Accessibility

Security bulletin

Security updates available for Adobe Reader and Acrobat

Release date: October 5, 2010

Vulnerability identifier: APSB10-21

CVE Numbers: CVE-2010-2883, CVE-2010-2884, CVE-2010-2887, CVE-2010-2888,
CVE-2010-2889, CVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3621,
CVE-2010-3622, CVE-2010-3623, CVE-2010-3624, CVE-2010-3625, CVE-2010-3626,
CVE-2010-3627, CVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3631,
CVE-2010-3632, CVE-2010-3656, CVE-2010-3657, CVE-2010-3658

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Reader 9.3.4 (and earlier versions) for
Windows, Macintosh and UNIX, Adobe Acrobat 9.3.4 (and earlier versions) for Windows and
Macintosh, and Adobe Reader 8.2.4 (and earlier versions) and Adobe Acrobat 8.2.4 (and earlier
versions) for Windows and Macintosh. These vulnerabilities, including CVE-2010-2883,
referenced in Security Advisory APSA10-02, and CVE-2010-2884 referenced in the Adobe Flash
Player Security Bulletin APSB10-22, could cause the application to crash and could potentially
allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh
and UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh,
who cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.)
Adobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and
Macintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and
earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5.

Note that the October 5, 2010 updates represent an accelerated release of the next quarterly
security update originally scheduled for October 12, 2010. With this accelerated schedule, Adobe
will not release additional updates for Adobe Reader and Acrobat on October 12, 2010. The next
quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.

Affected software versions

  • Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
  • Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

SOLUTION

Adobe recommends users update their software installations by following the instructions below:

Adobe Reader
Users on Windows and Macintosh can utilize the product's update mechanism. The default
configuration is set to run automatic update checks on a regular schedule and can be manually
activated by choosing Help > Check for Updates.

Adobe Reader users on Windows can also find the appropriate update here:
http://get.adobe.com/reader/.

Adobe Reader users on Macintosh can also find the appropriate update here:
http://get.adobe.com/reader/.

Adobe Reader users on UNIX can find the appropriate update here:*
ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.4.0.
*Note: Adobe Reader 9.4 for UNIX will be available from the Adobe Reader Download Center at
http://get.adobe.com/reader/ by October 21, 2010.

Adobe Acrobat
Users can utilize the product's update mechanism. The default configuration is set to run
automatic update checks on a regular schedule and can be manually activated by choosing Help >
Check for Updates.

Acrobat Standard and Pro users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.

Acrobat 3D users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

Severity rating

Adobe categorizes these as critical updates and recommends that users apply the latest updates
for their product installations by following the instructions in the "Solution" section above.

DETAILS

Critical vulnerabilities have been identified in Adobe Reader 9.3.4 (and earlier versions) for
Windows, Macintosh and UNIX, Adobe Acrobat 9.3.4 (and earlier versions) for Windows and
Macintosh, and Adobe Reader 8.2.4 (and earlier versions) and Adobe Acrobat 8.2.4 (and earlier
versions) for Windows and Macintosh. These vulnerabilities, including CVE-2010-2883,
referenced in Security Advisory APSA10-02, and CVE-2010-2884 referenced in the Adobe Flash
Player Security Bulletin APSB10-22, could cause the application to crash and could potentially
allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh
and UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh,
who cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.)
Adobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and
Macintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and
earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5.

This update resolves a font-parsing input validation vulnerability that could lead to code
execution (CVE-2010-2883).
Note: There are reports that this issue is being actively exploited in the wild.

This update resolves a memory corruption vulnerability in the authplay.dll component that could
lead to code execution (CVE-2010-2884).

This update resolves multiple potential Linux-only privilege escalation issues (CVE-2010-2887).

This update resolves multiple input validation errors that could lead to code execution (Windows,
ActiveX only) (CVE-2010-2888).

This update resolves a font-parsing input validation vulnerability that could lead to code
execution (CVE-2010-2889).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-2890).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-3619).

This update resolves an image-parsing input validation vulnerability that could lead to code
execution (CVE-2010-3620).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-3621).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-3622).

This update resolves a memory corruption vulnerability that could lead to code execution
(Macintosh platform only) (CVE-2010-3623).

This update resolves an image-parsing input validation vulnerability that could lead to code
execution (Macintosh platform only) (CVE-2010-3624).

This update resolves a prefix protocol handler vulnerability that could lead to code execution
(CVE-2010-3625).

This update resolves a font-parsing input validation vulnerability that could lead to code
execution (CVE-2010-3626).

This update resolves an input validation vulnerability that could lead to code execution
(CVE-2010-3627).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-3628).

This update resolves an image-parsing input validation vulnerability that could lead to code
execution (CVE-2010-3629).

This update resolves a denial of service vulnerability; arbitrary code execution has not been
demonstrated, but may be possible (CVE-2010-3630).

This update resolves an array-indexing vulnerability that could lead to code execution
(Macintosh platform only) (CVE-2010-3631).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-3632).

This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-3658)

This update resolves a denial of service issue (CVE-2010-3656).

This update resolves a denial of service issue (CVE-2010-3657).

ACKNOWLEDGMENTS

Adobe would like to thank the following individuals and organizations for reporting the relevant
issues and for working with Adobe to help protect our customers: