Adobe Acrobat < 9.2 / 8.1.7 / 7.1.4 Multiple Vulnerabilities (APSB09-15)

This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.


Synopsis :

The version of Adobe Acrobat on the remote Windows host is affected by
multiple vulnerabilities.

Description :

The version of Adobe Acrobat installed on the remote host is earlier
than 9.2 / 8.1.7 / 7.1.4. Such versions are reportedly affected by
multiple vulnerabilities :

- A heap overflow vulnerability. (CVE-2009-3459)

- A memory corruption issue. (CVE-2009-2985)

- Multiple heap overflow vulnerabilities. (CVE-2009-2986)

- An invalid array index issue that could lead to code
execution. (CVE-2009-2990)

- Multiple input validation vulnerabilities that could
lead to code execution. (CVE-2009-2993)

- A buffer overflow issue. (CVE-2009-2994)

- A heap overflow vulnerability. (CVE-2009-2997)

- An input validation issue that could lead to code
execution. (CVE-2009-2998)

- An input validation issue that could lead to code
execution. (CVE-2009-3458)

- A memory corruption issue. (CVE-2009-3460)

- An issue that could allow a malicious user to bypass
file extension security controls. (CVE-2009-3461)

- An integer overflow vulnerability. (CVE-2009-2989)

- A memory corruption issue that leads to a denial of
service. (CVE-2009-2983)

- An integer overflow that leads to a denial of service.
(CVE-2009-2980)

- A memory corruption issue that leads to a denial of
service. (CVE-2009-2996)

- An image decoder issue that leads to a denial of service.
(CVE-2009-2984)

- An input validation issue that could lead to a bypass
of Trust Manager restrictions. (CVE-2009-2981)

- A certificate is used that, if compromised, could be used
in a social engineering attack. (CVE-2009-2982)

- A stack overflow issue that could lead to a denial of
service. (CVE-2009-3431)

- An XMP-XML entity expansion issue that could lead to a
denial of service attack. (CVE-2009-2979)

- A remote denial of service issue in the ActiveX control.
(CVE-2009-2987)

- An input validation issue. (CVE-2009-2988)

- An input validation issue specific to the ActiveX
control. (CVE-2009-2992)

- A cross-site scripting issue when the browser plugin is
used with Google Chrome and Opera browsers.
(CVE-2007-0048, CVE-2007-0045)

See also :

http://www.adobe.com/support/security/bulletins/apsb09-15.html

Solution :

Upgrade to Adobe Acrobat 9.2 / 8.1.7 / 7.1.4 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true