Some vulnerabilities have been reported in Adobe Reader and Acrobat, which can be exploited by malicious people to conduct cross-site scripting attacks or compromise a user's system.
NOTE: This vulnerability is currently being actively exploited.
2) An array indexing error exists in 3difr.x3d when processing U3D CLOD Mesh Declaration blocks. This can potentially be exploited to corrupt memory and execute arbitrary code via a PDF file containing a specially crafted U3D model.
3) An error in the 3D implementation when loading DLLs can be exploited to potentially execute arbitrary code.
4) A sign extension error exists when processing a Jp2c stream of a JpxDecode data stream. This can be exploited to corrupt memory and potentially execute arbitrary code via a specially crafted JPC_MS_RGN marker.
6) An integer overflow error in the U3D implementation can be exploited to potentially execute arbitrary code.
The vulnerabilities are reported in version 9.2 and prior.
Provided and/or discovered by: 1) Reported as a 0-day.
2) Originally reported by Felipe Andres Manzano in versions prior to 9.2. Reported in version 9.2 by Parvez Anwar.
4) Code Audit Labs, reported via iDefense
5) Paul Theriault, stratsec
The vendor also credits:
3) Greg MacManus of iSIGHT Partners Labs
6) Nicolas Joly of Vupen
Original Advisory: Adobe:
Felipe Andres Manzano:
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to email@example.com