Adobe Thwarts Critical Vulnerabilities with Multiple Software Updates

Adobe Systems has released a series of new security updates to patch critical vulnerabilities in its products. The company released Adobe Flash Player 13.0.0.214, in addition to new versions of Adobe Reader and Acrobat, and a security hotfix for Adobe Illustrator (CS6).

The Adobe Flash update thwarts 6 vulnerabilities in the Mac and Windows products. “These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system,” described Adobe’s security bulletin (APSB14-14).

Affected Flash Player versions include: Adobe Flash Player 13.0.0.206 and earlier for Mac and Windows, Adobe Flash Player 11.2.202.356 and earlier versions for Linux, and Adobe AIR 13.0.0.83 SDK and earlier versions.

The vulnerabilities addressed in the Flash Player update are described as follows:

  • These updates resolve a use-after-free vulnerability that could result in arbitrary code execution (CVE-2014-0510): “Heap-based buffer overflow in Adobe Flash Player 12.0.0.77 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism via unspecified vectors, as demonstrated by Zeguang Zhao and Liang Chen during a Pwn2Own competition at CanSecWest 2014.”
  • These updates resolve a vulnerability that could be used to bypass the same origin policy (CVE-2014-0516).
  • These updates resolve security bypass vulnerabilities (CVE-2014-0517, CVE-2014-0518, CVE-2014-0519, CVE-2014-0520).

Adobe’s Acrobat and Reader updates address 11 vulnerabilities in the Mac and Windows products. “These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system,” described Adobe’s security bulletin (APSB14-15).

Affected Adobe Reader and Acrobat versions include: Adobe Reader XI (11.0.06) and earlier 11.x versions for Mac and Windows, Adobe Reader X (10.1.9) and earlier 10.x versions for Mac and Windows, Adobe Acrobat XI (11.0.06) and earlier 11.x versions for Mac and Windows, and Adobe Acrobat X (10.1.9) and earlier 10.x versions for Mac and Windows.

Following are descriptions of the vulnerabilities addressed in the Reader and Acrobat updates:

  • These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2014-0511): “Heap-based buffer overflow in Adobe Reader 11.0.06 allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2014.”
  • These updates resolve an input validation error that could lead to a security bypass (CVE-2014-0512): “Adobe Reader 11.0.06 allows attackers to bypass a PDF sandbox protection mechanism via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2014.”
  • These updates resolve a vulnerability in the implementation of JavaScript APIs that could lead to information disclosure (CVE-2014-0521).
  • These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-0522, CVE-2014-0523, CVE-2014-0524, CVE-2014-0526).
  • These updates resolve a vulnerability in the way Reader handles certain API calls to unmapped memory that could lead to code execution (CVE-2014-0525).
  • These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2014-0527).
  • These updates resolve a double-free vulnerability that could lead to code execution (CVE-2014-0528).
  • These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2014-0529).

The Illustrator update addresses 1 vulnerability in the Mac and Windows products. “This hotfix addresses a vulnerability that could be exploited to gain remote code execution on the affected system,” described Adobe’s security bulletin (APSB14-11).

Affected Illustrator versions include: Adobe Illustrator for CS6 version 16.2 and earlier for Windows (subscription), Adobe Illustrator for CS6 version 16.2.1 and earlier for Mac (subscription), Adobe Illustrator for CS6 version 16.0.3 and earlier for Windows (non-subscription), and Adobe Illustrator for CS6 version 16.0.4 and earlier for Mac (non-subscription).

The vulnerability resolved in Adobe’s Illustrator update is described as follows:

These updates resolve a stack overflow vulnerability that could result in arbitrary code execution (CVE-2014-0513).

Users of Adobe Flash Player 13.0.0.206 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 13.0.0.214 immediately.

Users of Adobe Flash Player 11.2.202.356 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.359. Adobe Flash Player 13.0.0.206 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 13.0.0.214 for Windows, Macintosh and Linux. Users of Adobe AIR 13.0.0.83 SDK and earlier versions should update to the Adobe AIR 13.0.0.111 SDK.

Users of Adobe Reader and Acrobat for Mac and Windows can get updates by using the product's update mechanism. (Update checks can be manually activated by choosing Help > Check for Updates.) Lastly, users of Adobe Illustrator can follow Adobe's instructions for updating the software in this PDF.
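As an added example (not from this article or from Adobe), the following Python script turns the affected-version ranges quoted above into a patch-compliance check over an inventory; the product and platform keys and the hostnames are constructed. It compares version components numerically, which matters here because a plain string comparison sorts 13.0.0.214 before 13.0.0.83 and treats 11.0.06 and 11.0.6 as different builds.

```python
from typing import Dict, List, Optional, Tuple
def parse_version(text: str) -> Tuple[int, ...]:
    """'13.0.0.214' -> (13, 0, 0, 214); '11.0.06' -> (11, 0, 6)."""
    return tuple(int(part) for part in text.strip().split("."))

def version_le(a: str, b: str) -> bool:
    """Numeric a <= b, zero-padded so '16.2' equals '16.2.0'.  A plain string
    comparison would wrongly sort '13.0.0.214' before '13.0.0.83'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) <= vb + (0,) * (width - len(vb))

# (product, platform) -> [(branch, last affected version)], copied from the
# ranges quoted in the article.  A rule applies only to builds whose leading
# components equal `branch` (empty = any build).  Keys are my own labels.
AFFECTED: Dict[Tuple[str, str], List[Tuple[Tuple[int, ...], str]]] = {
    ("flash", "windows"):   [((), "13.0.0.206")],
    ("flash", "mac"):       [((), "13.0.0.206")],
    ("flash", "linux"):     [((), "11.2.202.356")],
    ("air-sdk", "any"):     [((), "13.0.0.83")],
    ("reader", "windows"):  [((11,), "11.0.06"), ((10,), "10.1.9")],
    ("reader", "mac"):      [((11,), "11.0.06"), ((10,), "10.1.9")],
    ("acrobat", "windows"): [((11,), "11.0.06"), ((10,), "10.1.9")],
    ("acrobat", "mac"):     [((11,), "11.0.06"), ((10,), "10.1.9")],
    ("illustrator-cs6-sub", "windows"):    [((16,), "16.2")],
    ("illustrator-cs6-sub", "mac"):        [((16,), "16.2.1")],
    ("illustrator-cs6-nonsub", "windows"): [((16,), "16.0.3")],
    ("illustrator-cs6-nonsub", "mac"):     [((16,), "16.0.4")],
}

def is_affected(product: str, platform: str, installed: str) -> Optional[bool]:
    """True/False = inside/past the affected range; None = not covered here."""
    for branch, last_bad in AFFECTED.get((product.lower(), platform.lower()), []):
        if parse_version(installed)[:len(branch)] == branch:
            return version_le(installed, last_bad)
    return None

# Constructed inventory (hostnames are made up) to show how the check is used.
INVENTORY = [
    ("ws01", "flash", "windows", "13.0.0.206"),   # last affected build
    ("ws02", "flash", "windows", "13.0.0.214"),   # fixed build
    ("mac01", "reader", "mac", "11.0.06"),        # affected
    ("mac02", "acrobat", "mac", "10.1.10"),       # 10.x but newer than 10.1.9
    ("srv01", "flash", "linux", "11.2.202.359"),  # fixed build
    ("ws03", "illustrator-cs6-sub", "windows", "16.2.0"),  # same as 16.2
]
def audit(inventory=INVENTORY) -> List[str]:
    """Hosts still running a build inside one of the affected ranges."""
    return [host for host, prod, plat, ver in inventory if is_affected(prod, plat, ver)]
```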