Security bulletin

Security Advisory for Adobe Reader and Acrobat

Release date: December 6, 2011

Last updated: January 10, 2012

Vulnerability identifier: APSA11-04

CVE number: CVE-2011-2462

Platform: All

Summary

A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Linux, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.

Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing.

Adobe recommends users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). Adobe recommends users of Adobe Acrobat X (10.1.1) for Windows and Macintosh update to Adobe Acrobat X (10.1.2). For more information, please refer to Security Bulletin APSB12-01. Adobe recommends users of Adobe Reader 9.4.6 and earlier 9.x versions for Linux update to Adobe Reader 9.4.7. For more information, see Security Bulletin APSB11-30.

Affected software versions

Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh

Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and Linux

Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh

Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh

Note: Adobe Reader for Android and Adobe Flash Player are not affected by this issue.

Severity rating

Adobe categorizes this as a critical issue.

Details

A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Linux, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh.

This U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows. Adobe Reader X Protected Mode and Acrobat X Protected View mitigations would prevent an exploit of this kind from executing.

Adobe recommends users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). Adobe recommends users of Adobe Acrobat X (10.1.1) for Windows and Macintosh update to Adobe Acrobat X (10.1.2). For more information, please refer to Security Bulletin APSB12-01. Adobe recommends users of Adobe Reader 9.4.6 and earlier 9.x versions for Linux update to Adobe Reader 9.4.7. For more information, see Security Bulletin APSB11-30.

Acknowledgments

Adobe would like to thank Lockheed Martin CIRT and members of the Defense Security Information Exchange for reporting this issue and for working with Adobe to help protect our customers.

Revisions

January 10, 2012 - Advisory updated with information on Adobe Reader and Acrobat X (10.x) for Windows and Macintosh updates, and information on Adobe Reader 9.x for Linux update.

December 16, 2011 - Advisory updated with information on Adobe Reader and Acrobat 9.4.7 for Windows updates.

December 15, 2011 - Advisory updated with information on expected release date.

December 6, 2011 - Advisory released.