Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Adobe May 2014 Patch Tuesday SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Adobe May 2014 Patch Tuesday

We are now up to 3 bulletins from Adobe.

TL;DR ? Current versions in one simple table (I hope I got that right):

Current Adobe Software Versions
  Windows OS X Linux
Adobe Reader XI 11.0.07 11.0.07 -
Adobe Reader X 10.1.10 10.1.10 -
Adobe Flash Player 13 13.0.0.214 13.0.0.214 11.2.202.359
Adobe Flash Player (Google Chrome) 13.0.0.214 13.0.0.214 13.0.0.214
Adobe Flash Player (MSFT Internet Expl) 13.0.0.214 - -
Adobe Air SDK 13.0.0.111    
Adobe Illustrator Subscription 16.2.2 16.2.2  
Adobe Illustrator Non-Subscription 16.0.5 16.0.5  



 

 

APSB14-14: covering Flash Player [1]. It fixes 6 different vulnerabilities, one of which was found earlier this year during the pwn2own contest (CVE-2014-0510).

These vulnerabilities affect Windows, Linux and OS X. Adobe assigned them "Priority 1" indicating that they may have been used in targeted exploits. This makes this a "Patch Now!" vulnerability for us.

CVE-2014-0510: pwn2own vulnerability. remote code execution with sandbox bypass.
CVE-2014-0516: Same origin bypass
CVE-2014-0517: Security feature bypass
CVE-2014-0518: Security feature bypass
CVE-2014-0519: Security feature bypass
CVE-2014-0520: Security feature bypass

APSB14-15: For Adobe Acrobat and Reader [2]

CVE-2014-0511: pwn2own vulnerability. remote code execution wiht sandbox bypass
CVE-2014-0512: pwn2own vulnerability. remote code execution wiht sandbox bypass
CVE-2014-0521: information disclosure in Javascript API
CVE-2014-0522: code execution (memory corruption)
CVE-2014-0523: code execution (memory corruption)
CVE-2014-0524: code execution (memory corruption)
CVE-2014-0525: code exectution (use after free?)
CVE-2014-0526: code execution (memory corruption)
CVE-2014-0527: code execution (use after free)
CVE-2014-0528: code execution (double free)
CVE-2014-0529: code execution (buffer overflow)

Like the Flash bulletin, this one is rated "Priority 1".

APSB14-11: Hotfix for Adobe Illustrator

CVE-2014-0513: code execution (Stack Overflow)

This bulletin is only rated "Priority 3".
 

[1] http://helpx.adobe.com/security/products/flash-player/apsb14-14.html
[2] http://helpx.adobe.com/security/products/reader/apsb14-15.html
[3] http://helpx.adobe.com/security/products/illustrator/apsb14-11.html

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SANS Las Vegas Spring 2020

 Johannes

3834 Posts
ISC Handler
Subscribe May 13th 2014
6 years ago
Looks like there are a couple more

http://helpx.adobe.com/security/products/reader/apsb14-15.html

http://helpx.adobe.com/security/products/illustrator/apsb14-11.html
 Anonymous
Quote May 13th 2014
6 years ago

Sign Up for Free or Log In to start participating in the conversation!