Security Advisory - November 14, 2017

Zscaler protects against 40 new vulnerabilities for Adobe Flash Player and Acrobat Reader.

 

 

Zscaler, working with Microsoft through their MAPP program, has proactively deployed protections for the following 40 vulnerabilities included in the November 2017 Adobe security bulletins. Zscaler will continue to monitor exploits associated with all vulnerabilities in the November release and deploy additional protections as necessary.

APSB17-33 – Security updates available for Adobe Flash Player

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Severity: Important
Affected Software

  • Adobe Flash Player Desktop Runtime 27.0.0.183 and earlier for Windows, Macintosh and Linux
  • Adobe Flash Player for Google Chrome 27.0.0.183 and earlier for Windows, Macintosh, Linux and Chrome OS
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 27.0.0.183 and earlier for Windows 10 and 8.1

CVE-2017-11213 – Integer Overflow causes Out-of-bounds Read

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer due to an integer overflow; the computation is part of the abstraction that creates arbitrarily sized transparent or opaque bitmap image. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2017-3112 – Out-of-bounds Read

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of AdobePSDK metadata. A malformed Action Script input manipulation of the metadata that is associated with TVSDK objects leads to flawed computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure

CVE-2017-11215 – Use After Free

This vulnerability is an instance of a use after free vulnerability in Primetime SDK. The mismatch between the old and the new object can provide attacker with an unintended memory access -- potentially leading to code corruption, control-flow hijack, or information leak attack. Successful exploitation could lead to arbitrary code execution.

CVE-2017-11225 – Use After Free

This vulnerability is an instance of a use after free vulnerability in the Primetime SDK metadata functionality. The mismatch between the old and the new object can provide attacker with an unintended memory access -- potentially leading to code corruption, control-flow hijack, or information leak attack. Successful exploitation could lead to arbitrary code execution

CVE-2017-3114 – Out-of-bounds Read 

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of provide language- and region- or country- specific functionality. A malformed input that manipulated methods for parsing and using locale ID names leads to flawed computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure

APSB17-36 – Security Updates Available for Adobe Acrobat and Reader

CVE-2017-16362 – Out of bounds read 

This vulnerability is an instance of a out of bounds read vulnerability in the MakeAccesible plugin, when handling font data. The vulnerability is triggered by a crafted PDF file that contains atypical font definition that was not anticipated by the font processing routine. It causes an out of bounds memory access, which sometimes triggers access violation exception. Attackers can exploit the vulnerability by using the out of bounds access for unintended reads, writes or frees potentially leading to code corruption, control-flow hijack, or information leak attack.

CVE-2017-16391 – Improper Validation of Array Index 

The vulnerability is a result of an untrusted input that is used to calculate an array index, the calculation occurs in the printing functionality. The flaw is due to incorrect index validation which fails to assure that the index references a valid position within the array boundaries. The vulnerability leads to an operation that can write to a memory location that is outside of the memory addresses allocated for the data structure. The specific scenario leads to a write access to a memory location that does not belong to the relevant process address space.

CVE-2017-16373 – Untrusted Pointer Dereference 

This issue is due to untrusted pointer dereference in module. The flawed computation obtains a value from an untrusted source, and in the subsequent computations transforms the untrusted source value into a pointer. The vulnerability is triggered when the pointer is dereferenced. In this scenario, the input is crafted in way that the computation results with pointer to memory locations that do not belong to the relevant process address space. The dereferencing operation is a read operation, and an attack can result with sensitive data exposure.

CVE-2017-16397 – Out of bounds read 

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is a part of Enhanced Metafile Format (EMF) processing within the image conversion module. A malformed EMF input (related to block transfer with alpha transparency) leads to flawed computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure

CVE-2017-16401 – Out of bounds read 

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of an image conversion, specifically Enhanced Metafile Format Plus (EMF +) processing modules. A malformed EMF+ file input leads to flawed computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2017-16360 – Use after free vulnerability

This vulnerability is an instance of a use after free vulnerability in the MakeAccessible plugin, when creating internal data structure. The vulnerability is triggered by a crafted PDF with an unanticipated (invalid) document structure. It causes an access violation exception in the internal representation because of a dangling reference left as a consequence of freeing an object that represents document object model. A constraint for exploitation of this vulnerability is that the memory area of the freed (i.e., old) object is reused by another object. The mismatch between the old and the new object can provide attacker with an unintended memory access -- potentially leading to code corruption, control-flow hijack, or information leak attack. Successful exploitation could lead to arbitrary code execution

CVE-2017-16404 – Out-of-bounds Read 

The vulnerability is caused by the computation that writes data past the end of the intended buffer; the computation is part of processing Enhanced Metafile Format Plus (EMF+). A crafted EMF+ input triggers the flawed computation where pointer arithmetic is not appropriately checked against boundary conditions, which leads to memory write operation through the pointer that points to an invalid memory location. The vulnerability is a result of out of range pointer offset that is used to access sub-elements of an internal data structure. An attacker can potentially leverage the vulnerability to corrupt sensitive data or execute arbitrary code.

CVE-2017-16413 – Out-of-bounds Write 

The TIFF engine incorrectly handles the record that specifies tiles configuration in conjunction with the image tile. Specifically, the vulnerability is triggered when the decoding tile data (related to ColorMap) and size of buffer holding the tile data is smaller than expected by the computation, because the size was allocated based on the data provided in the file and not the size that is required by the computation.

CVE-2017-16395 – Buffer Access with Incorrect Length Value

The vulnerability is caused by a buffer access with incorrect length value in the image conversion module when processing Enhanced Metafile Format (EMF). The flawed computation involves operation to write into a buffer, however, it relies on an incorrect length value that allows for access to memory outside of the bounds of the buffer. Crafted EMF input (EMR_STRETCHDIBITS) causes the mismatch between allocated buffer size and the access allowed by the computation. If an attacker can adequately control the accessible memory then this vulnerability can be leveraged to achieve arbitrary code execution.

CVE-2017-16386 – Buffer Over-read 

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of XPS2PDF conversion engine. A malformed JPEG input (embedded within an XPS) leads to flawed computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2017-16368 – Buffer Overflow / Underflow .  

This vulnerability leads to stack-based buffer overflow condition in the internal Unicode string manipulation module. This condition results with the stack allocated buffer being overwritten as a result of a flawed buffer boundary checks. It is triggered by an invalid PDF file, where a crafted Unicode string causes an out of bounds memory access of a stack allocated buffer, due to improper checks when manipulating and offset of a pointer to the buffer. Attackers can exploit the vulnerability and achieve an arbitrary code execution if they can effectively control the accessible memory.

CVE-2017-16393 – Use after free vulnerability

This vulnerability is an instance of a use after free vulnerability in the JavaScript engine. The vulnerability is triggered by a crafted JavaScript embedded in a PDF file that invokes a sequence of event methods related to keyword focus. It triggers access violation exception because of a dangling reference left as a consequence of freeing an object. A constraint for exploitation of this vulnerability is that the memory area of the freed (i.e., old) object is reused by another object. The mismatch between the old and the new object can provide attacker with an unintended memory access -- potentially leading to code corruption, control-flow hijack, or information leak attack. Successful exploitation could lead to arbitrary code execution.

CVE-2017-16370 –  Buffer Over-read

This vulnerability occurs because of computation that reads data that is past the end of the target buffer; the computation is a part of JavaScript engine. A specifically crafted call to a JavaScript function leads to flawed computation that involves data structure manipulation which does not adequately account for the data structure boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure

CVE-2017-16375 –  Untrusted Pointer Dereference

This issue is due to untrusted pointer dereference in the Javascript API engine. The flawed computation obtains a value from an untrusted source, and in the subsequent computations transforms the untrusted source value into a pointer. The vulnerability is triggered when the pointer is dereferenced. In this scenario, the JavaScript input is crafted in way that the computation results with pointer to memory locations that do not belong to the relevant process address space. The dereferencing operation is a read operation, and an attack can result with sensitive data exposure

CVE-2017-16406 – Type Confusion 

This vulnerability is an instance of a type confusion vulnerability in the EMF processing module. Specifically, the vulnerability is triggered by a crafted EMF file in the record that specifies a block transfer of pixels from a source bitmap to a destination rectangle with additional parameters (EMR_STRETCHDIBITS). The issue causes the program to access an object using an incompatible type, leading to an out of bounds memory access. Attackers can exploit the vulnerability by using the out of bounds access for unintended reads, writes or frees -- potentially leading to code corruption, control-flow hijack, or information leak attack.

CVE-2017-16419 – Stack Exploitation 

The issue is a stack exhaustion problem within the JavaScript API, where the computation does not correctly control the amount of recursion that can happen with respect to the system resources. The result is an excessive resource consumption (e.g., allocated memory). 

CVE-2017-16390 – Use after free vulnerability

This vulnerability is an instance of a use after free vulnerability in JavaScript engine API. The vulnerability is triggered by a PDF file with embedded JavaScript code that manipulates field properties because of a dangling reference left as a consequence of freeing an object. A constraint for exploitation of this vulnerability is that the memory area of the freed (i.e., old) object is reused by another object. The mismatch between the old and the new object can provide attacker with an unintended memory access -- potentially leading to code corruption, control-flow hijack, or information leak attack. Successful exploitation could lead to arbitrary code execution.

CVE-2017-16398 – Use after free vulnerability 

This vulnerability is an instance of a use after free vulnerability in the JavaScript engine. The vulnerability is triggered by a crafted JavaScript embedded within PDF file. It triggers access violation exception because of a dangling reference left as a consequence of freeing an object as consequence of mutually recursive JavaScript API notification events. A constraint for exploitation of this vulnerability is that the memory area of the freed (i.e., old) object is reused by another object. The mismatch between the old and the new object can provide attacker with an unintended memory access -- potentially leading to code corruption, control-flow hijack, or information leak attack. Successful exploitation could lead to arbitrary code execution.

CVE-2017-16420 – Out-of-Bounds access vulnerability 

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of JavaScript engine that handles annotation abstraction. A crafted JavaScript input leads to flawed computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2017-16389 – Use after free vulnerability 

This vulnerability is an instance of a use after free vulnerability in the JavaScript engine. The vulnerability is triggered by a crafted JavaScript within the PDF file that defines a sequence of statements leading to internal events where a dangling reference left as a consequence of freeing an object representing abstract canvas. A constraint for exploitation of this vulnerability is that the memory area of the freed (i.e., old) object is reused by another object. The mismatch between the old and the new object can provide attacker with an unintended memory access. Successful exploitation could lead to arbitrary code execution.

CVE-2017-16408 – out-of-range pointer access

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is a part of the WebCapture module. A malformed string in the HTML input leads to flawed computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2017-16363 – Buffer Over-read 

The vulnerability is caused by buffer over-read in the module that handles character codes for the certain textual representations. Specifically, the computation reads from a buffer using a pointer that references memory locations that are after the target buffer. An invalid input leads to the computation where the pointer arithmetic results with a location outside valid memory locations belonging to the buffer. An attack can be used to obtain sensitive information, such as object heap addresses, etc.

CVE-2017-16369 – Security Bypass vulnerability

This vulnerability is an instance of a Same Origin Policy security bypass vulnerability. Specifically, the vulnerability exists in a way Acrobat enforces Same Origin Policy when processing HTML files. Due to this vulnerability, it is possible to bypass the same origin policy to disclose sensitive information (e.g. files on the local system, etc.).

CVE-2017-16369 –  Security Bypass Vulnerability.

This vulnerability is an instance of a Same Origin Policy security bypass vulnerability. Specifically, the vulnerability exists in a way Acrobat enforces Same Origin Policy when processing HTML files. Due to this vulnerability, it is possible to bypass the same origin policy to disclose sensitive information (e.g. files on the local system, etc.).

CVE-2017-16371 – Untrusted Pointer Dereference 

This issue is due to untrusted pointer dereference in JavaScript engine. The flawed computation obtains a value from an untrusted source, and in the subsequent computations transforms the untrusted source value into a pointer. The vulnerability is triggered when the pointer is dereferenced. In this scenario, the input is crafted in way that the computation results with pointer to memory locations that do not belong to the relevant process address space. The dereferencing operation is a read operation, and an attack can result with sensitive data exposure.

CVE-2017-16372 – Untrusted Pointer Dereference 

This issue is due to untrusted pointer dereference in the JavaScript API engine. The flawed computation obtains a value from an untrusted source, and in the subsequent computations transforms the untrusted source value into a pointer. The vulnerability is triggered when the pointer is dereferenced. In this scenario, the JavaScript input is crafted in way that the computation results with pointer to memory locations that do not belong to the relevant process address space. The dereferencing operation is a read operation, and an attack can result with sensitive data exposure.

CVE-2017-16414 – out-of-range pointer access 

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is a part of JavaScript API module responsible for form field computation. A malformed JavaScript input leads to flawed computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2017-16388 – use after free vulnerability  

This vulnerability is an instance of a use after free vulnerability in the JavaScript API engine. Specifically, the vulnerability is triggered by a PDF file with crafted JavaScript which can trigger access violation exception because of a dangling reference left as a consequence of freeing an object during recursive evaluation. A constraint for exploitation of this vulnerability is that the memory area of the freed (i.e., old) object is reused by another object. The mismatch between the old and the new object can provide attacker with an unintended memory access -- potentially leading to code corruption, control-flow hijack, or information leak attack. Successful exploitation could lead to arbitrary code execution.

CVE-2017-16367 – Type Confusion 

This vulnerability is an instance of a type confusion overflow vulnerability. Specifically, the vulnerability is triggered by a crafted PDF file which causes the program to access an object using an incompatible type when handling malformed content stream. The vulnerability leads to an out of bounds memory access. Attackers can exploit the vulnerability by using the out of bounds access for unintended reads or writes -- potentially leading to code corruption, control-flow hijack, or information leak attack.

CVE-2017-16385 – Buffer Access with Incorrect Length Value  

The vulnerability is caused by a buffer access with incorrect length value in TIFF parsing during XPS conversion. The flawed computation involves operation to write into a buffer, however it relies on an incorrect length value that allows for access to memory outside of the bounds of the buffer. Crafted TIFF image input causes the mismatch between allocated buffer size and the access allowed by the computation. If an attacker can adequately control the accessible memory then this vulnerability can be leveraged to achieve arbitrary code execution. 

CVE-2017-16394 – Out-of-bounds Read  

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is a part of WebCapture module. A malformed input leads to flawed computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2017-16403 – Out-of-bounds Read 

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the image conversion module that processes Enhanced Metafile Format Plus (EMF+) data. A malformed EMF+ input leads to flawed computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2017-16412 – Out-of-bounds Read

This vulnerability occurs because of computation that reads data that is past the end of the target buffer; the computation is part of XPS conversion module, when handling a JPEG resource. A malformed JPEG input leads to flawed computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2017-16402 – Out-of-bounds Read

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is a part of the JPEG 2000 module. A malformed JPEG 200 input code stream leads to flawed quantization computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.