----------------------------------------------------------------------


Get a tax break on purchases of Secunia Solutions!

If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/


----------------------------------------------------------------------

TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA43207

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207

RELEASE DATE:
2011-02-09

DISCUSS ADVISORY:
http://secunia.com/advisories/43207/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
 * Last Update
 * Popularity
 * Comments
 * Criticality Level
 * Impact
 * Where
 * Solution Status
 * Operating System / Software
 * CVE Reference(s)

http://secunia.com/advisories/43207/

ONLY AVAILABLE IN CUSTOMER AREA:
 * Authentication Level
 * Report Reliability
 * Secunia PoC
 * Secunia Analysis
 * Systems Affected
 * Approve Distribution
 * Remediation Status
 * Secunia CVSS Score
 * CVSS

https://ca.secunia.com/?page=viewadvisory&vuln_id=43207

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
 * AUTOMATED SCANNING

http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious, local users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks and compromise a user's system.

1) An unspecified error related to library loading can be exploited
to execute arbitrary code.

2) An unspecified error can be exploited to corrupt memory.

3) An unspecified error related to file permissions in Windows-based
versions can be exploited to gain escalated privileges.

4) An unspecified error may allow code execution.

5) An unspecified error when parsing images can be exploited to
corrupt memory.

6) An error in AcroRd32.dll when parsing certain images can be
exploited to corrupt memory.

7) An unspecified error in the Macintosh-based versions may allow
code execution.

8) An unspecified error related to library loading can be exploited
to execute arbitrary code.

9) An unspecified error may allow code execution.

10) A input validation error may allow code execution.

11) An input validation error can be exploited to conduct cross-site
scripting attacks.

12) An unspecified error related to library loading can be exploited
to execute arbitrary code.

13) An unspecified error can be exploited to corrupt memory. 

14) A boundary error when decoding U3D image data in an IFF file can
be exploited to cause a buffer overflow.

15) A boundary error when decoding U3D image data in a RGBA file can
be exploited to cause a buffer overflow.

16) A boundary error when decoding U3D image data in a BMP file can
be exploited to cause a buffer overflow.

17) A boundary error when decoding U3D image data in a PSD file can
be exploited to cause a buffer overflow.

18) An input validation error when parsing fonts may allow code
execution.

19) A boundary error when decoding U3D image data in a FLI file can
be exploited to cause a buffer overflow.

20) An  error in 2d.dll when parsing height and width values of RLE_8
compressed BMP files can be exploited to cause a heap-based buffer
overflow.

21) An integer overflow in ACE.dll when parsing certain ICC data can
be exploited to cause a buffer overflow.

22) A boundary error in rt3d.dll when parsing bits per pixel and
number of colors if 4/8-bit RLE compressed BMP files can be exploited
to cause a heap-based buffer overflow.

23) An error in the U3D implementation when handling the Parent Node
count can be exploited to cause a buffer overflow.

24) A boundary error when processing JPEG files embedded in a PDF
file can be exploited to corrupt heap memory.

25) An unspecified error when parsing images may allow code
execution.

26) An input validation error can be exploited to conduct cross-site
scripting attacks.

27) An unspecified error in the Macintosh-based versions may allow
code execution.

28) A boundary error in rt3d.dll when parsing certain files can be
exploited to cause a stack-based buffer overflow.

29) An integer overflow in the U3D implementation when parsing a ILBM
texture file can be exploited to cause a buffer overflow.

30) Some vulnerabilities are caused due to vulnerabilities in the
bundled version of Adobe Flash Player.

For more information:
SA43267

The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1
and prior, and 10.0 and prior.

SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.

Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.

The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.

ORIGINAL ADVISORY:
Adobe (APSB11-03)
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/

FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------