lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <A4C427D6FE3D425088F55DEE3D132BF6@unknown>
Date: Fri, 15 Jan 2010 11:01:05 +0100
From: "VUPEN Security Research" <advisories@...en.com>
To: <bugtraq@...urityfocus.com>
Subject: VUPEN Security Research - Adobe Acrobat and Reader U3D Integer Overflow Vulnerability

VUPEN Security Research - Adobe Acrobat and Reader U3D Integer Overflow 
Vulnerability

http://www.vupen.com/english/research.php


I. BACKGROUND
--------------------- 

Adobe Acrobat and Reader are the global standards for electronic document 
sharing.
They are used to create, view, search, digitally sign, verify, print, and
collaborate on Adobe PDF files.


II. DESCRIPTION
--------------------- 

VUPEN Vulnerability Research Team discovered a critical vulnerability
affecting Adobe Acrobat and Reader.

This vulnerability is caused by an integer overflow error in the U3D module
when processing malformed data, which could be exploited by attackers to
execute arbitrary code by tricking a user into opening a specially crafted
PDF document.


III. AFFECTED PRODUCTS
--------------------------------

Adobe Reader version 9.2 and prior
Adobe Acrobat version 9.2 and prior


IV. Exploits - PoCs & Binary Analysis
----------------------------------------

In-depth binary analysis of the vulnerability and a code execution
exploit have been released by VUPEN Security through the
VUPEN Exploits & PoCs Service :

http://www.vupen.com/exploits


V. SOLUTION
---------------- 

Upgrade to version 9.3 or 8.2.


VI. CREDIT
-------------- 

The vulnerability was discovered by Nicolas JOLY of VUPEN Security


VII. ABOUT VUPEN Security
---------------------------------

VUPEN is a leading IT security research company providing vulnerability
management services to allow enterprises and organizations to eliminate
vulnerabilities before they can be exploited, ensure security policy
compliance and meaningfully measure and manage risks.

VUPEN also provides research services for security vendors (antivirus,
IDS, IPS,etc) to supplement their internal vulnerability research efforts
and quickly develop vulnerability-based and exploit-based signatures,
rules, and filters, and proactively protect their customers against
potential threats.

* VUPEN Vulnerability Notification Service:

http://www.vupen.com/english/services

* VUPEN Exploits and In-Depth Vulnerability Analysis:

http://www.vupen.com/exploits


VIII. REFERENCES
----------------------

http://www.vupen.com/english/advisories/2010/0103
http://www.adobe.com/support/security/bulletins/apsb10-02.html


IX. DISCLOSURE TIMELINE
----------------------------------- 

2009-11-06 - Vendor notified
2009-11-06 - Vendor response
2009-12-10 - Status update received
2010-01-07 - Status update received
2009-01-13 - Coordinated public Disclosure



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ