Yes, CVE-2009-0927 knows this: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927

It's difficult to say, maybe resource issues or they just wanted to delay when pushing technical details out.

Juha-Matti

Larry Seltzer [[email protected]] wrote:
> It looks like this was fixed in 9.1, the version from a week or two ago. Why
> wasn't the vulnerability disclosed until now?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> [email protected]
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Jeremy Brown
> Sent: Tuesday, March 24, 2009 1:59 PM
> To: [email protected]
> Subject: Re: [Full-disclosure] ZDI-09-014: Adobe Acrobat getIcon()
> Stack Overflow Vulnerability
>
> Maybe Adobe should rethink the word "security". It seems,
> misinterpreted at best, when implemented in most all of their
> products. God help the developers.
>
> On Tue, Mar 24, 2009 at 12:51 PM, ZDI Disclosures
> <[email protected]> wrote:
> > ZDI-09-014: Adobe Acrobat getIcon() Stack Overflow Vulnerability
> > http://www.zerodayinitiative.com/advisories/ZDI-09-014
> > March 24, 2009
> >
> > -- CVE ID:
> > CVE-2009-0927
> >
> > -- Affected Vendors:
> > Adobe
> >
> > -- Affected Products:
> > Adobe Acrobat
> >
> > -- TippingPoint(TM) IPS Customer Protection:
> > TippingPoint IPS customers have been protected against this
> > vulnerability by Digital Vaccine protection filter ID 6255.
> > For further product information on the TippingPoint IPS, visit:
> >
> > http://www.tippingpoint.com
> >
> > -- Vulnerability Details:
> > This vulnerability allows remote attackers to execute arbitrary code on
> > vulnerable installations of Adobe Acrobat and Adobe Reader. User
> > interaction is required in that a user must visit a malicious web site
> > or open a malicious file.
> >
> > The specific flaw exists when processing malicious JavaScript contained
> > in a PDF document. When supplying a specially crafted argument to the
> > getIcon() method of a Collab object, proper bounds checking is not
> > performed resulting in a stack overflow. If successfully exploited full
> > control of the affected machine running under the credentials of the
> > currently logged in user can be achieved.
> >
> > -- Vendor Response:
> > Adobe has issued an update to correct this vulnerability. More
> > details can be found at:
> >
> > http://www.adobe.com/support/security/bulletins/apsb09-04.html
> >
> > -- Disclosure Timeline:
> > 2008-07-03 - Vulnerability reported to vendor
> > 2009-03-24 - Coordinated public release of advisory
> >
> > -- Credit:
> > This vulnerability was discovered by:
> > * Tenable Network Security
> >
> > -- About the Zero Day Initiative (ZDI):
> > Established by TippingPoint, The Zero Day Initiative (ZDI) represents
> > a best-of-breed model for rewarding security researchers for responsibly
> > disclosing discovered vulnerabilities.
> >
> > Researchers interested in getting paid for their security research
> > through the ZDI can find more information and sign-up at:
> >
> > http://www.zerodayinitiative.com
> >
> > The ZDI is unique in how the acquired vulnerability information is
> > used. TippingPoint does not re-sell the vulnerability details or any
> > exploit code. Instead, upon notifying the affected product vendor,
> > TippingPoint provides its customers with zero day protection through
> > its intrusion prevention technology. Explicit details regarding the
> > specifics of the vulnerability are not exposed to any parties until
> > an official vendor patch is publicly available. Furthermore, with the
> > altruistic aim of helping to secure a broader user base, TippingPoint
> > provides this vulnerability information confidentially to security
> > vendors (including competitors) who have a vulnerability protection or
> > mitigation product.
> >
> > Our vulnerability disclosure policy is available online at:
> >
> > http://www.zerodayinitiative.com/advisories/disclosure_policy/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
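The advisory quoted above describes the bug class in one sentence: a script-supplied argument reaches a native handler that copies it into a fixed-size stack buffer without a length check. The C below is an added illustration of that class, written for this page; it is not Adobe's code, not the Acrobat getIcon() implementation, and not a trigger for CVE-2009-0927. The function names, the 64-byte buffer, the "icon lookup" return value and the oversize argument are all hypothetical and constructed here.

```c
/* Added example, not from the advisory or from Adobe: a model of a native
 * method handler that receives a string argument from script and copies it
 * into a fixed-size stack buffer. Everything below is hypothetical. */
#include <stdio.h>
#include <string.h>

#define ICON_NAME_MAX 64   /* hypothetical size of the stack buffer */

/* Vulnerable form: no check that the argument fits the buffer. An
 * argument longer than ICON_NAME_MAX-1 bytes runs past name_buf into the
 * saved frame data above it, which is the stack overflow the advisory
 * describes. It is safe only for short arguments; never pass it
 * untrusted input. */
int get_icon_vulnerable(const char *arg)
{
    char name_buf[ICON_NAME_MAX];
    strcpy(name_buf, arg);            /* unbounded copy: the bug */
    return (int)strlen(name_buf);     /* stands in for the icon lookup */
}

/* Hardened form: measure the argument before touching the buffer and
 * reject anything that does not fit. Rejecting (rather than silently
 * truncating) keeps the failure visible to the caller. */
int get_icon_hardened(const char *arg)
{
    char name_buf[ICON_NAME_MAX];
    size_t n = strlen(arg);
    if (n >= sizeof name_buf)
        return -1;                    /* argument rejected */
    memcpy(name_buf, arg, n + 1);     /* fits, including the terminator */
    return (int)n;
}

/* Longest argument the vulnerable handler can take without writing past
 * name_buf: the buffer minus one byte for the NUL terminator. */
size_t vulnerable_max_safe_len(void)
{
    return ICON_NAME_MAX - 1;
}

int main(void)
{
    /* Constructed oversize argument: a long run of 'A', well past the
     * buffer. It is only ever handed to the hardened handler here. */
    char crafted[ICON_NAME_MAX + 200];
    memset(crafted, 'A', sizeof crafted - 1);
    crafted[sizeof crafted - 1] = '\0';

    printf("short arg, hardened:   %d\n", get_icon_hardened("icon"));
    printf("crafted arg, hardened: %d\n", get_icon_hardened(crafted));
    printf("vulnerable safe limit: %zu bytes\n", vulnerable_max_safe_len());
    /* get_icon_vulnerable(crafted) is deliberately not called: it would
     * corrupt this frame (or abort under a stack protector). */
    return 0;
}
```

The point to take from the pair is that the fix is a length check before the copy, not a larger buffer; a bigger buffer only moves the threshold. With a stack protector the oversize call would abort instead of returning to an attacker-chosen address, but that is a mitigation, not a bounds check, and the advisory's point is that the check itself was missing.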
