| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Oct 2009 14:20:44 +0200 From: "VUPEN Security Research" <advisories@...en.com> To: <bugtraq@...urityfocus.com> Subject: VUPEN Security - Adobe Acrobat and Reader U3D Filter Code Execution Vulnerabilities VUPEN Vulnerability Research - Adobe Acrobat and Reader U3D Filter Code Execution Vulnerabilities I. BACKGROUND --------------------- Adobe Acrobat is a family of computer programs developed by Adobe Systems, designed to view, create, manipulate and manage files in Adobe's Portable Document Format (PDF). II. DESCRIPTION --------------------- VUPEN Vulnerability Research Team discovered three critical vulnerabilities affecting Adobe Acrobat and Reader. These vulnerabilities are caused by memory corruption errors within the U3D filter when processing malformed data in a PDF file, which could allow attackers to execute arbitrary code by tricking a user into opening a specially crafted PDF document. VUPEN-SR-2009-11 - Adobe U3D Pointer Overwrite Vulnerability VUPEN-SR-2009-10 - Adobe U3D Uninitialized Pointer Vulnerability VUPEN-SR-2009-09 - Adobe U3D Heap Corruption Vulnerability III. AFFECTED PRODUCTS -------------------------------- Adobe Reader version 9.1.3 and prior Adobe Reader version 8.1.6 and prior Adobe Reader version 7.1.3 and prior Adobe Acrobat version 9.1.3 and prior Adobe Acrobat version 8.1.6 and prior Adobe Acrobat version 7.1.3 and prior IV. Exploits - PoCs & Binary Analysis -------------------------------------- Fully functional code execution exploits have been developed by VUPEN Security and are available with in-depth binary analysis of the vulnerabilities through the VUPEN Exploits & PoCs Service. http://www.vupen.com/exploits V. SOLUTION ---------------- Upgrade to Adobe Acrobat and Reader versions 9.2, 8.1.7, or 7.1.4 : http://www.adobe.com/support/security/bulletins/apsb09-07.html VI. CREDIT -------------- The vulnerabilities were discovered by Nicolas JOLY of VUPEN Security VII. REFERENCES ---------------------- http://www.vupen.com/english/research.php http://www.adobe.com/support/security/bulletins/apsb09-15.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3458 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2997 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2998 VIII. DISCLOSURE TIMELINE ----------------------------------- 2009-07-17 - Vendor notified 2009-07-18 - Vendor response 2009-10-07 - Status update received 2009-10-13 - Coordinated public Disclosure
Powered by blists - more mailing lists