Re: ZDI-09-014: Adobe Acrobat getIcon() StackOverflow Vulnerability

[Juha-Matti Laurio <juha-matti.laurio () netti fi>]

Yes, CVE-2009-0927 knows this:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927

It's difficult to say, maybe resource issues or they just wanted to delay when pushing technical details out.

Juha-Matti

Larry Seltzer [larry () larryseltzer com] kirjoitti: 
> It looks like this was fixed in 9.1, the version from a week or two ago. Why wasn't the vulnerability disclosed until 
> now?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> larry.seltzer () ziffdavisenterprise com
>
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
> Jeremy Brown
> Sent: Tuesday, March 24, 2009 1:59 PM
> To: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] ZDI-09-014: Adobe Acrobat getIcon() StackOverflow Vulnerability
>
> Maybe Adobe should rethink the word "security". It seems,
> misinterpreted at best, when implemented in most all of their
> products. God help the developers.
>
> On Tue, Mar 24, 2009 at 12:51 PM, ZDI Disclosures
> <zdi-disclosures () tippingpoint com> wrote:
> > ZDI-09-014: Adobe Acrobat getIcon() Stack Overflow Vulnerability
> > http://www.zerodayinitiative.com/advisories/ZDI-09-014
> > March 24, 2009
> >
> > -- CVE ID:
> > CVE-2009-0927
> >
> > -- Affected Vendors:
> > Adobe
> >
> > -- Affected Products:
> > Adobe Acrobat
> >
> > -- TippingPoint(TM) IPS Customer Protection:
> > TippingPoint IPS customers have been protected against this
> > vulnerability by Digital Vaccine protection filter ID 6255.
> > For further product information on the TippingPoint IPS, visit:
> >
> >    http://www.tippingpoint.com
> >
> > -- Vulnerability Details:
> > This vulnerability allows remote attackers to execute arbitrary code on
> > vulnerable installations of Adobe Acrobat and Adobe Reader. User
> > interaction is required in that a user must visit a malicious web site
> > or open a malicious file.
> >
> > The specific flaw exists when processing malicious JavaScript contained
> > in a PDF document. When supplying a specially crafted argument to the
> > getIcon() method of a Collab object, proper bounds checking is not
> > performed resulting in a stack overflow. If successfully exploited full
> > control of the affected machine running under the credentials of the
> > currently logged in user can be achieved.
> >
> > -- Vendor Response:
> > Adobe has issued an update to correct this vulnerability. More
> > details can be found at:
> >
> > http://www.adobe.com/support/security/bulletins/apsb09-04.html
> >
> > -- Disclosure Timeline:
> > 2008-07-03 - Vulnerability reported to vendor
> > 2009-03-24 - Coordinated public release of advisory
> >
> > -- Credit:
> > This vulnerability was discovered by:
> >    * Tenable Network Security
> >
> > -- About the Zero Day Initiative (ZDI):
> > Established by TippingPoint, The Zero Day Initiative (ZDI) represents
> > a best-of-breed model for rewarding security researchers for responsibly
> > disclosing discovered vulnerabilities.
> >
> > Researchers interested in getting paid for their security research
> > through the ZDI can find more information and sign-up at:
> >
> >    http://www.zerodayinitiative.com
> >
> > The ZDI is unique in how the acquired vulnerability information is
> > used. TippingPoint does not re-sell the vulnerability details or any
> > exploit code. Instead, upon notifying the affected product vendor,
> > TippingPoint provides its customers with zero day protection through
> > its intrusion prevention technology. Explicit details regarding the
> > specifics of the vulnerability are not exposed to any parties until
> > an official vendor patch is publicly available. Furthermore, with the
> > altruistic aim of helping to secure a broader user base, TippingPoint
> > provides this vulnerability information confidentially to security
> > vendors (including competitors) who have a vulnerability protection or
> > mitigation product.
> >
> > Our vulnerability disclosure policy is available online at:
> >
> >    http://www.zerodayinitiative.com/advisories/disclosure_policy/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/