VUPEN Security Research - Adobe Acrobat and Reader U3D Integer Overflow Vulnerability

2010-01-17T00:00:00
ID SECURITYVULNS:DOC:23042
Type securityvulns
Reporter Securityvulns
Modified 2010-01-17T00:00:00

Description

VUPEN Security Research - Adobe Acrobat and Reader U3D Integer Overflow Vulnerability

http://www.vupen.com/english/research.php

I. BACKGROUND

Adobe Acrobat and Reader are the global standards for electronic document sharing. They are used to create, view, search, digitally sign, verify, print, and collaborate on Adobe PDF files.

II. DESCRIPTION

VUPEN Vulnerability Research Team discovered a critical vulnerability affecting Adobe Acrobat and Reader.

This vulnerability is caused by an integer overflow error in the U3D module when processing malformed data, which could be exploited by attackers to execute arbitrary code by tricking a user into opening a specially crafted PDF document.

III. AFFECTED PRODUCTS

Adobe Reader version 9.2 and prior Adobe Acrobat version 9.2 and prior

IV. Exploits - PoCs & Binary Analysis

In-depth binary analysis of the vulnerability and a code execution exploit have been released by VUPEN Security through the VUPEN Exploits & PoCs Service :

http://www.vupen.com/exploits

V. SOLUTION

Upgrade to version 9.3 or 8.2.

VI. CREDIT

The vulnerability was discovered by Nicolas JOLY of VUPEN Security

VII. ABOUT VUPEN Security

VUPEN is a leading IT security research company providing vulnerability management services to allow enterprises and organizations to eliminate vulnerabilities before they can be exploited, ensure security policy compliance and meaningfully measure and manage risks.

VUPEN also provides research services for security vendors (antivirus, IDS, IPS,etc) to supplement their internal vulnerability research efforts and quickly develop vulnerability-based and exploit-based signatures, rules, and filters, and proactively protect their customers against potential threats.

  • VUPEN Vulnerability Notification Service:

http://www.vupen.com/english/services

  • VUPEN Exploits and In-Depth Vulnerability Analysis:

http://www.vupen.com/exploits

VIII. REFERENCES

http://www.vupen.com/english/advisories/2010/0103 http://www.adobe.com/support/security/bulletins/apsb10-02.html

IX. DISCLOSURE TIMELINE

2009-11-06 - Vendor notified 2009-11-06 - Vendor response 2009-12-10 - Status update received 2010-01-07 - Status update received 2009-01-13 - Coordinated public Disclosure