Adobe Reader < 11.0.16 / 15.006.30172 / 15.016.20039 Multiple Vulnerabilities (APSB16-14) (Mac OS X)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The version of Adobe Reader installed on the remote Mac OS X host is
affected by multiple vulnerabilities.

Description :

The version of Adobe Reader installed on the remote Mac OS X host is
prior to 11.0.16, 15.006.30172, or 15.016.20039. It is, therefore,
affected by multiple vulnerabilities :

- Multiple use-after-free errors exist that allow an
attacker to execute arbitrary code. (CVE-2016-1045,
CVE-2016-1046, CVE-2016-1047, CVE-2016-1048,
CVE-2016-1049, CVE-2016-1050, CVE-2016-1051,
CVE-2016-1052, CVE-2016-1053, CVE-2016-1054,
CVE-2016-1055, CVE-2016-1056, CVE-2016-1057,
CVE-2016-1058, CVE-2016-1059, CVE-2016-1060,
CVE-2016-1061, CVE-2016-1065, CVE-2016-1066,
CVE-2016-1067, CVE-2016-1068, CVE-2016-1069,
CVE-2016-1070, CVE-2016-1075, CVE-2016-1094,
CVE-2016-1121, CVE-2016-1122, CVE-2016-4102,
CVE-2016-4107)

- Multiple heap buffer overflow conditions exist that
allow an attacker to execute arbitrary code.
(CVE-2016-4091, CVE-2016-4092)

- Multiple memory corruption issues exist that allow an
attacker to execute arbitrary code. (CVE-2016-1037,
CVE-2016-1063, CVE-2016-1064, CVE-2016-1071,
CVE-2016-1072, CVE-2016-1073, CVE-2016-1074,
CVE-2016-1076, CVE-2016-1077, CVE-2016-1078,
CVE-2016-1080, CVE-2016-1081, CVE-2016-1082,
CVE-2016-1083, CVE-2016-1084, CVE-2016-1085,
CVE-2016-1086, CVE-2016-1088, CVE-2016-1093,
CVE-2016-1095, CVE-2016-1116, CVE-2016-1118,
CVE-2016-1119, CVE-2016-1120, CVE-2016-1123,
CVE-2016-1124, CVE-2016-1125, CVE-2016-1126,
CVE-2016-1127, CVE-2016-1128, CVE-2016-1129,
CVE-2016-1130, CVE-2016-4088, CVE-2016-4089,
CVE-2016-4090, CVE-2016-4093, CVE-2016-4094,
CVE-2016-4096, CVE-2016-4097, CVE-2016-4098,
CVE-2016-4099, CVE-2016-4100, CVE-2016-4101,
CVE-2016-4103, CVE-2016-4104, CVE-2016-4105,
CVE-2016-4119)

- An integer overflow vulnerability exists that allows an
attacker to execute arbitrary code. (CVE-2016-1043)

- Multiple memory leak issues exist that allow an attacker
to have an unspecified impact. (CVE-2016-1079,
CVE-2016-1092)

- An unspecified flaw exists that allows an attacker to
disclose sensitive information. (CVE-2016-1112)

- Multiple vulnerabilities exist that allow an attacker to
bypass restrictions on JavaScript API execution.
(CVE-2016-1038, CVE-2016-1039, CVE-2016-1040,
CVE-2016-1041, CVE-2016-1042, CVE-2016-1044,
CVE-2016-1062, CVE-2016-1117)

- Multiple flaws exist when loading dynamic-link
libraries. An attacker can exploit this, via a specially
crafted .dll file, to execute arbitrary code.
(CVE-2016-1087, CVE-2016-1090, CVE-2016-4106)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
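
The version-only check described in the note above, as an added example (not Tenable's plugin code): each reported version is compared against the fixed build of its own release track, so a host on 15.006.30172 is not flagged merely because that number is lower than 15.016.20039. The track labels, the major/minor rule used to pick a track, and the sample inventory are assumptions of this example.

```python
import re

# Fixed builds from the advisory, keyed by release track. The track labels and
# the major/minor rule in track_for() are assumptions of this example.
FIXED = {
    "11.x": (11, 0, 16),
    "15.006": (15, 6, 30172),
    "15.016": (15, 16, 20039),
}

def parse_version(text):
    """'15.006.30119' -> (15, 6, 30119); None unless the form is N.N.N."""
    text = text.strip()
    if not re.fullmatch(r"\d+\.\d+\.\d+", text):
        return None
    return tuple(int(part) for part in text.split("."))

def track_for(version):
    """Choose which fixed build a version is compared against."""
    major, minor, _build = version
    if major == 11:
        return "11.x"
    if major == 15:
        return "15.006" if minor == 6 else "15.016"
    return None

def assess(text):
    """Return 'vulnerable', 'fixed' or 'unknown' for a reported version."""
    version = parse_version(text)
    track = track_for(version) if version else None
    if track is None:
        return "unknown"  # unparseable or outside the tracks listed above
    return "vulnerable" if version < FIXED[track] else "fixed"

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("mac-01", "11.0.15"),
    ("mac-02", "15.006.30172"),
    ("mac-03", "15.010.20060"),
    ("mac-04", "10.1.4"),
    ("mac-05", "not installed"),
]

if __name__ == "__main__":
    for host, reported in INVENTORY:
        print(f"{host}\t{reported}\t{assess(reported)}")
```

Hosts reported as "unknown" need manual review, since a version outside the three listed tracks cannot be judged from this advisory alone.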

See also :

https://helpx.adobe.com/security/products/acrobat/apsb16-14.html

Solution :

Upgrade to Adobe Reader version 11.0.16 / 15.006.30172 / 15.016.20039
or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true