Zscaler Security Advisories

Security Advisory - May 21, 2015

Zscaler Protects against Multiple Security Vulnerabilities in Adobe Reader, Acrobat, Flash, and Air

Zscaler, working with Microsoft through their MAPPs program, has deployed protections for the following 49 vulnerabilities included in the May 2015 Adobe security bulletins. Zscaler will continue to monitor exploits associated with all vulnerabilities in the May release and deploy additional protections as necessary.

APSB15-09 - Security updates available for Adobe Flash Player

Severity: Critical
Affected Software

  • Adobe Flash Player 17.0.0.169 and earlier versions
  • Adobe Flash Player 13.0.0.281 and earlier 13.x versions
  • Adobe Flash Player 11.2.202.457 and earlier 11.x versions
  • AIR Desktop Runtime 17.0.0.144 and earlier versions
  • AIR SDK and SDK & Compiler 17.0.0.144 and earlier versions

CVE-2015-3077 - Type Confusion in Button.filters
CVE-2015-3078 - Memory corruption with large mp4 atom sizes
CVE-2015-3079 - Cross domain policy bypass in Flash Player via encoded URL
CVE-2015-3080 - Flash AS2 Use After Free in DisplacementMapFilter.mapBitmap
CVE-2015-3081 - Broker-based sandbox escape via timing attack against file moving
CVE-2015-3082 - Broker-based sandbox escape via forward slash instead of backslash
CVE-2015-3083 - Broker-based sandbox escape via unexpected directory lock
CVE-2015-3084 - Adobe Flash: NetStream Missing Constructor Normal Check
CVE-2015-3085 - Path Traversal Issue (Junction) vulnerability
CVE-2015-3086 - Normal Check Should Verify that UserData and Destructor are null
CVE-2015-3087 - Flash Player Integer Overflow in Function.apply
CVE-2015-3088 - Heap Overflow in AVSS.setSubscribedTags can cause memory corruption
CVE-2015-3089 - Uninitialized stack variable while parsing an MPD file can corrupt memory
CVE-2015-3090 - Memory corruption with ShaderJob width and height TOCTOU condition
CVE-2015-3091 - Uninitialized memory information leak when shading into a ByteArray
CVE-2015-3092 - Info leak due to uninitialized registers when executing Shaders

Description: Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.

APSB15-10 - Security updates available for Adobe Reader and Acrobat

Severity: Critical
Affected Software

  • Adobe Reader XI (11.0.10) and earlier 11.x versions
  • Adobe Reader X (10.1.13) and earlier 10.x versions
  • Adobe Acrobat XI (11.0.10) and earlier 11.x versions
  • Adobe Acrobat X (10.1.13) and earlier 10.x versions

CVE-2015-3046 – Adobe Reader / Acrobat Memory Corruption Issues in PRCR.X3D
CVE-2015-3047 – Adobe Reader / Acrobat PRCR.X3D Invalid Indexing DoS
CVE-2015-3048 – BrokerRegSetStringValue buffer overrun in AcroBroker COM service
CVE-2015-3049 – Memory corruption possible via "transient array" with Type1 and OTF fonts
CVE-2015-3050 – Heap-based memory corruption
CVE-2015-3051 – Heap-based memory corruption
CVE-2015-3052 – Memory corruption possible in CoolType `blend` operator
CVE-2015-3053 – Close page action Use-After-Free Vulnerability
CVE-2015-3054 – WillSave document action Use-After-Free Vulnerability
CVE-2015-3055 – Fields Use-After-Free Vulnerability
CVE-2015-3056 – Line Annotations Out-Of-Bounds Read Vulnerability
CVE-2015-3057 – Uninitialized Pointer Vulnerability
CVE-2015-3058 – Spell customDictionaryExport Information Disclosure Vulnerability
CVE-2015-3059 – Text Annotations Use-After-Free Vulnerability
CVE-2015-3060 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3061 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3062 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3063 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3064 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3065 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3066 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3067 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3068 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3069 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3070 – Memory corruption when parsing malformed U3D file
CVE-2015-3071 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3072 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3073 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3074 – Restrictions Bypass Privileged Javascript API Execution Vulnerability
CVE-2015-3075 – Vulnerability in Javascript handling
CVE-2015-3076 – Crash due to double free

Description: Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address vulnerabilities that could potentially allow an attacker to take over the affected system.