Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

The remote host is affected by the vulnerability described in GLSA-201309-10 (Adobe Reader: Arbitrary Code Execution)

    An unspecified vulnerability exists in Adobe Reader.
  Impact :

    An attacker could execute arbitrary code or cause a Denial of Service       condition.
  Workaround :

    There is no known workaround at this time.

Updated acroread packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Adobe Reader allows users to view and print documents in Portable Document Format (PDF).

This update fixes multiple security flaws in Adobe Reader. These flaws are detailed in the Adobe Security bulletin APSB13-15, listed in the References section. A specially crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2013-2549, CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2724, CVE-2013-2725, CVE-2013-2726, CVE-2013-2727, CVE-2013-2729, CVE-2013-2730, CVE-2013-2731, CVE-2013-2732, CVE-2013-2733, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341)

This update also fixes an information leak flaw in Adobe Reader.
(CVE-2013-2737)

All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.5.5, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect.

The version of Adobe Reader installed on the remote Mac OS X host is prior to 11.0.3, 10.1.7, or 9.5.5. It is, therefore, affected by the following vulnerabilities :

  - Unspecified memory corruption issues exist that allow an     attacker to execute arbitrary code. (CVE-2013-2718,     CVE-2013-2719, CVE-2013-2720, CVE-2013-2721,     CVE-2013-2722, CVE-2013-2723, CVE-2013-2725,     CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,     CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,     CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,     CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)

  - An integer underflow condition exists that allows an     attacker to execute arbitrary code. (CVE-2013-2549)

  - A use-after-free error exists that allows an attacker to     bypass the Adobe Reader's sandbox protection.
    (CVE-2013-2550)

  - A flaw exists in the JavaScript API that allows an     attacker to obtain sensitive information.
    (CVE-2013-2737)

  - An unspecified stack overflow condition exists that     allows an attacker to execute arbitrary code.
    (CVE-2013-2724)

  - Multiple unspecified buffer overflow conditions exist     that allow an attacker to execute arbitrary code.
    (CVE-2013-2730, CVE-2013-2733)

  - Multiple unspecified integer overflow conditions exist     that allow an attacker to execute arbitrary code.
    (CVE-2013-2727, CVE-2013-2729)

  - A flaw exists due to improper handling of operating     system domain blacklists. An attacker can exploit this     to have an unspecified impact. (CVE-2013-3342)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Adobe Reader installed on the remote host is earlier than 11.0.3 / 10.1.7 / 9.5.5.  It is, therefore, affected by multiple vulnerabilities :

  - Unspecified memory corruption vulnerabilities exist that     could lead to code execution. (CVE-2013-2718,     CVE-2013-2719, CVE-2013-2720, CVE-2013-2721,     CVE-2013-2722, CVE-2013-2723, CVE-2013-2725,     CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,     CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,     CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,     CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)

  - An integer underflow error exists that could lead to     code execution. (CVE-2013-2549)

  - A use-after-free error exists that could lead to a     bypass of Adobe Reader's sandbox protection.
    (CVE-2013-2550)

  - An unspecified information leakage issue involving a     JavaScript API exists.  (CVE-2013-2737)

  - An unspecified stack overflow issue exists that could     lead to code execution. (CVE-2013-2724)

  - An unspecified buffer overflow error exists that could     lead to code execution. (CVE-2013-2730, CVE-2013-2733)

  - An unspecified integer overflow error exists that could     lead to code execution. (CVE-2013-2727, CVE-2013-2729)

  - A flaw exists in the way Reader handles domains that     have been blacklisted in the operating system.
    (CVE-2013-3342)

The version of Adobe Acrobat installed on the remote host is earlier than 11.0.3 / 10.1.7 / 9.5.5.  It is, therefore, affected by multiple vulnerabilities :

  - Unspecified memory corruption vulnerabilities exist that     could lead to code execution. (CVE-2013-2718,     CVE-2013-2719, CVE-2013-2720, CVE-2013-2721,     CVE-2013-2722, CVE-2013-2723, CVE-2013-2725,     CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,     CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,     CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,     CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)

  - An integer underflow error exists that could lead to     code execution. (CVE-2013-2549)

  - A use-after-free error exists that could lead to a     bypass of Adobe Reader's sandbox protection.
    (CVE-2013-2550)

  - An unspecified information leakage issue involving a     JavaScript API exists.  (CVE-2013-2737)

  - An unspecified stack overflow issue exists that could     lead to code execution. (CVE-2013-2724)

  - An unspecified buffer overflow error exists that could     lead to code execution. (CVE-2013-2730, CVE-2013-2733)

  - An unspecified integer overflow error exists that could     lead to code execution. (CVE-2013-2727, CVE-2013-2729)

  - A flaw exists in the way Reader handles domains that     have been blacklisted in the operating system.
    (CVE-2013-3342)

ID	Name	Product	Family	Severity
69901	GLSA-201309-10 : Adobe Reader: Arbitrary Code Execution	Nessus	Gentoo Local Security Checks	critical
66458	RHEL 5 / 6 : acroread (RHSA-2013:0826)	Nessus	Red Hat Local Security Checks	critical
66411	Adobe Reader < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15) (Mac OS X)	Nessus	MacOS X Local Security Checks	critical
66410	Adobe Reader < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15)	Nessus	Windows	critical
66409	Adobe Acrobat < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15)	Nessus	Windows	critical

Detections

Analytics

CVE-2013-3346

high

Tenable Plugins

critical

critical

critical

critical

critical