On 8 January 2013, during its January Patch Tuesday, Adobe released one Adobe Reader and Acrobat security bulletin dealing with 27 vulnerabilities. This security bulletin has a Critical severity rating. 26 of these vulnerabilities have a 10.0 CVSS base score.

APSB13-02 – Security updates available for Adobe Reader and Acrobat

APSB13-02 concerns:

  • Adobe Reader XI (11.0.0) for Windows and Macintosh
  • Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.5.1 and earlier 9.x versions for Linux
  • Adobe Acrobat XI (11.0.0) for Windows and Macintosh
  • Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh

CVE-2012-1530 (10.0 CVSS base score), which could lead to code execution, was discovered and reported by Nicolas Grégoire through iDefense’s Vulnerability Contributor Program.

CVE-2013-0601 (10.0 CVSS base score), CVE-2013-0602 (10.0 CVSS base score), CVE-2013-0605 (10.0 CVSS base score), CVE-2013-0606 (10.0 CVSS base score), CVE-2013-0607 (10.0 CVSS base score), CVE-2013-0608 (10.0 CVSS base score), CVE-2013-0609 (10.0 CVSS base score), CVE-2013-0610 (10.0 CVSS base score), CVE-2013-0611 (10.0 CVSS base score), CVE-2013-0612 (10.0 CVSS base score), CVE-2013-0613 (10.0 CVSS base score), CVE-2013-0614 (10.0 CVSS base score), CVE-2013-0615 (10.0 CVSS base score), CVE-2013-0616 (10.0 CVSS base score), CVE-2013-0617 (10.0 CVSS base score), CVE-2013-0618 (10.0 CVSS base score), CVE-2013-0619 (10.0 CVSS base score), CVE-2013-0620 (10.0 CVSS base score) and CVE-2013-0621 (10.0 CVSS base score), which could lead to code execution, were discovered and reported by Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team.

CVE-2013-0603 (10.0 CVSS base score), which could lead to code execution, was discovered and reported by Tom Gallagher of Microsoft and Microsoft Vulnerability Research (MSVR).

CVE-2013-0604 (10.0 CVSS base score), which could lead to code execution, was discovered and reported by Alexander Gavrun through iDefense’s Vulnerability Contributor Program.

CVE-2013-0622 (10.0 CVSS base score), which could allow a security bypass, was discovered and reported by Joel Geraci of Practical:PDF.

CVE-2013-0623 (10.0 CVSS base score), which could lead to code execution, was discovered and reported by Alexander Gavrun through iDefense’s Vulnerability Contributor Program and by David D. Rude II of iDefense Labs.

CVE-2013-0624 (10.0 CVSS base score), which could allow a security bypass, was discovered and reported by Billy Rios, Federico Lanusse and Mauro Gentile.

CVE-2013-0626 (10.0 CVSS base score), which could allow a security bypass, was discovered and reported by an unknown security researcher.

CVE-2013-0627 (7.2 CVSS base score), which could lead to local privilege escalation, was discovered and reported by Myke Hamada, Joost Bakker, Anand Bhat and Timothy McKenzie.