Advisory Title: Adobe Acrobat Reader DC ANShareFile2 Javascript API Restrictions Bypass Vulnerability

Identifier:
- ZDI-15-500
- ZDI-CAN-3084

CVE ID: CVE-2015-7619

CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Vendors: Adobe

Affected Products: Acrobat Reader DC

Vulnerability Details:
- Allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader DC
- Requires user interaction to exploit (visiting a malicious page or opening a malicious file)
- The flaw exists within the ANShareFile2 method; the JavaScript API restrictions can be bypassed with a crafted PDF containing specific JavaScript instructions

Additional Details:
- Adobe released an update to correct the vulnerability; more information is available in Adobe's security advisory

Disclosure Timeline:
- 2015-07-27: Vulnerability reported to vendor
- 2015-10-13: Coordinated public release of advisory

Credit: Matt Molinyawe and Jasiel Spelman of HP Zero Day Initiative