Arbitrary code execution in Adobe Reader and Adobe Acrobat - CVE-2016-6960
Published: October 12, 2016 / Updated: October 14, 2016
Vulnerability identifier: #VU895
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-6960
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Adobe
Affected software:
Adobe Reader
Adobe Acrobat
Adobe Reader
Adobe Acrobat
Detailed vulnerability description
The vulnerability allows a remote unauthenticated user to execute arbitrary code on the target system.
The weakness is due to insufficient input validation. By tricking the victim to download a specially crafted .pdf file that may cause a read past the end of an allocated object, attackers can bypass security restrictions and to execute arbitrary code.
Successful exploitatin of the vulnerability leads to arbitrary code execution on the vulnerable system.
The weakness is due to insufficient input validation. By tricking the victim to download a specially crafted .pdf file that may cause a read past the end of an allocated object, attackers can bypass security restrictions and to execute arbitrary code.
Successful exploitatin of the vulnerability leads to arbitrary code execution on the vulnerable system.
How to mitigate CVE-2016-6960
Update Adobe Acrobat DC to version 15.020.20039.
Update Adobe Acrobat Reader DC to version 15.006.30243.
Update Adobe Reader IX and Adobe Acrobat IX to version 11.0.18.
Update Adobe Acrobat Reader DC to version 15.006.30243.
Update Adobe Reader IX and Adobe Acrobat IX to version 11.0.18.