Public Vulnerability Reports

Adobe Acrobat and Reader U3D File Invalid Array Index Vulnerability



Adobe Acrobat Reader/Acrobat are programs for viewing and editing Portable Document Format (PDF) documents. For more information, see the vendor's site found at the following link.


Remote exploitation of an invalid array index vulnerability in Adobe Systems Inc.'s Reader and Acrobat could allow an attacker to execute arbitrary code with the privileges of the current user.

The vulnerability occurs when parsing a U3D file embedded inside of a PDF. U3D is a file format used to represent 3D images.

When parsing a U3D file, the parsing code fails to validate a value from the file used as index into a list of objects. This results in an attacker being able to specify an arbitrary value for a function pointer, which leads to the execution of arbitrary code.


Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. If the Adobe Reader browser plugin is enabled (this is the default setting), then this vulnerability can be exploited automatically by simply visiting a malicious webpage with an embedded PDF. If the browser plugin is disabled, an attacker needs to convince a user to open a malicious file.


iDefense confirmed the existence of this vulnerability in Reader and Acrobat versions 9.1.3 and 8.1.6. Previous versions may also be affected.


A possible mitigation is to prevent Adobe Reader/Acrobat from opening files directly in the browser. If this functionality is disabled, then the user will have to open the file via the 'Open' button (or save it and open it later manually) if it is embedded in a webpage.

Additionally, disabling JavaScript in Adobe Reader/Acrobat will make the vulnerability more difficult to exploit in a reliable fashion.


Adobe has addressed this issue with an update. Further details and patches can be found at the following URL.


The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-2990 to this issue. This is a candidate for inclusion in the CVE list (, which standardizes names for security problems.


06/09/2009 Initial vendor notification
06/09/2009 Initial vendor response
10/13/2009 Public disclosure


This vulnerability was reported to iDefense by Dionysus Blazakis.

Get paid for vulnerability research

Free tools, research and upcoming events


Copyright © 2009 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.