SB2017061304 - Multiple vulnerabilities in Adobe Digital Editions

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Memory corruption (CVE-ID: CVE-2017-3088)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in full system compromise.

2) Memory corruption (CVE-ID: CVE-2017-3089)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in full system compromise.

3) Memory corruption (CVE-ID: CVE-2017-3093)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in full system compromise.

4) Memory corruption (CVE-ID: CVE-2017-3096)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in full system compromise.

5) Insecure DLL library loading (CVE-ID: CVE-2017-3090)

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists due to insecure inclusion of dynamic libraries (.dll). A remote attacker can place Adobe Digital Editions media file along with a specially crafted .dll file on a public SMB or WebDav share, trick the victim into opening the legitimate media file with the help of Adobe Digital Editions and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

6) Insecure DLL library loading (CVE-ID: CVE-2017-3092)

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists due to insecure inclusion of dynamic libraries (.dll). A remote attacker can place Adobe Digital Editions media file along with a specially crafted .dll file on a public SMB or WebDav share, trick the victim into opening the legitimate media file with the help of Adobe Digital Editions and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

7) Insecure DLL library loading (CVE-ID: CVE-2017-3097)

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists due to insecure inclusion of dynamic libraries (.dll). A remote attacker can place Adobe Digital Editions media file along with a specially crafted .dll file on a public SMB or WebDav share, trick the victim into opening the legitimate media file with the help of Adobe Digital Editions and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

8) Out-of-bound read (CVE-ID: CVE-2017-3094)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to out-of-bounds read. A remote attacker trigger memory corruption and gain access to memory address.

Successful exploitation of the vulnerability results in information disclosure.

9) Out-of-bound read (CVE-ID: CVE-2017-3095)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to out-of-bounds read. A remote attacker trigger memory corruption and gain access to memory address.

Successful exploitation of the vulnerability results in information disclosure.

Remediation

Install update from vendor's website.

References

• https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html