SB2017021402 - Multiple vulnerabilities in Adobe Digital Editions
Published: February 14, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Memory leak (CVE-ID: CVE-2017-2981)
The vulnerability allows a remote attacker to cause denial of service or obtain potentially sensitive information.
The vulnerability exists due to a boundary error in Adobe Digital Editions when processing malformed PDF files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it and trigger memory leak.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
2) Memory leak (CVE-ID: CVE-2017-2980)
The vulnerability allows a remote attacker to cause denial of service.
The vulnerability exists due to a boundary error in Adobe Digital Editions when processing malformed files. A remote attacker can create a specially crafted file, trick the victim into opening it and trigger memory leak.
Successful exploitation of the vulnerability may allow an attacker to perform a denial of service (DoS) attack.
3) Memory leak (CVE-ID: CVE-2017-2979)
The vulnerability allows a remote attacker to cause denial of service or obtain potentially sensitive information.
The vulnerability exists due to a boundary error in Adobe Digital Editions when processing malformed FlateDecode streams. A remote attacker can create a specially crafted file, trick the victim into opening it and trigger memory leak.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
4) Memory leak (CVE-ID: CVE-2017-2977)
The vulnerability allows a remote attacker to cause denial of service or obtain potentially sensitive information.
The vulnerability exists due to a boundary error in Adobe Digital Editions when processing malformed FlateDecode streams. A remote attacker can create a specially crafted file, trick the victim into opening it and trigger memory leak.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
5) Memory leak (CVE-ID: CVE-2017-2978)
The vulnerability allows a remote attacker to cause denial of service or obtain potentially sensitive information.
The vulnerability exists due to a boundary error in Adobe Digital Editions when processing fonts inside PDF files. A remote attacker can create a specially crafted file, trick the victim into opening it and trigger memory leak.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
6) Memory leak (CVE-ID: CVE-2017-2976)
The vulnerability allows a remote attacker to cause denial of service or obtain potentially sensitive information.
The vulnerability exists due to a boundary error in Adobe Digital Editions when processing fonts inside PDF files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it and trigger memory leak.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
7) Memory leak (CVE-ID: CVE-2017-2975)
The vulnerability allows a remote attacker to cause denial of service or obtain potentially sensitive information.
The vulnerability exists due to a boundary error in Adobe Digital Editions when processing fonts inside PDF files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it and trigger memory leak.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
8) Memory leak (CVE-ID: CVE-2017-2974)
The vulnerability allows a remote attacker to cause denial of service or obtain potentially sensitive information.
The vulnerability exists due to a boundary error in Adobe Digital Editions when processing fonts inside PDF files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it and trigger memory leak.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
9) Heap-based buffer overflow (CVE-ID: CVE-2017-2973)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Adobe Digital Editions when processing malformed files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Remediation
Install update from vendor's website.
References
- https://helpx.adobe.com/security/products/Digital-Editions/apsb17-05.html
- http://www.zerodayinitiative.com/advisories/ZDI-17-105/
- http://www.zerodayinitiative.com/advisories/ZDI-17-103/
- http://www.zerodayinitiative.com/advisories/ZDI-17-102/
- http://www.zerodayinitiative.com/advisories/ZDI-17-104/
- http://www.zerodayinitiative.com/advisories/ZDI-17-108/
- http://www.zerodayinitiative.com/advisories/ZDI-17-107/
- http://www.zerodayinitiative.com/advisories/ZDI-17-106/