Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Adobe May 2014 Patch Tuesday SANS ISC InfoSec Forums

Special Webcast: What you need to know about the crypt32.dll vulnerability. Register Now

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Adobe May 2014 Patch Tuesday

We are now up to 3 bulletins from Adobe.

TL;DR ? Current versions in one simple table (I hope I got that right):

Current Adobe Software Versions
  Windows OS X Linux
Adobe Reader XI 11.0.07 11.0.07 -
Adobe Reader X 10.1.10 10.1.10 -
Adobe Flash Player 13 13.0.0.214 13.0.0.214 11.2.202.359
Adobe Flash Player (Google Chrome) 13.0.0.214 13.0.0.214 13.0.0.214
Adobe Flash Player (MSFT Internet Expl) 13.0.0.214 - -
Adobe Air SDK 13.0.0.111    
Adobe Illustrator Subscription 16.2.2 16.2.2  
Adobe Illustrator Non-Subscription 16.0.5 16.0.5  



 

 

APSB14-14: covering Flash Player [1]. It fixes 6 different vulnerabilities, one of which was found earlier this year during the pwn2own contest (CVE-2014-0510).

These vulnerabilities affect Windows, Linux and OS X. Adobe assigned them "Priority 1" indicating that they may have been used in targeted exploits. This makes this a "Patch Now!" vulnerability for us.

CVE-2014-0510: pwn2own vulnerability. remote code execution with sandbox bypass.
CVE-2014-0516: Same origin bypass
CVE-2014-0517: Security feature bypass
CVE-2014-0518: Security feature bypass
CVE-2014-0519: Security feature bypass
CVE-2014-0520: Security feature bypass

APSB14-15: For Adobe Acrobat and Reader [2]

CVE-2014-0511: pwn2own vulnerability. remote code execution wiht sandbox bypass
CVE-2014-0512: pwn2own vulnerability. remote code execution wiht sandbox bypass
CVE-2014-0521: information disclosure in Javascript API
CVE-2014-0522: code execution (memory corruption)
CVE-2014-0523: code execution (memory corruption)
CVE-2014-0524: code execution (memory corruption)
CVE-2014-0525: code exectution (use after free?)
CVE-2014-0526: code execution (memory corruption)
CVE-2014-0527: code execution (use after free)
CVE-2014-0528: code execution (double free)
CVE-2014-0529: code execution (buffer overflow)

Like the Flash bulletin, this one is rated "Priority 1".

APSB14-11: Hotfix for Adobe Illustrator

CVE-2014-0513: code execution (Stack Overflow)

This bulletin is only rated "Priority 3".
 

[1] http://helpx.adobe.com/security/products/flash-player/apsb14-14.html
[2] http://helpx.adobe.com/security/products/reader/apsb14-15.html
[3] http://helpx.adobe.com/security/products/illustrator/apsb14-11.html

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

 Johannes

3735 Posts
ISC Handler
Subscribe May 13th 2014
5 years ago
Looks like there are a couple more

http://helpx.adobe.com/security/products/reader/apsb14-15.html

http://helpx.adobe.com/security/products/illustrator/apsb14-11.html
 Anonymous
Quote May 13th 2014
5 years ago

Sign Up for Free or Log In to start participating in the conversation!