The vulnerabilities are considered critical and they’ve been assigned a priority rating of 1, which means that they’re either being targeted, or they have a high risk of being targeted. Adobe recommends system administrators to update installations as soon as possible, preferably within 72 hours.
The flaws affecting Reader and Acrobat have been assigned the following CVE identifiers: CVE-2014-0511, CVE-2014-0512, CVE-2014-0521, CVE-2014-0522, CVE-2014-0523, CVE-2014-0524, CVE-2014-0525, CVE-2014-0526, CVE-2014-0527, CVE-2014-0528 and CVE-2014-0529.
CVE-2014-0511 and CVE-2014-0512 have been responsibly disclosed by French security research company VUPEN at the 2014 Pwn2Own competition that took place earlier this year alongside the CanSecWest conference in Vancouver. The vulnerabilities can be exploited to bypass a PDF sandbox protection mechanism and remotely execute arbitrary code.
The other Reader and Acrobat security holes fixed by Adobe with these latest updates are:
- – CVE-2014-0522, CVE-2014-0523, CVE-2014-0524, CVE-2014-0526: memory corruption vulnerabilities that could lead to code execution, the first three being reported by Wei Lei and Wu Hongjun of the Nanyang Technological University, and the last one by Pedro Ribeiro of Agile Information Security and Honglin Long;
- – CVE-2014-0525: possible code execution vulnerability caused by the way Reader handles certain API calls to unmapped memory, reported by Yuki Chen of Trend Micro;
- – CVE-2014-0527: use-after-free vulnerability that could lead to code execution, reported by chkr_d591 through HP’s Zero Day Initiative;
- – CVE-2014-0528: double-free issue that could potentially lead to code execution, reported by Sune Vuorela of Ange Optimization;
- – CVE-2014-0529: buffer overflow vulnerability that could lead to code execution, reported by Venustech Active-Defense Lab;
As far as Adobe Flash is concerned, the six vulnerabilities that have been fixed have the following CVE identifiers: CVE-2014-0510, CVE-2014-0516, CVE-2014-0517, CVE-2014-0518, CVE-2014-0519, CVE-2014-0520.
CVE-2014-0510 is the one reported by Zeguang Zhao of team509 and Liang Chen of Keen Team at Pwn2Own 2014. It refers to a use-after-free vulnerability that can be exploited for arbitrary code execution.
CVE-2014-0516 is a security hole reported by Masato Kinugawa that could be used to bypass the same origin policy. CVE-2014-0517, CVE-2014-0518, CVE-2014-0519 and CVE-2014-0520 are all vulnerabilities reported by James Forshaw of Contextis. The bugs can be leveraged to bypass security mechanisms.
It’s worth noting that the Flash Player vulnerability disclosed by VUPEN at Pwn2Own was addressed by Adobe with the security updates released on April 8, 2014.