PROBLEM:
Multiple vulnerabilities have been reported in Adobe Reader and Adobe Acrobat.
PLATFORM:
Adobe Acrobat 9.x
Adobe Acrobat X 10.x
Adobe Reader 9.x
Adobe Reader X 10.x
ABSTRACT:
Vulnerabilities can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, gain knowledge of potentially sensitive information, and compromise a user's system.
REFERENCE LINKS:
Vendor Advisory
Secunia Advisory SA48733
CVE-2012-0724
IMPACT ASSESSMENT:
High
Discussion:
1) An integer overflow error when handling TrueType Font (TTF) data can be exploited to corrupt memory. CVE-2012-0774
2) An unspecified error when handling JavaScript can be exploited to corrupt memory. CVE-2012-0775
3) The application loads executables (e.g. msiexec.exe) in an insecure manner. This can be exploited to run an arbitrary program by tricking a user into, for example, opening a file located on a remote WebDAV or SMB share and then repairing the installation.
4) An unspecified error within the JavaScript API can be exploited to corrupt memory.
NOTE: This vulnerability affects the Macintosh and Linux versions only.
5) The application bundles a vulnerable version of Adobe Flash Player.
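The advisory does not say where in the TTF parser the overflow of item 1 occurs, so the following is an added illustration of the bug class rather than Adobe's code or the actual CVE-2012-0774 defect. It walks a TrueType table directory (sfnt header followed by 16-byte table records, which is the real on-disk layout) and contrasts a naive 32-bit `offset + length <= file_size` bounds check, which wraps and accepts an out-of-file table, with an overflow-safe check. The sample font bytes are constructed for the example and are not a real font.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TrueType values are big-endian. */
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

#define OFFSET_TABLE_LEN 12   /* sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2) */
#define TABLE_RECORD_LEN 16   /* tag(4) checksum(4) offset(4) length(4) */

/* Naive check: offset + length is computed in 32 bits and wraps, so a record
   with offset 0xFFFFFFF0 and length 0x20 yields end = 0x10 and is accepted.
   Returns 1 if the record is (wrongly) accepted, 0 if rejected. */
int table_in_bounds_unchecked(uint32_t offset, uint32_t length, uint32_t file_size) {
    uint32_t end = offset + length;   /* silent wraparound on overflow */
    return end <= file_size;
}

/* Hardened check: validate offset first, then compare length against the
   bytes that remain. Subtraction on validated operands cannot overflow. */
int table_in_bounds_checked(uint32_t offset, uint32_t length, uint32_t file_size) {
    if (offset > file_size) return 0;
    return length <= file_size - offset;
}

/* Parses the table directory of a font held in buf[0..len) and returns how many
   table records pass the hardened bounds check. Returns -1 if the header or the
   directory itself does not fit in the buffer; the directory size is computed
   in size_t and compared by subtraction so that check cannot overflow either. */
int count_valid_tables(const uint8_t *buf, size_t len) {
    if (len < OFFSET_TABLE_LEN) return -1;
    uint16_t num_tables = rd16(buf + 4);
    size_t dir_bytes = (size_t)num_tables * TABLE_RECORD_LEN;   /* at most 65535*16 */
    if (dir_bytes > len - OFFSET_TABLE_LEN) return -1;
    int valid = 0;
    for (uint16_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = buf + OFFSET_TABLE_LEN + (size_t)i * TABLE_RECORD_LEN;
        uint32_t offset = rd32(rec + 8);
        uint32_t length = rd32(rec + 12);
        if (table_in_bounds_checked(offset, length, (uint32_t)len)) valid++;
    }
    return valid;
}

/* Constructed sample (not a real font): sfnt 1.0 header with two table records.
   Record "head" is legitimate (offset 44, length 4, ending exactly at byte 48).
   Record "glyf" is malicious: offset 0xFFFFFFF0 + length 0x20 wraps to 0x10. */
const uint8_t SAMPLE_TTF[48] = {
    0x00, 0x01, 0x00, 0x00,  0x00, 0x02,  0x00, 0x20,  0x00, 0x01,  0x00, 0x00,
    'h', 'e', 'a', 'd',  0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x2C,  0x00, 0x00, 0x00, 0x04,
    'g', 'l', 'y', 'f',  0x00, 0x00, 0x00, 0x00,  0xFF, 0xFF, 0xFF, 0xF0,  0x00, 0x00, 0x00, 0x20,
    0x00, 0x00, 0x00, 0x00
};

int main(void) {
    printf("naive check accepts wrapped record:   %d\n",
           table_in_bounds_unchecked(0xFFFFFFF0u, 0x20u, sizeof SAMPLE_TTF));
    printf("hardened check accepts wrapped record: %d\n",
           table_in_bounds_checked(0xFFFFFFF0u, 0x20u, sizeof SAMPLE_TTF));
    printf("tables accepted by hardened parser:    %d\n",
           count_valid_tables(SAMPLE_TTF, sizeof SAMPLE_TTF));
    return 0;
}
```

The same wraparound pattern appears wherever a parser trusts an attacker-controlled count or length from the file: the fix is always to validate each operand against the buffer before combining them, never to compute the sum first and compare afterwards.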
Impact:
Security Bypass
Cross Site Scripting
Exposure of sensitive information
System access
Solution:
The vendor has issued a fix. The patch is available from Adobe downloads.