The 2010 Pwnie Nominee For Best Client-Side Bug

Adobe U3D Mesh Declaration Array Overrun (CVE-2009-3953)

Credit: Felipe Andres Manzano

Adobe PDF has been a favorite target of attackers over the last year. Felipe discovered a bug in the U3D file format which affected all recent versions of Adobe Reader. Exploiting it required some very complicated heap manipulation, showing how complex exploitation really is.