Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Published: 2009-10-19
Updated: 2018-10-30
Summary
Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors. Per: http://www.adobe.com/support/security/bulletins/apsb09-15.html This update resolves a memory corruption issue that could potentially lead to code execution. This issue is specific to Acrobat and does not affect Adobe Reader. (CVE-2009-3460). NOTE: this issue is resolved in the Acrobat 9.2 and 8.1.7 updates. Per: http://www.adobe.com/support/security/bulletins/apsb09-15.html Solution Acrobat Acrobat Standard and Pro users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows. Acrobat Pro Extended users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows Acrobat 3D users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows. Acrobat Pro users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.
Vulnerable Configurations
| Part | Description | Count |
| Application | Adobe | 85 |
Common Weakness Enumeration (CWE)
Nessus
| NASL family | Windows |
| NASL id | ADOBE_ACROBAT_APSB09-15.NASL |
| description | The version of Adobe Acrobat installed on the remote host is earlier than 9.2 / 8.1.7 / 7.1.4. Such versions are reportedly affected by multiple vulnerabilities : - A heap overflow vulnerability. (CVE-2009-3459) - A memory corruption issue. (CVE-2009-2985) - Multiple heap overflow vulnerabilities. (CVE-2009-2986) - An invalid array index issue that could lead to code execution. (CVE-2009-2990) - Multiple input validation vulnerabilities that could lead to code execution. (CVE-2009-2993) - A buffer overflow issue. (CVE-2009-2994) - A heap overflow vulnerability. (CVE-2009-2997) - An input validation issue that could lead to code execution. (CVE-2009-2998) - An input validation issue that could lead to code execution. (CVE-2009-3458) - A memory corruption issue. (CVE-2009-3460) - An issue that could allow a malicious user to bypass file extension security controls. (CVE-2009-3461) - An integer overflow vulnerability. (CVE-2009-2989) - A memory corruption issue that leads to a denial of service. (CVE-2009-2983) - An integer overflow that leads to a denial of service. (CVE-2009-2980) - A memory corruption issue that leads to a denial of service. (CVE-2009-2996) - An image decoder issue that leads to a denial of service. (CVE-2009-2984) - An input validation issue that could lead to a bypass of Trust Manager restrictions. (CVE-2009-2981) - A certificate is used that, if compromised, could be used in a social engineering attack. (CVE-2009-2982) - A stack overflow issue that could lead to a denial of service. (CVE-2009-3431) - A XMP-XML entity expansion issue that could lead to a denial of service attack. (CVE-2009-2979) - A remote denial of service issue in the ActiveX control. (CVE-2009-2987) - An input validation issue. (CVE-2009-2988) - An input validation issue specific to the ActiveX control. (CVE-2009-2992) - A cross-site scripting issue when the browser plugin in used with Google Chrome and Opera browsers. (CVE-2007-0048, CVE-2007-0045) |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 42119 |
| published | 2009-10-14 |
| reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/42119 |
| title | Adobe Acrobat < 9.2 / 8.1.7 / 7.1.4 Multiple Vulnerabilities (APSB09-15) |
Oval
| accepted | 2013-08-12T04:09:36.594-04:00 |
| class | vulnerability |
| contributors | | name | Chandan S | | organization | SecPod Technologies |
| name | Benjamin Marandel | | organization | Marandel.net |
| name | Shane Shaffer | | organization | G2, Inc. |
| name | Shane Shaffer | | organization | G2, Inc. |
| name | Sergey Artykhov | | organization | ALTX-SOFT |
| name | Sergey Artykhov | | organization | ALTX-SOFT |
| name | Sergey Artykhov | | organization | ALTX-SOFT |
| name | Shane Shaffer | | organization | G2, Inc. |
| name | Maria Kedovskaya | | organization | ALTX-SOFT |
| name | Maria Kedovskaya | | organization | ALTX-SOFT |
| name | Maria Kedovskaya | | organization | ALTX-SOFT |
| name | Maria Kedovskaya | | organization | ALTX-SOFT |
|
| definition_extensions | | comment | Adobe Reader 7 Series is installed | | oval | oval:org.mitre.oval:def:6377 |
| comment | Adobe Reader 8 Series is installed | | oval | oval:org.mitre.oval:def:6390 |
| comment | Adobe Reader 9 Series is installed | | oval | oval:org.mitre.oval:def:6523 |
| comment | Adobe Acrobat 7 Series is installed | | oval | oval:org.mitre.oval:def:6213 |
| comment | Adobe Acrobat 8 Series is installed | | oval | oval:org.mitre.oval:def:6452 |
| comment | Adobe Acrobat 9 Series is installed | | oval | oval:org.mitre.oval:def:6013 |
|
| description | Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors. |
| family | windows |
| id | oval:org.mitre.oval:def:6550 |
| status | accepted |
| submitted | 2009-10-23T03:25:55 |
| title | Adobe Reader and Acrobat allow memory corruption |
| version | 18 |
Saint
| bid | 36638 |
| description | Adobe Acrobat Reader U3D CLODMeshContinuation Code Execution |
| id | misc_acroread |
| osvdb | 58926 |
| title | adobe_reader_u3d_clodmeshdeclaration |
| type | client |