=====================================================================

                           CERT-Renater

               Note d'Information No. 2014/VULN165
_____________________________________________________________________

DATE                : 14/08/2014

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Adobe Reader, Adobe Acrobat
                         versions prior to 11.0.08, 10.1.11.

======================================================================
http://helpx.adobe.com/security/products/reader/apsb14-19.html
______________________________________________________________________

Adobe Security Bulletin

Security Updates available for Adobe Reader and Acrobat


Release date: August 12, 2014

Vulnerability identifier: APSB14-19

Priority: See table below

CVE numbers: CVE-2014-0546

Platform: Windows


Summary

Adobe has released security updates for Adobe Reader and Acrobat XI
(11.0.07) and earlier versions for Windows. These updates address a
vulnerability that could allow an attacker to circumvent sandbox
protection on the Windows platform. Adobe Reader and Acrobat for
Apple's OS X are not affected.

Adobe is aware of evidence that indicates an exploit in the wild is
being used in limited, isolated attacks targeting Adobe Reader users on
Windows. Adobe recommends users update their product installations to
the latest versions:

Users of Adobe Reader XI (11.0.07) and earlier versions for Windows
should update to version 11.0.08.

For users of Adobe Reader X (10.1.10) and earlier versions for Windows,
who cannot update to version 11.0.08, Adobe has made available version
10.1.11.

Users of Adobe Acrobat XI (11.0.07) and earlier versions for Windows
should update to version 11.0.08.

For users of Adobe Acrobat X (10.1.10) and earlier versions for Windows,
who cannot update to version 11.0.08, Adobe has made available version
10.1.11.


Affected software versions

Adobe Reader XI (11.0.07) and earlier 11.x versions for Windows

Adobe Reader X (10.1.10) and earlier 10.x versions for Windows

Adobe Acrobat XI (11.0.07) and earlier 11.x versions for Windows

Adobe Acrobat X (10.1.10) and earlier 10.x versions for Windows


Solution

Adobe recommends users update their software installations by following
the instructions below:


Adobe Reader

Users on Windows can utilize the product's update mechanism. The default
configuration is set to run automatic update checks on a regular
schedule.

Update checks can be manually activated by choosing
Help > Check for Updates.

Adobe Reader users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows


Adobe Acrobat

Users can utilize the product's update mechanism. The default
configuration is set to run automatic update checks on a regular
schedule. Update checks can be manually activated by choosing
Help > Check for Updates.

Acrobat Standard and Pro users on Windows can also find the appropriate
update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Acrobat Pro Extended users on Windows can also find the appropriate
update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows


Priority and severity ratings

Adobe categorizes these updates with the following priority ratings and
recommends users update their installations to the newest versions:

Product 		Updated Version	Platform 	Priority rating

Adobe Reader XI 	(11.0.08) 	Windows 	1
Adobe Reader X 		(10.1.11) 	Windows 	1
Adobe Acrobat XI 	(11.0.08)	Windows 	1
Adobe Acrobat X 	(10.1.11) 	Windows 	1

These updates address critical vulnerabilities in the software.


Details

Adobe has released security updates for Adobe Reader and Acrobat XI
(11.0.07) and earlier versions for Windows. These updates address a
vulnerability that could allow an attacker to circumvent sandbox
protection on the Windows platform. Adobe Reader and Acrobat for
Apple's OS X are not affected.

Adobe is aware of evidence that indicates an exploit in the wild is
being used in limited, isolated attacks targeting Adobe Reader users on
Windows. Adobe recommends users update their product installations to
the latest versions:

Users of Adobe Reader XI (11.0.07) and earlier versions for Windows
should update to version 11.0.08.

For users of Adobe Reader X (10.1.10) and earlier versions for Windows,
who cannot update to version 11.0.08, Adobe has made available version
10.1.11.

Users of Adobe Acrobat XI (11.0.07) and earlier for Windows should
update to version 11.0.08.

For users of Adobe Acrobat X (10.1.10) and earlier versions for Windows,
who cannot update to version 11.0.08, Adobe has made available version
10.1.11.

These updates resolve a sandbox bypass vulnerability that could be
exploited to run native code with escalated privileges on Windows
(CVE-2014-0546).


Acknowledgments

Adobe would like to thank Costin Raiu and Vitaly Kamluk of Kaspersky
Labs (CVE-2014-0546) for working with Adobe to help protect our
customers.


=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================