Message-ID: <6708A4A52D45436380CE5410DF617590@othello>
Date: Tue, 24 Mar 2009 21:25:09 -0400
From: "Mike N." <niceman@....net>
To: "Larry Seltzer" <larry@...ryseltzer.com>,
	"Jeremy Brown" <0xjbrown41@...il.com>, <full-disclosure@...ts.grok.org.uk>
Subject: Re: ZDI-09-014: Adobe Acrobat
	getIcon()StackOverflow Vulnerability

Perhaps to give the rest of the world a few hours to roll out patches and
test? It's doubtful that delaying the disclosure by a week created an
unsafe situation.

--------------------------------------------------
From: "Larry Seltzer" <larry@...ryseltzer.com>
Sent: Tuesday, March 24, 2009 2:14 PM
To: "Jeremy Brown" <0xjbrown41@...il.com>; 
<full-disclosure@...ts.grok.org.uk>
Subject: Re: [Full-disclosure] ZDI-09-014: Adobe Acrobat 
getIcon()StackOverflow Vulnerability

> It looks like this was fixed in 9.1, the version from a week or two ago. 
> Why wasn't the vulnerability disclosed until now?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> larry.seltzer@...fdavisenterprise.com
>
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk 
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Jeremy 
> Brown
> Sent: Tuesday, March 24, 2009 1:59 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] ZDI-09-014: Adobe Acrobat getIcon() 
> StackOverflow Vulnerability
>
> Maybe Adobe should rethink the word "security". It seems,
> misinterpreted at best, when implemented in most all of their
> products. God help the developers.
>
> On Tue, Mar 24, 2009 at 12:51 PM, ZDI Disclosures
> <zdi-disclosures@...pingpoint.com> wrote:
>> ZDI-09-014: Adobe Acrobat getIcon() Stack Overflow Vulnerability
>> http://www.zerodayinitiative.com/advisories/ZDI-09-014
>> March 24, 2009
>>
>> -- CVE ID:
>> CVE-2009-0927
>>
>> -- Affected Vendors:
>> Adobe
>>
>> -- Affected Products:
>> Adobe Acrobat
>>
>> -- TippingPoint(TM) IPS Customer Protection:
>> TippingPoint IPS customers have been protected against this
>> vulnerability by Digital Vaccine protection filter ID 6255.
>> For further product information on the TippingPoint IPS, visit:
>>
>> http://www.tippingpoint.com
>>
>> -- Vulnerability Details:
>> This vulnerability allows remote attackers to execute arbitrary code on
>> vulnerable installations of Adobe Acrobat and Adobe Reader. User
>> interaction is required in that a user must visit a malicious web site
>> or open a malicious file.
>>
>> The specific flaw exists when processing malicious JavaScript contained
>> in a PDF document. When supplying a specially crafted argument to the
>> getIcon() method of a Collab object, proper bounds checking is not
>> performed, resulting in a stack overflow. If successfully exploited, full
>> control of the affected machine running under the credentials of the
>> currently logged-in user can be achieved.
>>
>> -- Vendor Response:
>> Adobe has issued an update to correct this vulnerability. More
>> details can be found at:
>>
>> http://www.adobe.com/support/security/bulletins/apsb09-04.html
>>
>> -- Disclosure Timeline:
>> 2008-07-03 - Vulnerability reported to vendor
>> 2009-03-24 - Coordinated public release of advisory
>>
>> -- Credit:
>> This vulnerability was discovered by:
>> * Tenable Network Security
>>
>> -- About the Zero Day Initiative (ZDI):
>> Established by TippingPoint, the Zero Day Initiative (ZDI) represents
>> a best-of-breed model for rewarding security researchers for responsibly
>> disclosing discovered vulnerabilities.
>>
>> Researchers interested in getting paid for their security research
>> through the ZDI can find more information and sign-up at:
>>
>> http://www.zerodayinitiative.com
>>
>> The ZDI is unique in how the acquired vulnerability information is
>> used. TippingPoint does not re-sell the vulnerability details or any
>> exploit code. Instead, upon notifying the affected product vendor,
>> TippingPoint provides its customers with zero day protection through
>> its intrusion prevention technology. Explicit details regarding the
>> specifics of the vulnerability are not exposed to any parties until
>> an official vendor patch is publicly available. Furthermore, with the
>> altruistic aim of helping to secure a broader user base, TippingPoint
>> provides this vulnerability information confidentially to security
>> vendors (including competitors) who have a vulnerability protection or
>> mitigation product.
>>
>> Our vulnerability disclosure policy is available online at:
>>
>> http://www.zerodayinitiative.com/advisories/disclosure_policy/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>

