Adobe Acrobat < 11.0.18 / 15.006.30243 / 15.020.20039 Multiple Vulnerabilities (APSB16-33) (macOS)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The version of Adobe Acrobat installed on the remote macOS or Mac OS
X host is affected by multiple vulnerabilities.

Description :

The version of Adobe Acrobat installed on the remote macOS or Mac OS X
host is prior to 11.0.18, 15.006.30243, or 15.020.20039. It is,
therefore, affected by multiple vulnerabilities :

- Multiple use-after-free errors exist that allow an
unauthenticated, remote attacker to execute arbitrary
code. (CVE-2016-1089, CVE-2016-1091, CVE-2016-6944,
CVE-2016-6945, CVE-2016-6946, CVE-2016-6949,
CVE-2016-6952, CVE-2016-6953, CVE-2016-6961,
CVE-2016-6962, CVE-2016-6963, CVE-2016-6964,
CVE-2016-6965, CVE-2016-6967, CVE-2016-6968,
CVE-2016-6969, CVE-2016-6971, CVE-2016-6979,
CVE-2016-6988, CVE-2016-6993)

- Multiple heap buffer overflow conditions exist that
allow an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2016-6939, CVE-2016-6994)

- Multiple memory corruption issues exist that allow an
unauthenticated, remote attacker to execute arbitrary
code. (CVE-2016-6940, CVE-2016-6941, CVE-2016-6942,
CVE-2016-6943, CVE-2016-6947, CVE-2016-6948,
CVE-2016-6950, CVE-2016-6951, CVE-2016-6954,
CVE-2016-6955, CVE-2016-6956, CVE-2016-6959,
CVE-2016-6960, CVE-2016-6966, CVE-2016-6970,
CVE-2016-6972, CVE-2016-6973, CVE-2016-6974,
CVE-2016-6975, CVE-2016-6976, CVE-2016-6977,
CVE-2016-6978, CVE-2016-6995, CVE-2016-6996,
CVE-2016-6997, CVE-2016-6998, CVE-2016-7000,
CVE-2016-7001, CVE-2016-7002, CVE-2016-7003,
CVE-2016-7004, CVE-2016-7005, CVE-2016-7006,
CVE-2016-7007, CVE-2016-7008, CVE-2016-7009,
CVE-2016-7010, CVE-2016-7011, CVE-2016-7012,
CVE-2016-7013, CVE-2016-7014, CVE-2016-7015,
CVE-2016-7016, CVE-2016-7017, CVE-2016-7018,
CVE-2016-7019)

- A security bypass vulnerability exists that allows an
unauthenticated, remote attacker to bypass restrictions
on JavaScript API execution. (CVE-2016-6957)

- An unspecified security bypass vulnerability exists that
allows an unauthenticated, remote attacker to bypass
security restrictions. (CVE-2016-6958)

- An integer overflow condition exists that allows an
unauthenticated, remote attacker to execute arbitrary
code. (CVE-2016-6999)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

https://helpx.adobe.com/security/products/acrobat/apsb16-33.html

Solution :

Upgrade to Adobe Acrobat version 11.0.18 / 15.006.30243 / 15.020.20039
or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true