Multiple vulnerabilities have been reported in Adobe Reader / Acrobat, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to disclose potentially sensitive information, bypass certain security restrictions, and compromise a user's system.

1) An error exists in how the Adobe Reader X sandbox feature performs policy checks and how certain policy rules are setup. This can be exploited to bypass the policy checks and manipulate certain restricted resources, thereby disabling the sandbox feature.

This vulnerability affects Adobe Reader X for Windows only.

2) An unspecified error can be exploited to bypass certain security restrictions.

3) The application includes a vulnerable version of libtiff, which is used when parsing PDF files e.g. containing U3D data.

For more information:
SA21304

4) An error when handling PICT images containing 0x10 opcodes can be exploited to cause a heap-based buffer overflow as the word following the opcode is used as a loop counter for copying data without validating it.

5) An error when handling PICT images containing 0x0E opcodes can be exploited to cause a heap-based buffer overflow as the word following the opcode is used as a loop counter for copying data without validating it.

6) A boundary error in 2d.x3d when storing certain image header values from PICT images can be exploited to cause a stack-based buffer overflow.

7) A boundary error when parsing RGBA chunks in IFF images can be exploited to cause a heap-based buffer overflow.

8) An error when parsing PCX images can be exploited to cause a heap-based buffer overflow.

9) An error when parsing various types of encoded data in BMP images can be exploited to cause heap-based buffer overflows via specially crafted image content in a PDF document.

10) An unspecified error can be exploited to disclose the contents of memory.

11) A use-after-free error when processing certain JPEG markers within a PDF file can be exploited to dereference an invalid object as an object pointer.

12) Sign-extension errors in the CoolType.dll library when parsing compound glyphs in TrueType fonts can be exploited to corrupt heap-based memory via "numberOfContours" values greater than 7FFFh.

13) A logic error can be exploited to corrupt memory.

14) An integer overflow error when parsing certain ICC profile records can be exploited to cause a stack-based buffer overflow.

15) The application bundles vulnerable versions of Adobe Flash Player.

For more information:
SA45583
SA46113

The vulnerabilities are reported in the following products:
* Adobe Reader X (10.1) and earlier for Windows and Macintosh.
* Adobe Reader 9.4.5 and earlier for Windows, Macintosh, and UNIX.
* Adobe Reader 8.3 and earlier for Windows and Macintosh.
* Adobe Acrobat X (10.1) and earlier for Windows and Macintosh.
* Adobe Acrobat 9.4.5 and earlier for Windows and Macintosh.
* Adobe Acrobat 8.3 and earlier for Windows and Macintosh.

Solution
Apply updates (please see the vendor's advisory for details).
Further details available to Secunia VIM customers

Provided and/or discovered by
1) Paul Sabanal and Mark Yason, IBM X-Force Advanced Research and Zhenhua Liu, Fortinet's Fortiguard Labs.
3-9, 12) binaryproof via ZDI.
9) Hossein Lotfi via Secunia.
11) An anonymous person via iDefense.
14) An anonymous person via iDefense.

The vendor credits:
2) Vladimir Vorontsov, ONsec.
10) James Quirk, Los Alamos.
13) Tavis Ormandy, Google Security Team.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Adobe:
http://www.adobe.com/support/security/bulletins/apsb11-24.html

iDefense Labs:
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=940
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=969

IBM ISS X-Force:
http://xforce.iss.net/xforce/xfdb/69717

FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-30.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-282/
http://www.zerodayinitiative.com/advisories/ZDI-11-283/
http://www.zerodayinitiative.com/advisories/ZDI-11-284/
http://www.zerodayinitiative.com/advisories/ZDI-11-296/
http://www.zerodayinitiative.com/advisories/ZDI-11-297/
http://www.zerodayinitiative.com/advisories/ZDI-11-298/
http://www.zerodayinitiative.com/advisories/ZDI-11-299/
http://www.zerodayinitiative.com/advisories/ZDI-11-300/
http://www.zerodayinitiative.com/advisories/ZDI-11-301/
http://www.zerodayinitiative.com/advisories/ZDI-11-302/
http://www.zerodayinitiative.com/advisories/ZDI-11-310/

Other references
Further details available to Secunia VIM customers

Technical Analysis
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers