[Other] Multiple vulnerabilities in Adobe Reader and Acrobat - APSB11-16


Dear colleagues,

the following warning has just reached us. We are passing this information
on to you unchanged.

CVE-2011-2094 / CVE-2011-2095 / CVE-2011-2096 / CVE-2011-2097 /
CVE-2011-2098 / CVE-2011-2099 / CVE-2011-2100 / CVE-2011-2101 /
CVE-2011-2102 / CVE-2011-2103 / CVE-2011-2104 / CVE-2011-2105 /
CVE-2011-2106 –

Adobe Reader and Acrobat contain multiple vulnerabilities, including in
the parsing of various files, in the execution of embedded script code,
and in the loading of libraries, as well as various 'memory corruption'
errors. In the worst case, a remote attacker can exploit these
vulnerabilities to execute arbitrary commands with the user's privileges
by getting the user to open a specially crafted PDF.

The following software packages and platforms are affected:

Adobe Reader X up to and including version 10.0.1 for Windows
Adobe Reader X up to and including version 10.0.3 for Macintosh
Adobe Reader 9 up to and including version 9.4.4 for Windows and Macintosh
Adobe Reader 8 up to and including version 8.2.6 for Windows and Macintosh
Adobe Acrobat X up to and including version 10.0.3 for Windows and Macintosh
Adobe Acrobat up to and including version 9.4.4 for Windows and Macintosh
Adobe Acrobat up to and including version 8.2.6 for Windows and Macintosh

All versions of Microsoft Windows and MacOS X for which affected
versions of the named programs are available.

The vendor is providing revised packages.

(c) of the German summary held by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,
Michael Groening, DFN-CERT
--

Michael Groening (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic warning messages https://www.cert.dfn.de/autowarn

Security updates available for Adobe Reader and Acrobat

Release date: June 14, 2011
Vulnerability identifier: APSB11-16
CVE numbers: CVE-2011-2094, CVE-2011-2095, CVE-2011-2096, CVE-2011-2097, CVE-2011-2098, CVE-2011-2099, CVE-2011-2100, CVE-2011-2101, CVE-2011-2102, CVE-2011-2103, CVE-2011-2104, CVE-2011-2105, CVE-2011-2106
Platform: Windows and Macintosh

Summary

Critical vulnerabilities have been identified in Adobe Reader X (10.0.1) and earlier versions for Windows, Adobe Reader X (10.0.3) and earlier versions for Macintosh, and Adobe Acrobat X (10.0.3) and earlier versions for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.
These updates also incorporate the Adobe Flash Player updates as noted in Security Bulletin APSB11-12 and Security Bulletin APSB11-13.
Adobe recommends users of Adobe Reader X (10.0.3) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1). For users of Adobe Reader 9.4.4 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1), Adobe has made available updates, Adobe Reader 9.4.5 and Adobe Reader 8.3. Adobe recommends users of Adobe Acrobat X (10.0.3) for Windows and Macintosh update to Adobe Acrobat X (10.1). Adobe recommends users of Adobe Acrobat 9.4.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4.5, and users of Adobe Acrobat 8.2.6 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.3.
The next quarterly security updates for Adobe Reader and Acrobat are currently scheduled for September 13, 2011.

Affected software versions

* Adobe Reader X (10.0.1) and earlier 10.x versions for Windows
* Adobe Reader X (10.0.3) and earlier 10.x versions for Macintosh
* Adobe Reader 9.4.4 and earlier 9.x versions for Windows and Macintosh
* Adobe Reader 8.2.6 and earlier 8.x versions for Windows and Macintosh
* Adobe Acrobat X (10.0.3) and earlier 10.x versions for Windows and Macintosh
* Adobe Acrobat 9.4.4 and earlier 9.x versions for Windows and Macintosh
* Adobe Acrobat 8.2.6 and earlier 8.x versions for Windows and Macintosh

Solution

Adobe recommends users update their software installations by following the instructions below:
Adobe Reader
Users can utilize the product’s update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
Adobe Reader users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.
Adobe Reader users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.
Adobe Acrobat
Users can utilize the product’s update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
Acrobat Standard and Pro users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.
Acrobat Pro Extended users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.
Acrobat 3D users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.
Acrobat Pro users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

Severity rating

Adobe categorizes these as critical updates and recommends that users apply the latest updates for their product installations by following the instructions in the “Solution” section above.

Details

Critical vulnerabilities have been identified in Adobe Reader X (10.0.1) and earlier versions for Windows, Adobe Reader X (10.0.3) and earlier versions for Macintosh, and Adobe Acrobat X (10.0.3) and earlier versions for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader X (10.x) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1). For users of Adobe Reader 9.4.4 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1), Adobe has made available updates, Adobe Reader 9.4.5 and Adobe Reader 8.3. Adobe recommends users of Adobe Acrobat X (10.0.3) for Windows and Macintosh update to Adobe Acrobat X (10.1). Adobe recommends users of Adobe Acrobat 9.4.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4.5, and users of Adobe Acrobat 8.2.6 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.3.
These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2011-2094).
These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2011-2095).
These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2011-2096).
These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2011-2097).
These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-2098).
These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-2099).
These updates resolve a DLL loading vulnerability that could lead to code execution (CVE-2011-2100).
These updates resolve a cross document script execution vulnerability that could lead to code execution (CVE-2011-2101).
These updates resolve a security bypass vulnerability (CVE-2011-2102).
Note: Update is for Adobe Reader and Acrobat X (10.x) only.
These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-2103).
Note: Affects 8.x versions only.
These updates resolve a memory corruption denial of service (CVE-2011-2104).
These updates resolve a memory corruption (CVE-2011-2105).
These updates resolve a memory corruption vulnerability that could lead to code execution (Macintosh only) (CVE-2011-2106).
These updates also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB11-12 and Security Bulletin APSB11-13.
The next quarterly security updates for Adobe Reader and Acrobat are currently scheduled for September 13, 2011.
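
For triaging a software inventory against this bulletin, the affected-version list and the per-CVE scope notes above can be encoded as a check. This is an added example, not part of the Adobe bulletin or the DFN-CERT message; the product and platform labels (`reader`, `acrobat`, `windows`, `macintosh`) and the sample inventory rows are assumptions.

```python
# Added example: APSB11-16 applicability check. Version thresholds and CVE
# scope notes come from the bulletin text; inventory rows are constructed.

FIXED_IN_BRANCH = {10: "10.1", 9: "9.4.5", 8: "8.3"}

# (product, platform, major version) -> last affected version per the bulletin
LAST_AFFECTED = {("reader", "windows", 10): (10, 0, 1),
                 ("reader", "macintosh", 10): (10, 0, 3),
                 ("acrobat", "windows", 10): (10, 0, 3),
                 ("acrobat", "macintosh", 10): (10, 0, 3)}
for _product in ("reader", "acrobat"):
    for _platform in ("windows", "macintosh"):
        LAST_AFFECTED[(_product, _platform, 9)] = (9, 4, 4)
        LAST_AFFECTED[(_product, _platform, 8)] = (8, 2, 6)

ALL_CVES = [f"CVE-2011-{n}" for n in range(2094, 2107)]


def parse_version(text):
    """Return (major, minor, patch); extra build components are ignored."""
    parts = [int(p) for p in text.strip().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def applicable_cves(major, platform):
    """Apply the bulletin's scope notes to the full CVE list."""
    cves = set(ALL_CVES)
    if major != 10:
        cves.discard("CVE-2011-2102")  # note: update is for 10.x only
    if major != 8:
        cves.discard("CVE-2011-2103")  # note: affects 8.x versions only
    if platform != "macintosh":
        cves.discard("CVE-2011-2106")  # Macintosh only
    return sorted(cves)


def assess(product, platform, version):
    """Classify one installation against APSB11-16."""
    ver = parse_version(version)
    key = (product.lower(), platform.lower(), ver[0])
    if key not in LAST_AFFECTED:
        return ("not covered", None, [])
    if ver > LAST_AFFECTED[key]:
        return ("not affected", None, [])
    return ("affected", FIXED_IN_BRANCH[ver[0]], applicable_cves(ver[0], key[1]))


if __name__ == "__main__":
    inventory = [("Reader", "Windows", "10.0.1"), ("Acrobat", "Macintosh", "9.4.5"),
                 ("Reader", "Macintosh", "8.2.6.1")]  # constructed sample rows
    for row in inventory:
        print(row, assess(*row))
```

The second field is the fixed release within the same major branch; for Reader 9.x and 8.x the bulletin's first recommendation is Reader X (10.1), with 9.4.5 and 8.3 offered to users who cannot move to it.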

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

* An anonymous reporter through TippingPoint’s Zero Day Initiative (CVE-2011-2094)
* An anonymous reporter through TippingPoint’s Zero Day Initiative (CVE-2011-2095)
* Tarjei Mandt of Norman (CVE-2011-2096, CVE-2011-2099)
* Secunia Research (CVE-2011-2097)
* Rodrigo Rubira Branco (CVE-2011-2098)
* Mila Parkour (CVE-2011-2100)
* Billy Rios from the Google Security Team (CVE-2011-2101)
* Christian Navarrete of CubilFelino Security Research Lab (CVE-2011-2102)
* Tavis Ormandy of the Google Security Team (CVE-2011-2103)
* Brett Gervasoni of Sense of Security (CVE-2011-2104)
* Will Dormann of CERT (CVE-2011-2105)
* James Quirk of Los Alamos, New Mexico (CVE-2011-2106)
