JPCERT-AT-2017-0031
JPCERT/CC
2017-08-09(Initial)
2017-08-30(Update)
<<< JPCERT/CC Alert 2017-08-09 >>>
Alert Regarding Vulnerabilities in Adobe Reader and Acrobat (APSB17-24)
https://www.jpcert.or.jp/english/at/2017/at170031.html
I. Overview
Multiple vulnerabilities exist in Adobe Acrobat Reader, a PDF file
viewing software, and Adobe Acrobat, a PDF file creation and conversion
software. As a result, a remote attacker may terminate Adobe Reader
and Acrobat, or execute arbitrary code by convincing a user to open
contents leveraging the vulnerabilities. For more information, please
refer to the Adobe website.
Security Update Available for Adobe Acrobat and Reader | APSB17-24
https://helpx.adobe.com/security/products/acrobat/apsb17-24.html
** Update: August 30, 2017 Update ************************************
According to Adobe, this update caused regression with XFA forms
functionality which affected some users. Due to a functional regression
in those releases, optional hotfixes were provided to affected customers,
and this restores the vulnerability of CVE-2017-11223 (Critical) which
was fixed in this update. On August 29, updates that fix regression
with XFA forms functionality and vulnerability of CVE-2017-11223 are
released. If you have applied any of the hotfixes, please apply the
security update programs as soon as possible.
For more details, please refer to the following:
Update to Security Bulletin (APSB17-24)
https://blogs.adobe.com/psirt/?p=1484
In addition, Adobe is not aware of exploits in the wild for CVE-2017-11223,
or any of the other issues addressed in the August 8 releases.
**********************************************************************
II. Affected Products
Affected products and versions are as follows:
- Adobe Acrobat Reader DC Continuous (2017.009.20058) and earlier
- Adobe Acrobat Reader DC Classic (2015.006.30306) and earlier
- Adobe Acrobat DC Continuous (2017.009.20058) and earlier
- Adobe Acrobat DC Classic (2015.006.30306) and earlier
- Adobe Acrobat Reader 2017 (2017.008.30051) and earlier
- Adobe Acrobat 2017 (2017.008.30051) and earlier
- Adobe Acrobat XI (11.0.20) and earlier
- Adobe Reader XI (11.0.20) and earlier
III. Solution
Please update Adobe Reader and Acrobat to the latest version listed
below.
** Update: August 30, 2017 Update ************************************
- Adobe Acrobat Reader DC Continuous (2017.012.20098)
- Adobe Acrobat Reader DC Classic (2015.006.30355)
- Adobe Acrobat DC Continuous (2017.012.20098)
- Adobe Acrobat DC Classic (2015.006.30355)
- Adobe Acrobat Reader 2017 (2017.011.30066)
- Adobe Acrobat 2017 (2017.011.30066)
- Adobe Acrobat XI (11.0.21)
- Adobe Reader XI (11.0.21)
In addition, Adobe Acrobat XI (11.0.22) and Adobe Reader XI (11.0.22),
which were provided in response to the regression, fix the vulnerabilities
released in ASPB17-24 including CVE-2017-11223.
**********************************************************************
Acrobat will be updated by starting the product, selecting the menu
"Help (H)", and then clicking "Check for Updates (U)". If an update
from the menu is not available, please download the latest Adobe
Reader and Acrobat from the following URL. For more information,
please refer to the Adobe website.
Adobe.com - New downloads
https://www.adobe.com/support/downloads/new.jsp
IV. References
Adobe Systems Incorporated
Security Update Available for Adobe Acrobat and Reader | APSB17-24
https://helpx.adobe.com/security/products/acrobat/apsb17-24.html
Adobe Systems Incorporated
Security Bulletins Posted
https://blogs.adobe.com/psirt/?p=1480
** Update: August 30, 2017 Update ************************************
Adobe Systems Incorporated
Update to Security Bulletin (APSB17-24)
https://blogs.adobe.com/psirt/?p=1484
**********************************************************************
If you have any information regarding this alert, please contact
JPCERT/CC.
________
Revision History
2017-08-09 First edition
2017-08-30 Updated "I. Overview", "III. Solution" and "IV. References"
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top