ID

VAR-201603-0203


CVE

CVE-2016-1008


TITLE

Vulnerability in Adobe Reader and Acrobat running on Windows and Mac OS X that allows privileges to be gained

Trust: 0.8

sources: JVNDB: JVNDB-2016-001699

DESCRIPTION

Untrusted search path vulnerability in Adobe Reader and Acrobat before 11.0.15, Acrobat and Acrobat Reader DC Classic before 15.006.30121, and Acrobat and Acrobat Reader DC Continuous before 15.010.20060 on Windows and OS X allows local users to gain privileges via a Trojan horse DLL in an unspecified directory. Privileges may be gained through the DLL. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must open a malicious file. The specific flaw exists within the handling of DLL search paths. In specific situations an attacker can force Acrobat Pro DC to load an arbitrary DLL from specific locations. An attacker can leverage this vulnerability to execute code under the context of the current process. Adobe Acrobat DC and the other affected products are all products of Adobe in the United States. Acrobat DC is a desktop PDF solution; Acrobat Reader DC is a set of tools for viewing, printing and annotating PDF. A security vulnerability exists in several Adobe products due to the program not properly initializing gesture properties.

Trust: 2.43

sources: NVD: CVE-2016-1008 // JVNDB: JVNDB-2016-001699 // ZDI: ZDI-16-190 // VULHUB: VHN-88820 // VULMON: CVE-2016-1008

AFFECTED PRODUCTS

vendor: adobe, model: acrobat reader dc, scope: eq, version: 15.006.30119

Trust: 1.6

vendor: adobe, model: acrobat, scope: lte, version: 11.0.14

Trust: 1.0

vendor: adobe, model: acrobat reader, scope: lte, version: 11.0.14

Trust: 1.0

vendor: adobe, model: acrobat dc, scope: lte, version: 15.010.20059

Trust: 1.0

vendor: adobe, model: acrobat dc, scope: lte, version: 15.006.30119

Trust: 1.0

vendor: adobe, model: acrobat reader dc, scope: lte, version: 15.010.20059

Trust: 1.0

vendor: adobe, model: acrobat, scope: lt, version: xi desktop 11.0.15 (windows/macintosh)

Trust: 0.8

vendor: adobe, model: acrobat dc, scope: lt, version: classic 15.006.30121 (windows/macintosh)

Trust: 0.8

vendor: adobe, model: acrobat dc, scope: lt, version: continuous track 15.010.20060 (windows/macintosh)

Trust: 0.8

vendor: adobe, model: acrobat reader dc, scope: lt, version: classic 15.006.30121 (windows/macintosh)

Trust: 0.8

vendor: adobe, model: acrobat reader dc, scope: lt, version: continuous track 15.010.20060 (windows/macintosh)

Trust: 0.8

vendor: adobe, model: reader, scope: lt, version: xi desktop 11.0.15 (windows/macintosh)

Trust: 0.8

vendor: adobe, model: acrobat pro dc, scope: -, version: -

Trust: 0.7

vendor: adobe, model: acrobat, scope: eq, version: 11.0.14

Trust: 0.6

vendor: adobe, model: acrobat reader dc, scope: eq, version: 15.010.20059

Trust: 0.6

vendor: adobe, model: acrobat dc, scope: eq, version: 15.010.20059

Trust: 0.6

vendor: adobe, model: acrobat dc, scope: eq, version: 15.006.30119

Trust: 0.6

vendor: adobe, model: acrobat reader, scope: eq, version: 11.0.14

sources: ZDI: ZDI-16-190 // JVNDB: JVNDB-2016-001699 // CNNVD: CNNVD-201603-078 // NVD: CVE-2016-1008

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-1008
value: HIGH

Trust: 1.0

NVD: CVE-2016-1008
value: HIGH

Trust: 0.8

ZDI: CVE-2016-1008
value: HIGH

Trust: 0.7

CNNVD: CNNVD-201603-078
value: HIGH

Trust: 0.6

VULHUB: VHN-88820
value: HIGH

Trust: 0.1

VULMON: CVE-2016-1008
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-1008
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

ZDI: CVE-2016-1008
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

VULHUB: VHN-88820
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-1008
baseSeverity: HIGH
baseScore: 8.4
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.5
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: ZDI: ZDI-16-190 // VULHUB: VHN-88820 // VULMON: CVE-2016-1008 // JVNDB: JVNDB-2016-001699 // CNNVD: CNNVD-201603-078 // NVD: CVE-2016-1008

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.9

sources: VULHUB: VHN-88820 // JVNDB: JVNDB-2016-001699 // NVD: CVE-2016-1008

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201603-078

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201603-078

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001699

PATCH

title: APSB16-09, url: https://helpx.adobe.com/security/products/acrobat/apsb16-09.html

Trust: 1.5

title: APSB16-09, url: https://helpx.adobe.com/jp/security/products/acrobat/apsb16-09.html

Trust: 0.8

title: Multiple Adobe Fixes for product arbitrary code execution vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60438

Trust: 0.6

title: -, url: https://threatpost.com/adobe-patches-reader-and-acrobat-teases-upcoming-flash-update/116662/

Trust: 0.1

sources: ZDI: ZDI-16-190 // VULMON: CVE-2016-1008 // JVNDB: JVNDB-2016-001699 // CNNVD: CNNVD-201603-078

EXTERNAL IDS

db: NVD, id: CVE-2016-1008

Trust: 3.3

db: ZDI, id: ZDI-16-190

Trust: 1.8

db: BID, id: 84216

Trust: 1.1

db: SECTRACK, id: 1035199

Trust: 1.1

db: JVNDB, id: JVNDB-2016-001699

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-3111

Trust: 0.7

db: CNNVD, id: CNNVD-201603-078

Trust: 0.7

db: VULHUB, id: VHN-88820

Trust: 0.1

db: VULMON, id: CVE-2016-1008

Trust: 0.1

sources: ZDI: ZDI-16-190 // VULHUB: VHN-88820 // VULMON: CVE-2016-1008 // JVNDB: JVNDB-2016-001699 // CNNVD: CNNVD-201603-078 // NVD: CVE-2016-1008

REFERENCES

url: https://helpx.adobe.com/security/products/acrobat/apsb16-09.html

Trust: 2.4

url: http://www.securityfocus.com/bid/84216

Trust: 1.1

url: http://www.zerodayinitiative.com/advisories/zdi-16-190

Trust: 1.1

url: http://www.securitytracker.com/id/1035199

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1008

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1008

Trust: 0.8

sources: ZDI: ZDI-16-190 // VULHUB: VHN-88820 // JVNDB: JVNDB-2016-001699 // CNNVD: CNNVD-201603-078 // NVD: CVE-2016-1008

CREDITS

AbdulAziz Hariri and Jasiel Spelman of HP Zero Day Initiative

Trust: 1.3

sources: ZDI: ZDI-16-190 // CNNVD: CNNVD-201603-078

SOURCES

db: ZDI, id: ZDI-16-190
db: VULHUB, id: VHN-88820
db: VULMON, id: CVE-2016-1008
db: JVNDB, id: JVNDB-2016-001699
db: CNNVD, id: CNNVD-201603-078
db: NVD, id: CVE-2016-1008

LAST UPDATE DATE

2024-11-23T22:27:02.661000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-16-190, date: 2016-03-08T00:00:00
db: VULHUB, id: VHN-88820, date: 2016-12-03T00:00:00
db: VULMON, id: CVE-2016-1008, date: 2016-12-03T00:00:00
db: JVNDB, id: JVNDB-2016-001699, date: 2016-03-15T00:00:00
db: CNNVD, id: CNNVD-201603-078, date: 2016-03-09T00:00:00
db: NVD, id: CVE-2016-1008, date: 2024-11-21T02:45:34.943

SOURCES RELEASE DATE

db: ZDI, id: ZDI-16-190, date: 2016-03-08T00:00:00
db: VULHUB, id: VHN-88820, date: 2016-03-09T00:00:00
db: VULMON, id: CVE-2016-1008, date: 2016-03-09T00:00:00
db: JVNDB, id: JVNDB-2016-001699, date: 2016-03-15T00:00:00
db: CNNVD, id: CNNVD-201603-078, date: 2016-03-09T00:00:00
db: NVD, id: CVE-2016-1008, date: 2016-03-09T11:59:38.390