Adobe Security Bulletin
Security Updates Available for Adobe Acrobat and Reader | APSB17-36
Bulletin ID Date Published Priority
APSB17-36 November 14, 2017 2

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Affected Versions

Product Affected Versions Platform
Acrobat DC (Continuous Track) 2017.012.20098 and earlier versions
Windows and Macintosh
Acrobat Reader DC (Continuous Track) 2017.012.20098 and earlier versions
Windows and Macintosh
     
Acrobat 2017 2017.011.30066 and earlier versions Windows and Macintosh
Acrobat Reader 2017 2017.011.30066 and earlier versions Windows and Macintosh
     
Acrobat DC (Classic Track) 2015.006.30355 and earlier versions
Windows and Macintosh
Acrobat Reader DC (Classic Track) 2015.006.30355 and earlier versions
Windows and Macintosh
     
Acrobat XI 11.0.22 and earlier versions Windows and Macintosh
Reader XI 11.0.22 and earlier versions Windows and Macintosh

For more information on Acrobat DC, please visit the Acrobat DC FAQ page.

For more information on Acrobat Reader DC, please visit the Acrobat Reader DC FAQ page.

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.
The latest product versions are available to end users via one of the following methods:

  • Users can update their product installations manually by choosing Help > Check for Updates.
  • The products will update automatically, without requiring user intervention, when updates are
    detected.
  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

For IT administrators (managed environments):

  • Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.
  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM
    (Windows), or on Macintosh, Apple Remote Desktop and SSH.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product Updated Versions Platform Priority Rating Availability
Acrobat DC (Continuous Track) 2018.009.20044
Windows and Macintosh 2 Windows
Macintosh
Acrobat Reader DC (Continuous Track) 2018.009.20044
Windows and Macintosh 2 Download Center
         
Acrobat 2017 2017.011.30068 Windows and Macintosh 2 Windows
Macintosh
Acrobat Reader 2017 2017.011.30068 Windows and Macintosh 2 Windows
Macintosh
         
Acrobat DC (Classic Track) 2015.006.30392
Windows and Macintosh
2 Windows
Macintosh
Acrobat Reader DC (Classic Track) 2015.006.30392 
Windows and Macintosh 2 Windows
Macintosh
         
Acrobat XI 11.0.23 Windows and Macintosh 2 Windows
Macintosh
Reader XI 11.0.23 Windows and Macintosh 2 Windows
Macintosh

Note:

As noted in this previous announcement, support for Adobe Acrobat 11.x and Adobe Reader 11.x ended on October 15, 2017.  Version 11.0.23 is the final release for Adobe Acrobat 11.x and Adobe Reader 11.x.  Adobe strongly recommends that you update to the latest versions of Adobe Acrobat DC and Adobe Acrobat Reader DC. By updating installations to the latest versions, you benefit from the latest functional enhancements and improved security measures.

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity CVE Number
Access of Uninitialized Pointer Remote Code Execution
Critical CVE-2017-16377
CVE-2017-16378
Use after free Remote Code Execution
Critical CVE-2017-16360
CVE-2017-16388
CVE-2017-16389
CVE-2017-16390
CVE-2017-16393
CVE-2017-16398
Buffer Access with Incorrect Length Value Remote Code Execution Critical CVE-2017-16381
CVE-2017-16385
CVE-2017-16392
CVE-2017-16395
CVE-2017-16396
Buffer over-read Remote Code Execution Critical CVE-2017-16363
CVE-2017-16365
CVE-2017-16374
CVE-2017-16384
CVE-2017-16386
CVE-2017-16387
Buffer Overflow/Underflow Remote Code Execution Critical CVE-2017-16368
Heap Overflow Remote Code Execution Critical

CVE-2017-16383
CVE-2017-11308

Improper validation of array index Remote Code Execution Critical

CVE-2017-16391
CVE-2017-16410

Out-of-bounds read Remote Code Execution Critical

CVE-2017-16362
CVE-2017-16370
CVE-2017-16376
CVE-2017-16382
CVE-2017-16394
CVE-2017-16397
CVE-2017-16399
CVE-2017-16400
CVE-2017-16401
CVE-2017-16402
CVE-2017-16403
CVE-2017-16404
CVE-2017-16405
CVE-2017-16408
CVE-2017-16409
CVE-2017-16412
CVE-2017-16414
CVE-2017-16417
CVE-2017-16418
CVE-2017-16420
CVE-2017-11293
CVE-2017-11240
CVE-2017-11250
CVE-2017-11307

Out-of-bounds write Remote Code Execution Critical CVE-2017-16407
CVE-2017-16413
CVE-2017-16415
CVE-2017-16416
Security bypass Drive-by-download Important
CVE-2017-16361
CVE-2017-16366
Security bypass Information Disclosure Important CVE-2017-16369
Security bypass Remote Code Execution
Critical
CVE-2017-16380
Stack exhaustion Excessive resource consumption Important CVE-2017-16419
Type confusion Remote Code Execution Critical CVE-2017-16367
CVE-2017-16379
CVE-2017-16406
Untrusted pointer dereference Remote Code Execution Critical CVE-2017-16364
CVE-2017-16371
CVE-2017-16372
CVE-2017-16373
CVE-2017-16375
CVE-2017-16411

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the
relevant issues and for working with Adobe to help protect our customers:

  • Toan Pham Van (@__suto) (CVE-2017-16362, CVE-2017-16363, CVE-2017-16364, CVE-2017-16365)
  • Ke Liu of Tencent's Xuanwu LAB working with Trend Micro's Zero Day Initiative (CVE-2017-11307, CVE-2017-11308, CVE-2017-11240, CVE-2017-11250, CVE-2017-16381, CVE-2017-16382, CVE-2017-16383, CVE-2017-16384, CVE-2017-16385, CVE-2017-16386, CVE-2017-16387, CVE-2017-16397, CVE-2017-16400, CVE-2017-16401, CVE-2017-16402, CVE-2017-16403, CVE-2017-16404)
  • Ke Liu of Tencent’s Xuanwu LAB (CVE-2017-16370, CVE-2017-16371, CVE-2017-16372, CVE-2017-16373, CVE-2017-16374, CVE-2017-16375)
  • Steven Seeley (mr_me) of Offensive Security working with Trend Micro's Zero Day Initiative (CVE-2017-16369)
  • Kamlapati Choubey, TELUS Security Labs (CVE-2017-16415)
  • Aleksandar Nikolic of Cisco Talos http://talosintelligence.com/vulnerability-reports/ (CVE-2017-16367)
  • Jun Kokatsu (@shhnjk) (CVE-2017-16366, CVE-2017-16361)
  • riusksk (泉哥) of Tencent Security Platform Department (CVE-2017-11293, CVE-2017-16408, CVE-2017-16409, CVE-2017-16410, CVE-2017-16411, CVE-2017-16399, CVE-2017-16395, CVE-2017-16394)
  • Marcin Towalski (CVE-2017-16391)
  • Lin Wang of Beihang University (CVE-2017-16416, CVE-2017-16417, CVE-2017-16418, CVE-2017-16405)
  • willJ of Tencent PC Manager (CVE-2017-16406, CVE-2017-16407, CVE-2017-16419, CVE-2017-16412, CVE-2017-16413, CVE-2017-16396, CVE-2017-16397, CVE-2017-16392)
  • Cybellum Technologies LTD cybellum.com (CVE-2017-16376, CVE-2017-16377, CVE-2017-16378, CVE-2017-16379)
  • Richard Warren of NCC Group Plc (CVE-2017-16380)
  • Gal De Leon of Palo Alto Networks (CVE-2017-16388, CVE-2017-16389, CVE-2017-16390, CVE-2017-16393, CVE-2017-16398, CVE-2017-16414, CVE-2017-16420)
  • Toan Pham @__suto (CVE-2017-16360)
  • Ashfaq Ansari - Project Srishti working with iDefense Labs (CVE-2017-16368)

Revisions

January 2, 2018: Added references to CVE-2017-11307, CVE-2017-11308, CVE-2017-11240 and CVE-2017-11250, which were inadvertently omitted from the bulletin.