Adobe Security Bulletin
Security Update Available for Adobe Acrobat and Reader | APSB17-24
Bulletin ID   Date Published   Priority
APSB17-24     August 8, 2017   2

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address vulnerabilities rated Critical and Important that could potentially allow an attacker to take control of the affected system. 

Affected Versions

Product                               Affected Versions                     Platform
Acrobat DC (Continuous Track)         2017.009.20058 and earlier versions   Windows and Macintosh
Acrobat Reader DC (Continuous Track)  2017.009.20058 and earlier versions   Windows and Macintosh
Acrobat 2017                          2017.008.30051 and earlier versions   Windows and Macintosh
Acrobat Reader 2017                   2017.008.30051 and earlier versions   Windows and Macintosh
Acrobat DC (Classic Track)            2015.006.30306 and earlier versions   Windows and Macintosh
Acrobat Reader DC (Classic Track)     2015.006.30306 and earlier versions   Windows and Macintosh
Acrobat XI                            11.0.20 and earlier versions          Windows and Macintosh
Reader XI                             11.0.20 and earlier versions          Windows and Macintosh

For more information on Acrobat DC, please visit the Acrobat DC FAQ page.

For more information on Acrobat Reader DC, please visit the Acrobat Reader DC FAQ page.

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.

The latest product versions are available to end users via one of the following methods:

  • Users can update their product installations manually by choosing Help > Check for Updates.
  • The products will update automatically, without requiring user intervention, when updates are
    detected.
  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

For IT administrators (managed environments):

  • Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.
  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM
    (Windows), or on Macintosh, Apple Remote Desktop and SSH.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product                               Updated Versions   Platform                Priority Rating   Availability
Acrobat DC (Continuous Track)         2017.012.20098     Windows and Macintosh   2                 Windows, Macintosh
Acrobat Reader DC (Continuous Track)  2017.012.20098     Windows and Macintosh   2                 Download Center
Acrobat 2017                          2017.011.30066     Windows and Macintosh   2                 Windows, Macintosh
Acrobat Reader 2017                   2017.011.30066     Windows and Macintosh   2                 Windows, Macintosh
Acrobat DC (Classic Track)            2015.006.30355     Windows and Macintosh   2                 Windows, Macintosh
Acrobat Reader DC (Classic Track)     2015.006.30355     Windows and Macintosh   2                 Windows, Macintosh
Acrobat XI                            11.0.21            Windows and Macintosh   2                 Windows, Macintosh
Reader XI                             11.0.21            Windows and Macintosh   2                 Windows, Macintosh

Note:

Version 11.0.22 is available to users impacted by the functional regression in XFA forms introduced in 11.0.21 (see here for more details). Both 11.0.22 and 11.0.21 resolve all security vulnerabilities referenced in this bulletin.

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity CVE Numbers
Memory Corruption Remote Code Execution Critical CVE-2017-3016
Memory Corruption Remote Code Execution Critical CVE-2017-3038
Use After Free Remote Code Execution Critical CVE-2017-3113
Insufficient Verification of Data Authenticity Information Disclosure Important CVE-2017-3115
Memory Corruption Remote Code Execution Critical CVE-2017-3116
Heap Overflow Remote Code Execution Critical CVE-2017-3117
Security Bypass Information Disclosure Important CVE-2017-3118
Memory Corruption Remote Code Execution Important CVE-2017-3119
Use After Free Remote Code Execution Critical CVE-2017-3120
Heap Overflow Remote Code Execution Critical CVE-2017-3121
Memory Corruption Information Disclosure Important CVE-2017-3122
Memory Corruption Remote Code Execution Critical CVE-2017-3123
Memory Corruption Remote Code Execution Critical CVE-2017-3124
Memory Corruption Information Disclosure Important CVE-2017-11209
Memory Corruption Information Disclosure Important CVE-2017-11210
Heap Overflow Remote Code Execution Critical CVE-2017-11211
Memory Corruption Remote Code Execution Critical CVE-2017-11212
Memory Corruption Remote Code Execution Critical CVE-2017-11214
Memory Corruption Remote Code Execution Critical CVE-2017-11216
Memory Corruption Information Disclosure Important CVE-2017-11217
Use After Free Remote Code Execution Critical CVE-2017-11218
Use After Free Remote Code Execution Critical CVE-2017-11219
Heap Overflow Remote Code Execution Critical CVE-2017-11220
Type Confusion Remote Code Execution Critical CVE-2017-11221
Memory Corruption Remote Code Execution Critical CVE-2017-11222
Use After Free Remote Code Execution Critical CVE-2017-11223
Use After Free Remote Code Execution Critical CVE-2017-11224
Memory Corruption Remote Code Execution Critical CVE-2017-11226
Memory Corruption Remote Code Execution Critical CVE-2017-11227
Memory Corruption Remote Code Execution Critical CVE-2017-11228
Security Bypass Remote Code Execution Important CVE-2017-11229
Memory Corruption Information Disclosure Important CVE-2017-11230
Use After Free Remote Code Execution Critical CVE-2017-11231
Use After Free Information Disclosure Important CVE-2017-11232
Memory Corruption Information Disclosure Important CVE-2017-11233
Memory Corruption Remote Code Execution Critical CVE-2017-11234
Use After Free Remote Code Execution Critical CVE-2017-11235
Memory Corruption Information Disclosure Important CVE-2017-11236
Memory Corruption Remote Code Execution Critical CVE-2017-11237
Memory Corruption Information Disclosure Critical CVE-2017-11238
Memory Corruption Information Disclosure Critical CVE-2017-11239
Heap Overflow Remote Code Execution Critical CVE-2017-11241
Memory Corruption Information Disclosure Important CVE-2017-11242
Memory Corruption Information Disclosure Important CVE-2017-11243
Memory Corruption Information Disclosure Important CVE-2017-11244
Memory Corruption Information Disclosure Important CVE-2017-11245
Memory Corruption Information Disclosure Important CVE-2017-11246
Memory Corruption Information Disclosure Important CVE-2017-11248
Memory Corruption Information Disclosure Important CVE-2017-11249
Memory Corruption Remote Code Execution Critical CVE-2017-11251
Memory Corruption Information Disclosure Critical CVE-2017-11252
Use After Free Remote Code Execution Important CVE-2017-11254
Memory Corruption Information Disclosure Important CVE-2017-11255
Use After Free Remote Code Execution Critical CVE-2017-11256
Type Confusion Remote Code Execution Critical CVE-2017-11257
Memory Corruption Information Disclosure Important CVE-2017-11258
Memory Corruption Remote Code Execution Critical CVE-2017-11259
Memory Corruption Remote Code Execution Critical CVE-2017-11260
Memory Corruption Remote Code Execution Critical CVE-2017-11261
Memory Corruption Remote Code Execution Critical CVE-2017-11262
Memory Corruption Remote Code Execution Important CVE-2017-11263
Memory Corruption Information Disclosure Important CVE-2017-11265
Memory Corruption Remote Code Execution Critical CVE-2017-11267
Memory Corruption Remote Code Execution Critical CVE-2017-11268
Memory Corruption Remote Code Execution Critical CVE-2017-11269
Memory Corruption Remote Code Execution Critical CVE-2017-11270
Memory Corruption Remote Code Execution Critical CVE-2017-11271

Note:

CVE-2017-3038 was resolved in 2017.009.20044 and 2015.006.30306 (April 2017 release), but the fix was incomplete for version 11.0.20. This vulnerability has now been completely resolved in version 11.0.21 (August 2017 release).

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the
relevant issues and for working with Adobe to help protect our customers:

  • @vftable working with Trend Micro's Zero Day Initiative (CVE-2017-11211, CVE-2017-11251)
  • Aleksandar Nikolic of Cisco Talos (CVE-2017-11263)
  • Alex Infuhr of Cure 53 (CVE-2017-11229)
  • Ashfaq Ansari of Project Srishti (CVE-2017-11221)
  • Ashfaq Ansari of Project Srishti working with the iDefense Vulnerability Contributor Program (CVE-2017-3038)
  • Cybellum Technologies LTD (CVE-2017-3117)
  • Anonymously reported via Trend Micro's Zero Day Initiative (CVE-2017-3113, CVE-2017-3120, CVE-2017-11218, CVE-2017-11224, CVE-2017-11223)
  • Fernando Munoz working with Trend Micro's Zero Day Initiative (CVE-2017-3115)
  • Giwan Go of STEALIEN & HIT working with Trend Micro's Zero Day Initiative (CVE-2017-11228, CVE-2017-11230)
  • Heige (a.k.a. SuperHei) of Knownsec 404 Team (CVE-2017-11222)
  • Jaanus Kp Clarified Security working with Trend Micro's Zero Day Initiative (CVE-2017-11236, CVE-2017-11237, CVE-2017-11252, CVE-2017-11231, CVE-2017-11265)
  • Jaanus Kp Clarified Security working with Trend Micro's Zero Day Initiative and Ashfaq Ansari - Project Srishti working with Trend Micro's Zero Day Initiative (CVE-2017-11231)
  • Jihui Lu of Tencent KeenLab (CVE-2017-3119)
  • kdot working with Trend Micro's Zero Day Initiative (CVE-2017-11234, CVE-2017-11235, CVE-2017-11271)
  • Ke Liu of Tencent's Xuanwu LAB working with Trend Micro's Zero Day Initiative (CVE-2017-3121, CVE-2017-3122, CVE-2017-11212, CVE-2017-11216, CVE-2017-11217, CVE-2017-11238, CVE-2017-11239, CVE-2017-11241, CVE-2017-11242, CVE-2017-11243, CVE-2017-11244, CVE-2017-11245, CVE-2017-11246, CVE-2017-11248, CVE-2017-11249, CVE-2017-11233, CVE-2017-11261, CVE-2017-11260, CVE-2017-11258, CVE-2017-11259, CVE-2017-11267, CVE-2017-11268, CVE-2017-11269, CVE-2017-11270)
  • Ke Liu of Tencent's Xuanwu LAB working with Trend Micro's Zero Day Initiative and Steven Seeley (mr_me) of Offensive Security (CVE-2017-11212, CVE-2017-11214, CVE-2017-11227)
  • Siberas working with Beyond Security's SecuriTeam Secure Disclosure Program (CVE-2017-11254)
  • Richard Warren (CVE-2017-3118)
  • riusksk of Tencent Security Platform Department (CVE-2017-3016)
  • Sebastian Apelt of siberas working with Trend Micro's Zero Day Initiative (CVE-2017-11219, CVE-2017-11256, CVE-2017-11257)
  • Steven Seeley (mr_me) of Offensive Security working with Trend Micro's Zero Day Initiative (CVE-2017-11209, CVE-2017-11210, CVE-2017-11232, CVE-2017-11255, CVE-2017-3123, CVE-2017-3124)
  • Steven Seeley working with Beyond Security’s SecuriTeam Secure Disclosure Program (CVE-2017-11220)
  • Steven Seeley (CVE-2017-11262)
  • Sushan (CVE-2017-11226)
  • Toan Pham (CVE-2017-3116)

Revisions

August 29, 2017: the Solution table has been updated to reflect new updates available as of August 29. These updates resolve a functional regression with XFA forms functionality that affected some users. The August 29 releases also resolve security vulnerability CVE-2017-11223.

CVE-2017-11223 was originally addressed in the August 8 updates (versions 2017.012.20093, 2017.011.30059 and 2015.006.30352), but due to a functional regression in those releases, temporary hotfixes were offered that reverted the fix for CVE-2017-11223. The August 29 releases resolve both the regression and provide a fix for CVE-2017-11223. See this blog post for more details.