Arbitrary code execution in Adobe Acrobat and Adobe Reader - CVE-2016-6957
Published: October 12, 2016 / Updated: October 13, 2016
Vulnerability identifier: #VU843
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-6957
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Adobe
Affected software:
Adobe Acrobat
Adobe Reader
Adobe Acrobat
Adobe Reader
Detailed vulnerability description
The vulnerability allows a remote unauthenticated user to cause arbitrary code execution on the target system.
The weakness is due to access control error. By tricking the victim to download a specially crafted file attackers can bypass security restrictions on Javascript API execution and trigger an arbitrary code to be executed.
Successful exploitatin of the vulnerability leads to arbitrary code execution on the vulnerable system.
The weakness is due to access control error. By tricking the victim to download a specially crafted file attackers can bypass security restrictions on Javascript API execution and trigger an arbitrary code to be executed.
Successful exploitatin of the vulnerability leads to arbitrary code execution on the vulnerable system.
How to mitigate CVE-2016-6957
Update Adobe Acrobat DC to version 15.020.20039.
Update Adobe Acrobat Reader DC to version 15.006.30243.
Update Adobe Reader IX and Adobe Acrobat IX to version 11.0.18
Update Adobe Acrobat Reader DC to version 15.006.30243.
Update Adobe Reader IX and Adobe Acrobat IX to version 11.0.18