE-2015-3059, CVE-2015-3060, CVE-2015-3061, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3070, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3074, CVE-2015-3075, CVE-2015-3076, VIGILANCE-VUL-16882, ZDI-15-195, ZDI-15-196, ZDI-15-197, ZDI-15-198, ZDI-15-199, ZDI-15-200, ZDI-15-201, ZDI-15-202, ZDI-15-203, ZDI-15-204, ZDI-15-205, ZDI-15-206, ZDI-15-207, ZDI-15-208, ZDI-15-209, ZDI-15-210, ZDI-15-211, ZDI-15-212, ZDI-15-213, ZDI-15-214, ZDI-15-215.

Description of the vulnerability

Several vulnerabilities were announced in Adobe Reader.

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3053, ZDI-15-215]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3054, ZDI-15-214]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3055, ZDI-15-213]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3059, ZDI-15-212]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3075]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9160]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3048]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9161, ZDI-15-199]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3046]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3049]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3050]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3051]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3052]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3056, ZDI-15-209]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3057, ZDI-15-210]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3070]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-3076]

An attacker can read a memory fragment, in order to obtain sensitive information. [severity:1/4; CVE-2015-3058, ZDI-15-211]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3060, ZDI-15-208]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3061, ZDI-15-206]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3062, ZDI-15-207]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3063, ZDI-15-203]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3064, ZDI-15-204]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3065]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3066, ZDI-15-200]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3067, ZDI-15-201]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3068, ZDI-15-202]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3069, ZDI-15-205]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3071, ZDI-15-195]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3072, ZDI-15-196]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3073, ZDI-15-197]

An attacker can bypass restrictions of the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2015-3074, ZDI-15-198]

An attacker can force a NULL pointer to be dereferenced, in order to trigger a denial of service. [severity:2/4; CVE-2015-3047]

An attacker can transmit malicious XML data, in order to read a file, scan sites, or trigger a denial of service. [severity:2/4; CVE-2014-8452]

vulnerability bulletin CVE-2016-1037 CVE-2016-1038 CVE-2016-1039

Adobe Acrobat/Reader: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Adobe Acrobat/Reader.
Impacted products: Acrobat, Acrobat DC Classic, Acrobat DC Continuous.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 93.
Creation date: 10/05/2016.
Identifiers: APSB16-14, CVE-2016-1037, CVE-2016-1038, CVE-2016-1039, CVE-2016-1040, CVE-2016-1041, CVE-2016-1042, CVE-2016-1043, CVE-2016-1044, CVE-2016-1045, CVE-2016-1046, CVE-2016-1047, CVE-2016-1048, CVE-2016-1049, CVE-2016-1050, CVE-2016-1051, CVE-2016-1052, CVE-2016-1053, CVE-2016-1054, CVE-2016-1055, CVE-2016-1056, CVE-2016-1057, CVE-2016-1058, CVE-2016-1059, CVE-2016-1060, CVE-2016-1061, CVE-2016-1062, CVE-2016-1063, CVE-2016-1064, CVE-2016-1065, CVE-2016-1066, CVE-2016-1067, CVE-2016-1068, CVE-2016-1069, CVE-2016-1070, CVE-2016-1071, CVE-2016-1072, CVE-2016-1073, CVE-2016-1074, CVE-2016-1075, CVE-2016-1076, CVE-2016-1077, CVE-2016-1078, CVE-2016-1079, CVE-2016-1080, CVE-2016-1081, CVE-2016-1082, CVE-2016-1083, CVE-2016-1084, CVE-2016-1085, CVE-2016-1086, CVE-2016-1087, CVE-2016-1088, CVE-2016-1090, CVE-2016-1092, CVE-2016-1093, CVE-2016-1094, CVE-2016-1095, CVE-2016-1112, CVE-2016-1116, CVE-2016-1117, CVE-2016-1118, CVE-2016-1119, CVE-2016-1120, CVE-2016-1121, CVE-2016-1122, CVE-2016-1123, CVE-2016-1124, CVE-2016-1125, CVE-2016-1126, CVE-2016-1127, CVE-2016-1128, CVE-2016-1129, CVE-2016-1130, CVE-2016-4088, CVE-2016-4089, CVE-2016-4090, CVE-2016-4091, CVE-2016-4092, CVE-2016-4093, CVE-2016-4094, CVE-2016-4096, CVE-2016-4097, CVE-2016-4098, CVE-2016-4099, CVE-2016-4100, CVE-2016-4101, CVE-2016-4102, CVE-2016-4103, CVE-2016-4104, CVE-2016-4105, CVE-2016-4106, CVE-2016-4107, CVE-2016-4119, VIGILANCE-VUL-19573, ZDI-16-285, ZDI-16-286, ZDI-16-287, ZDI-16-288, ZDI-16-289, ZDI-16-290, ZDI-16-291, ZDI-16-292, ZDI-16-293, ZDI-16-294, ZDI-16-295, ZDI-16-296, ZDI-16-297, ZDI-16-298, ZDI-16-299, ZDI-16-300, ZDI-16-301, ZDI-16-302, ZDI-16-303, ZDI-16-304, ZDI-16-305, ZDI-16-306, ZDI-16-307, ZDI-16-308, ZDI-16-309, ZDI-16-310, ZDI-16-311, ZDI-16-312, ZDI-16-313, ZDI-16-315, ZDI-16-316, ZDI-16-317, ZDI-16-318, ZDI-16-319, ZDI-16-320, ZDI-16-321, ZDI-16-322, ZDI-16-323, ZDI-16-324, ZDI-16-325, ZDI-16-326, ZDI-16-327, ZDI-16-328, ZDI-16-329, ZDI-16-359.

Description of the vulnerability

Several vulnerabilities were announced in Adobe Acrobat/Reader.

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1045, ZDI-16-293]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1046, ZDI-16-294]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1047, ZDI-16-295]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1048, ZDI-16-296]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1049, ZDI-16-297]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1050, ZDI-16-298]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1051, ZDI-16-299]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1052, ZDI-16-300]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1053, ZDI-16-301]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1054, ZDI-16-302]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1055, ZDI-16-303]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1056, ZDI-16-304]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1057, ZDI-16-305]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1058, ZDI-16-306]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1059, ZDI-16-307]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1060, ZDI-16-308]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1061, ZDI-16-309]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1065, ZDI-16-312]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1066, ZDI-16-313]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1067, ZDI-16-315]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1068, ZDI-16-316]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1069, ZDI-16-317]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1070, ZDI-16-318]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1075, ZDI-16-323]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1094, ZDI-16-328, ZDI-16-359]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1121]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1122]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4102]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4107]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4091]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4092]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1037]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1063, ZDI-16-311]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1064]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1071, ZDI-16-319]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1072, ZDI-16-320]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1073, ZDI-16-321]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1074, ZDI-16-322]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1076, ZDI-16-324]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1077]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1078, ZDI-16-325]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1080, ZDI-16-327]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1081]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1082]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1083]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1084]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1085]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1086]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1088]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1093]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1095, ZDI-16-329]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1116]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1118]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1119]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1120]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1123]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1124]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1125]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1126]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1127]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1128]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1129]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1130]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4088]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4089]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4090]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4093]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4094]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4096]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4097]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4098]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4099]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4100]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4101]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4103]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4104]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4105]

An attacker can generate an integer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1043, ZDI-16-286]

An attacker can create a memory leak, in order to trigger a denial of service. [severity:2/4; CVE-2016-1079, ZDI-16-326]

An attacker can create a memory leak, in order to trigger a denial of service. [severity:2/4; CVE-2016-1092]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2016-1112]

An attacker can bypass security features, in order to escalate his privileges. [severity:3/4; CVE-2016-1038, ZDI-16-292]

An attacker can bypass security features, in order to escalate his privileges. [severity:3/4; CVE-2016-1039, ZDI-16-290]

An attacker can bypass security features, in order to escalate his privileges. [severity:3/4; CVE-2016-1040, ZDI-16-289]

An attacker can bypass security features, in order to escalate his privileges. [severity:3/4; CVE-2016-1041, ZDI-16-288]

An attacker can bypass security features, in order to escalate his privileges. [severity:3/4; CVE-2016-1042, ZDI-16-287]

An attacker can bypass security features, in order to escalate his privileges. [severity:3/4; CVE-2016-1044, ZDI-16-291]

An attacker can bypass security features, in order to escalate his privileges. [severity:3/4; CVE-2016-1062, ZDI-16-310]

An attacker can bypass security features, in order to escalate his privileges. [severity:3/4; CVE-2016-1117, ZDI-16-285]

An attacker can use a vulnerability in Directory Search Path, in order to run code. [severity:3/4; CVE-2016-1087]

An attacker can use a vulnerability in Directory Search Path, in order to run code. [severity:3/4; CVE-2016-1090]

An attacker can use a vulnerability in Directory Search Path, in order to run code. [severity:3/4; CVE-2016-4106]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4119]

vulnerability CVE-2016-1007 CVE-2016-1008 CVE-2016-1009

Adobe Reader/Acrobat: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Adobe Reader/Acrobat.
Impacted products: Acrobat, Acrobat DC Classic, Acrobat DC Continuous.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 08/03/2016.
Identifiers: APSB16-09, CERTFR-2016-AVI-085, CVE-2016-1007, CVE-2016-1008, CVE-2016-1009, VIGILANCE-VUL-19120, ZDI-16-189, ZDI-16-190, ZDI-16-191.

Description of the vulnerability

Several vulnerabilities were announced in Adobe Reader/Acrobat.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1007, ZDI-16-189]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1009, ZDI-16-191]

An attacker can use a vulnerability, in order to run code. [severity:3/4; CVE-2016-1008, ZDI-16-190]

computer vulnerability alert CVE-2016-0931 CVE-2016-0932 CVE-2016-0933

Adobe Acrobat/Reader: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Adobe Acrobat/Reader.
Impacted products: Acrobat, Acrobat DC Classic, Acrobat DC Continuous.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 18.
Creation date: 12/01/2016.
Identifiers: APSB16-02, CERTFR-2016-AVI-019, CVE-2016-0931, CVE-2016-0932, CVE-2016-0933, CVE-2016-0934, CVE-2016-0935, CVE-2016-0936, CVE-2016-0937, CVE-2016-0938, CVE-2016-0939, CVE-2016-0940, CVE-2016-0941, CVE-2016-0942, CVE-2016-0943, CVE-2016-0944, CVE-2016-0945, CVE-2016-0946, CVE-2016-0947, CVE-2016-1111, VIGILANCE-VUL-18696, ZDI-16-008, ZDI-16-009, ZDI-16-010, ZDI-16-011, ZDI-16-012, ZDI-16-013, ZDI-16-014, ZDI-16-015, ZDI-16-016, ZDI-16-017, ZDI-16-273.

Description of the vulnerability

Several vulnerabilities were announced in Adobe Acrobat/Reader.

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0932, ZDI-16-008]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0934, ZDI-16-016]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0937, ZDI-16-011]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0940]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0941, ZDI-16-010]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0935, ZDI-16-017]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0931, ZDI-16-009]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0933]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0936, ZDI-16-014]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0938, ZDI-16-013]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0939, ZDI-16-015]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0942]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0944]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0945]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-0946]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:2/4; CVE-2016-0943, ZDI-16-012]

An attacker can use a vulnerability in Adobe Download Manager, in order to run code. [severity:3/4; CVE-2016-0947]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1111, ZDI-16-273]

vulnerability bulletin CVE-2015-5583 CVE-2015-5586 CVE-2015-6683

Adobe Acrobat, Reader: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Adobe Acrobat, Reader.
Impacted products: Acrobat, Acrobat DC Classic, Acrobat DC Continuous.
Severity: 3/4.
Consequences: user access/rights, data reading, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 59.
Creation date: 13/10/2015.
Identifiers: APSB15-24, CERTFR-2015-AVI-427, COSIG-2015-001, CVE-2015-5583, CVE-2015-5586, CVE-2015-6683, CVE-2015-6684, CVE-2015-6685, CVE-2015-6686, CVE-2015-6687, CVE-2015-6688, CVE-2015-6689, CVE-2015-6690, CVE-2015-6691, CVE-2015-6692, CVE-2015-6693, CVE-2015-6694, CVE-2015-6695, CVE-2015-6696, CVE-2015-6697, CVE-2015-6698, CVE-2015-6699, CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, CVE-2015-6704, CVE-2015-6705, CVE-2015-6706, CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-6713, CVE-2015-6714, CVE-2015-6715, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7614, CVE-2015-7615, CVE-2015-7616, CVE-2015-7617, CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, CVE-2015-7621, CVE-2015-7622, CVE-2015-7623, CVE-2015-7624, CVE-2015-7650, CVE-2015-7829, CVE-2015-8458, VIGILANCE-VUL-18083, ZDI-15-465, ZDI-15-466, ZDI-15-467, ZDI-15-468, ZDI-15-469, ZDI-15-470, ZDI-15-471, ZDI-15-472, ZDI-15-473, ZDI-15-474, ZDI-15-475, ZDI-15-476, ZDI-15-477, ZDI-15-478, ZDI-15-479, ZDI-15-480, ZDI-15-481, ZDI-15-482, ZDI-15-483, ZDI-15-484, ZDI-15-485, ZDI-15-486, ZDI-15-487, ZDI-15-488, ZDI-15-489, ZDI-15-490, ZDI-15-491, ZDI-15-492, ZDI-15-493, ZDI-15-494, ZDI-15-495, ZDI-15-496, ZDI-15-497, ZDI-15-498, ZDI-15-499, ZDI-15-500, ZDI-15-501, ZDI-15-502, ZDI-15-503, ZDI-15-504, ZDI-15-505, ZDI-15-506, ZDI-15-507, ZDI-15-508, ZDI-15-509, ZDI-15-510, ZDI-15-534, ZDI-15-569, ZDI-15-637.

Description of the vulnerability

Several vulnerabilities were announced in Adobe Acrobat, Reader.

An attacker can force a read at an invalid address, in order to trigger a denial of service, or to read data. [severity:2/4; CVE-2015-6692]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6689, ZDI-15-470]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6688, ZDI-15-469]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6690, ZDI-15-474]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-7615, ZDI-15-493]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-7617, ZDI-15-492]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6687]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6684]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6691]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-7621, ZDI-15-508]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5586]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6683]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6696, ZDI-15-569]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6698, ZDI-15-476]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6685, ZDI-15-467]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6693, ZDI-15-473]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6694, ZDI-15-471]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6695, ZDI-15-472]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6686, ZDI-15-466]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-7622]

An attacker can create a memory leak, in order to trigger a denial of service. [severity:1/4; CVE-2015-6699, ZDI-15-477]

An attacker can create a memory leak, in order to trigger a denial of service. [severity:1/4; CVE-2015-6700, ZDI-15-478]

An attacker can create a memory leak, in order to trigger a denial of service. [severity:1/4; CVE-2015-6701, ZDI-15-479]

An attacker can create a memory leak, in order to trigger a denial of service. [severity:1/4; CVE-2015-6702, ZDI-15-480]

An attacker can create a memory leak, in order to trigger a denial of service. [severity:1/4; CVE-2015-6703, ZDI-15-481]

An attacker can create a memory leak, in order to trigger a denial of service. [severity:1/4; CVE-2015-6704, ZDI-15-482]

An attacker can create a memory leak, in order to trigger a denial of service. [severity:1/4; CVE-2015-6697, ZDI-15-475]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2015-5583, ZDI-15-468]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2015-6705]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2015-6706]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2015-7624]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6707, ZDI-15-483]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6708, ZDI-15-484]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6709, ZDI-15-486]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6710, ZDI-15-487]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6711, ZDI-15-485]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6712, ZDI-15-488]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-7614, ZDI-15-509]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-7616, ZDI-15-494]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6716, ZDI-15-507]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6717, ZDI-15-499]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6718, ZDI-15-503]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6719, ZDI-15-504]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6720, ZDI-15-506]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6721, ZDI-15-502]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6722, ZDI-15-501]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6723, ZDI-15-497]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6724, ZDI-15-495]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6725, ZDI-15-505]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-7618, ZDI-15-498]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-7619, ZDI-15-500]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-7620, ZDI-15-496]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-7623, ZDI-15-510]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6713, ZDI-15-489]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6714, ZDI-15-490]

An attacker can bypass security features in the JavaScript API, in order to escalate his privileges. [severity:3/4; CVE-2015-6715, ZDI-15-491]

An attacker can delete a file, in order to trigger a denial of service. [severity:2/4; CVE-2015-7829, ZDI-15-465]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-7650, ZDI-15-534]

An attacker can generate a buffer overflow in AGM, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-8458, ZDI-15-637]

computer vulnerability CVE-2014-0566 CVE-2014-8450 CVE-2015-3095

Adobe Acrobat/Reader: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Adobe Acrobat/Reader.
Impacted products: Acrobat, Acrobat DC Classic, Acrobat DC Continuous.
Severity: 3/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 46.
Creation date: 15/07/2015.
Identifiers: APSB15-15, CVE-2014-0566, CVE-2014-8450, CVE-2015-3095, CVE-2015-4435, CVE-2015-4438, CVE-2015-4441, CVE-2015-4443, CVE-2015-4444, CVE-2015-4445, CVE-2015-4446, CVE-2015-4447, CVE-2015-4448, CVE-2015-4449, CVE-2015-4450, CVE-2015-4451, CVE-2015-4452, CVE-2015-5085, CVE-2015-5086, CVE-2015-5087, CVE-2015-5088, CVE-2015-5089, CVE-2015-5090, CVE-2015-5091, CVE-2015-5092, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5096, CVE-2015-5097, CVE-2015-5098, CVE-2015-5099, CVE-2015-5100, CVE-2015-5101, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5105, CVE-2015-5106, CVE-2015-5107, CVE-2015-5108, CVE-2015-5109, CVE-2015-5110, CVE-2015-5111, CVE-2015-5113, CVE-2015-5114, CVE-2015-5115, VIGILANCE-VUL-17365, ZDI-15-303, ZDI-15-304, ZDI-15-305, ZDI-15-306, ZDI-15-307, ZDI-15-308, ZDI-15-309, ZDI-15-310, ZDI-15-311, ZDI-15-312, ZDI-15-313, ZDI-15-314, ZDI-15-315, ZDI-15-316, ZDI-15-317, ZDI-15-318, ZDI-15-319, ZDI-15-320, ZDI-15-321, ZDI-15-322, ZDI-15-323, ZDI-15-324, ZDI-15-368, ZDI-15-369, ZDI-15-370, ZDI-15-371.

Description of the vulnerability

Several vulnerabilities were announced in Adobe Acrobat/Reader.

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5093, ZDI-15-320]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5096]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5098]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5105]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5087]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5094, ZDI-15-321]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5100, ZDI-15-303]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5102, ZDI-15-307]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5103, ZDI-15-305]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5104, ZDI-15-306]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-3095]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5115, ZDI-15-312]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2014-0566]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2015-5107, ZDI-15-371]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2015-4449]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2015-4450]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2015-5088]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2015-5089]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2015-5092]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2014-8450]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5110, ZDI-15-368]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-4448]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5095, ZDI-15-322]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5099]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5101, ZDI-15-304]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5111, ZDI-15-308]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5113, ZDI-15-323]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5114, ZDI-15-324]

An attacker can bypass security features, in order to escalate his privileges. [severity:3/4; CVE-2015-4446]

An attacker can bypass security features, in order to escalate his privileges. [severity:3/4; CVE-2015-5090, ZDI-15-314]

An attacker can bypass security features, in order to escalate his privileges. [severity:3/4; CVE-2015-5106, ZDI-15-370]

An attacker can trigger a fatal error, in order to trigger a denial of service. [severity:2/4; CVE-2015-5091, ZDI-15-315]

An attacker can generate an integer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5097]

An attacker can generate an integer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5108]

An attacker can generate an integer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-5109, ZDI-15-369]

An attacker can bypass security features, in order to escalate his privileges. [severity:2/4; CVE-2015-4435, ZDI-15-316]

An attacker can bypass security features, in order to escalate his privileges. [severity:2/4; CVE-2015-4438, ZDI-15-317]

An attacker can bypass security features, in order to escalate his privileges. [severity:2/4; CVE-2015-4441, ZDI-15-318]

An attacker can bypass security features, in order to escalate his privileges. [severity:2/4; CVE-2015-4445, ZDI-15-313]

An attacker can bypass security features, in order to escalate his privileges. [severity:2/4; CVE-2015-4447, ZDI-15-319]

An attacker can bypass security features, in order to escalate his privileges. [severity:2/4; CVE-2015-4451]

An attacker can bypass security features, in order to escalate his privileges. [severity:2/4; CVE-2015-4452, ZDI-15-309]

An attacker can bypass security features, in order to escalate his privileges. [severity:2/4; CVE-2015-5085, ZDI-15-310]

An attacker can bypass security features, in order to escalate his privileges. [severity:2/4; CVE-2015-5086, ZDI-15-311]

An attacker can force a NULL pointer to be dereferenced, in order to trigger a denial of service. [severity:1/4; CVE-2015-4443]

An attacker can force a NULL pointer to be dereferenced, in order to trigger a denial of service. [severity:1/4; CVE-2015-4444]

computer vulnerability bulletin CVE-2015-3095

Adobe Reader: unreachable memory reading via CoolType.dll

Synthesis of the vulnerability

An attacker can force a read at an invalid address in CoolType.dll of Adobe Reader, in order to trigger a denial of service.
Impacted products: Acrobat.
Severity: 1/4.
Consequences: denial of service on client.
Provenance: internet client.
Creation date: 13/05/2015.
Identifiers: CVE-2015-3095, VIGILANCE-VUL-16898.

Description of the vulnerability

The Adobe Reader product uses the Type1/CFF CharString interpreter in CoolType.dll to display fonts.

However, it tries to read an unreachable memory area, which triggers a fatal error.

An attacker can therefore force a read at an invalid address in CoolType.dll of Adobe Reader, in order to trigger a denial of service.

vulnerability announce CVE-2014-8445 CVE-2014-8446 CVE-2014-8447

Adobe Acrobat, Reader: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Adobe Acrobat, Reader.
Impacted products: Acrobat.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 22.
Creation date: 09/12/2014.
Identifiers: APSB14-28, CERTFR-2014-AVI-523, CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8448, CVE-2014-8449, CVE-2014-8451, CVE-2014-8452, CVE-2014-8453, CVE-2014-8454, CVE-2014-8455, CVE-2014-8456, CVE-2014-8457, CVE-2014-8458, CVE-2014-8459, CVE-2014-8460, CVE-2014-8461, CVE-2014-9150, CVE-2014-9158, CVE-2014-9159, CVE-2014-9160, CVE-2014-9161, CVE-2014-9165, VIGILANCE-VUL-15762.

Description of the vulnerability

Several vulnerabilities were announced in Adobe Acrobat, Reader.

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-8454]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-8455]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9165]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-8457]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-8460]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9159]

An attacker can generate an integer overflow, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-8449]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-8445]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-8446]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-8447]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-8456]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-8458]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-8459]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-8461]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9158]

An attacker can bypass access restrictions, in order to alter a file. [severity:2/4; CVE-2014-9150]

An attacker can use the JavaScript API, in order to obtain sensitive information. [severity:2/4; CVE-2014-8448]

An attacker can use the JavaScript API, in order to obtain sensitive information. [severity:2/4; CVE-2014-8451]

An attacker can transmit malicious XML data, in order to read a file, scan sites, or trigger a denial of service. [severity:2/4; CVE-2014-8452]

An attacker can bypass the same origin policy, in order to obtain sensitive information. [severity:2/4; CVE-2014-8453]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9160]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9161]

vulnerability alert CVE-2014-9150

Adobe Acrobat, Reader: file creation via MoveFileEx

Synthesis of the vulnerability

An attacker can use MoveFileEx on Adobe Acrobat or Reader, in order to store a malicious program on the victim's computer.
Impacted products: Acrobat.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 02/12/2014.
Identifiers: CVE-2014-9150, VIGILANCE-VUL-15731.

Description of the vulnerability

The Adobe Acrobat or Reader product has a sandbox to limit access to the file system.

However, using an NTFS Junction Point and the MoveFileEx() function, an attacker can create a file outside the sandbox.

This vulnerability has to be used with another vulnerability allowing code execution in the sandbox.

An attacker can therefore use MoveFileEx on Adobe Acrobat or Reader, in order to store a malicious program on the victim's computer.

computer vulnerability CVE-2014-5315

Adobe Acrobat: Cross Site Scripting of Help Page

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in the Help Page of Adobe Acrobat, in order to execute JavaScript code in the context of the web site.
Impacted products: Acrobat.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 29/09/2014.
Identifiers: CVE-2014-5315, JVN#84376800, VIGILANCE-VUL-15425.

Description of the vulnerability

The Adobe Acrobat product offers a web service.

However, the Help Page does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in the Help Page of Adobe Acrobat, in order to execute JavaScript code in the context of the web site.