A memory corruption flaw exists in Adobe Reader and Acrobat. The program fails to sanitize user-supplied input in the 2d.x3d module, when handling BMP files. With a specially crafted file, a context-dependent attacker may cause memory corruption. This may allow a remote attacker to execute arbitrary code.

Upgrade to version 9.5 or higher or 10.1.2 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1026496
• OVAL ID: 14615
• CVE ID: 2011-4373 (see also: NVD)
• SCIP VulDB ID: 4540
• Secunia Advisory ID: 45852 49667
• Bugtraq ID: 51350
• Related OSVDB ID: 78245 78246 78247
• Mail List Post: http://seclists.org/bugtraq/2012/Feb/38
• Vendor Specific News/Changelog Entry: http://security.gentoo.org/glsa/glsa-201206-14.xml
  http://www.adobe.com/support/security/bulletins/apsb12-01.html
• Other Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-12-021

• Alin Rad Pop - Zero Day Initiative (ZDI)