HIGH · 8.8

CVE-2009-3953

Vulnerability Description

The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 allows remote attackers to execute arbitrary code via malformed U3D data in a PDF document, related to a CLODProgressiveMeshDeclaration "array boundary issue," a different vulnerability than CVE-2009-2994.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Adobe | Acrobat | >= 7.0, < 7.1.4 |
| Apple | Mac Os X | - |
| Microsoft | Windows | - |
| Suse | Linux Enterprise Debuginfo | 11 |
| Opensuse | Opensuse | 11.1 |
| Suse | Linux Enterprise | 10.0 |

Related Weaknesses (CWE)

References

FAQ

What is CVE-2009-3953?

CVE-2009-3953 is a vulnerability with a CVSS score of 8.8 (HIGH). The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 allows remote attackers to execute arbitrary code via malformed U3D data...

How severe is CVE-2009-3953?

CVE-2009-3953 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2009-3953?

Check the references section above for vendor advisories and patch information. Affected products include: Adobe Acrobat, Apple Mac Os X, Microsoft Windows, Suse Linux Enterprise Debuginfo, Opensuse Opensuse.