Perhaps to give the rest of the world a few hours to roll out patches and test? It's doubtful that delaying the disclosure by a week created an unsafe situation.
--------------------------------------------------
From: "Larry Seltzer" <[email protected]>
Sent: Tuesday, March 24, 2009 2:14 PM
To: "Jeremy Brown" <[email protected]>; <[email protected]>
Subject: Re: [Full-disclosure] ZDI-09-014: Adobe Acrobat getIcon() Stack Overflow Vulnerability

> It looks like this was fixed in 9.1, the version from a week or two ago.
> Why wasn't the vulnerability disclosed until now?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> [email protected]
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Jeremy Brown
> Sent: Tuesday, March 24, 2009 1:59 PM
> To: [email protected]
> Subject: Re: [Full-disclosure] ZDI-09-014: Adobe Acrobat getIcon()
> Stack Overflow Vulnerability
>
> Maybe Adobe should rethink the word "security". It seems,
> misinterpreted at best, when implemented in most all of their
> products. God help the developers.
>
> On Tue, Mar 24, 2009 at 12:51 PM, ZDI Disclosures
> <[email protected]> wrote:
>> ZDI-09-014: Adobe Acrobat getIcon() Stack Overflow Vulnerability
>> http://www.zerodayinitiative.com/advisories/ZDI-09-014
>> March 24, 2009
>>
>> -- CVE ID:
>> CVE-2009-0927
>>
>> -- Affected Vendors:
>> Adobe
>>
>> -- Affected Products:
>> Adobe Acrobat
>>
>> -- TippingPoint(TM) IPS Customer Protection:
>> TippingPoint IPS customers have been protected against this
>> vulnerability by Digital Vaccine protection filter ID 6255.
>> For further product information on the TippingPoint IPS, visit:
>>
>> http://www.tippingpoint.com
>>
>> -- Vulnerability Details:
>> This vulnerability allows remote attackers to execute arbitrary code on
>> vulnerable installations of Adobe Acrobat and Adobe Reader. User
>> interaction is required in that a user must visit a malicious web site
>> or open a malicious file.
>>
>> The specific flaw exists when processing malicious JavaScript contained
>> in a PDF document. When supplying a specially crafted argument to the
>> getIcon() method of a Collab object, proper bounds checking is not
>> performed resulting in a stack overflow. If successfully exploited full
>> control of the affected machine running under the credentials of the
>> currently logged in user can be achieved.
>>
>> -- Vendor Response:
>> Adobe has issued an update to correct this vulnerability. More
>> details can be found at:
>>
>> http://www.adobe.com/support/security/bulletins/apsb09-04.html
>>
>> -- Disclosure Timeline:
>> 2008-07-03 - Vulnerability reported to vendor
>> 2009-03-24 - Coordinated public release of advisory
>>
>> -- Credit:
>> This vulnerability was discovered by:
>> * Tenable Network Security
>>
>> -- About the Zero Day Initiative (ZDI):
>> Established by TippingPoint, The Zero Day Initiative (ZDI) represents
>> a best-of-breed model for rewarding security researchers for responsibly
>> disclosing discovered vulnerabilities.
>>
>> Researchers interested in getting paid for their security research
>> through the ZDI can find more information and sign-up at:
>>
>> http://www.zerodayinitiative.com
>>
>> The ZDI is unique in how the acquired vulnerability information is
>> used. TippingPoint does not re-sell the vulnerability details or any
>> exploit code. Instead, upon notifying the affected product vendor,
>> TippingPoint provides its customers with zero day protection through
>> its intrusion prevention technology. Explicit details regarding the
>> specifics of the vulnerability are not exposed to any parties until
>> an official vendor patch is publicly available. Furthermore, with the
>> altruistic aim of helping to secure a broader user base, TippingPoint
>> provides this vulnerability information confidentially to security
>> vendors (including competitors) who have a vulnerability protection or
>> mitigation product.
>>
>> Our vulnerability disclosure policy is available online at:
>>
>> http://www.zerodayinitiative.com/advisories/disclosure_policy/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
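Editor's note, added here and not part of the thread or of the ZDI advisory: the advisory identifies the sink (a crafted argument to Collab.getIcon() in PDF-embedded JavaScript) but, by ZDI policy, no trigger. A practitioner triaging attachments before the 9.1 / APSB09-04 update has rolled out can still act on the sink alone, since that call is rare in ordinary documents. The script below does that: it walks a PDF's raw bytes and every FlateDecode stream, reports each Collab.getIcon() call and whether its argument is a short string literal or something computed at run time, and returns a triage verdict. Assumptions that are mine, not the advisory's: JavaScript lives either in a /JS literal string or in a zlib-wrapped FlateDecode stream (no object streams, no other filters, no JS split across objects), and the 256-character literal threshold is an arbitrary triage cutoff. The three sample documents are constructed for the example and are not exploits.

```python
"""Flag PDFs whose embedded JavaScript calls Collab.getIcon(), the sink
named in ZDI-09-014 / CVE-2009-0927.

Assumptions not taken from the advisory: JavaScript sits in a /JS literal
string or in a zlib-wrapped FlateDecode stream (no object streams, no other
filters), and legitimate icon names are short, so LITERAL_LIMIT is an
arbitrary triage threshold chosen for this example.
"""
import re
import zlib

# Acrobat JavaScript call site. The optional backslashes accept the escaped
# parentheses a PDF literal string uses, e.g.  /JS (Collab.getIcon\("x"\)).
CALL_RE = re.compile(rb"Collab\s*\.\s*getIcon\s*\\?\(([^)]*?)\\?\)", re.IGNORECASE)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
STRING_LIT_RE = re.compile(rb"""^\s*(['"])(.*)\1\s*$""", re.DOTALL)

LITERAL_LIMIT = 256  # assumption: a real icon name is far shorter than this


def candidate_buffers(pdf):
    """Yield (label, bytes) for the raw file and every stream that inflates."""
    yield "raw", pdf
    for i, m in enumerate(STREAM_RE.finditer(pdf)):
        try:
            # decompressobj returns the data even if the trailing checksum was
            # clipped by the stream delimiter; zlib.decompress would raise.
            data = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not zlib data: already covered by the raw scan
        if data:
            yield f"stream{i}/inflated", data


def scan_pdf(pdf):
    """Return [(location, argument_kind, argument_length)] per getIcon() call."""
    findings = []
    for loc, buf in candidate_buffers(pdf):
        for m in CALL_RE.finditer(buf):
            arg = m.group(1)
            lit = STRING_LIT_RE.match(arg)
            if lit:
                findings.append((loc, "literal", len(lit.group(2))))
            else:
                # Variable, concatenation or call: the final length cannot be
                # judged statically, so it is reported as an expression.
                findings.append((loc, "expression", len(arg.strip())))
    return findings


def verdict(findings):
    """Triage: no call -> clean; only short literals -> review; else suspicious."""
    if not findings:
        return "clean"
    if any(kind != "literal" or n > LITERAL_LIMIT for _, kind, n in findings):
        return "suspicious"
    return "review"


# Constructed sample documents for the example (not real files, not exploits).
SAMPLE_LITERAL = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /JavaScript /JS (Collab.getIcon\\(\""
    + b"A" * 4000
    + b"\"\\)) >>\nendobj\n"
)

_JS = b'var name = ""; for (var i = 0; i < 8; i++) name += "icon"; Collab.getIcon(name);'
_DEFLATED = zlib.compress(_JS)
SAMPLE_COMPRESSED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /JavaScript /JS 2 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /Length " + str(len(_DEFLATED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _DEFLATED + b"\nendstream\nendobj\n"
)

SAMPLE_BENIGN = b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS (app.alert\\(\"hello\"\\)) >>\nendobj\n"

if __name__ == "__main__":
    for label, pdf in [("literal", SAMPLE_LITERAL),
                       ("compressed", SAMPLE_COMPRESSED),
                       ("benign", SAMPLE_BENIGN)]:
        found = scan_pdf(pdf)
        print(f"{label:10s} {verdict(found):10s} {found}")
```

Any document that reaches "review" or "suspicious" deserves a look in a sandbox rather than a blanket block, and the script is a stopgap, not a fix: the thread's own point is that the update (Acrobat/Reader 9.1, APSB09-04) closes the hole, and a scanner that ignores object streams or exotic filters will miss a determined attacker.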
