Bug 513362 (APSA09-03, CVE-2009-1862)

Adobe Acrobat and Reader CVE-2009-1862 vulnerability:
=====================================================
An user-provided input validation flaw was found in the way Acrobat Reader
used to display certain SWF (Shockwave Flash) content, embedded by
an malicious Flash application in the Portable Document Format (PDF)
file. An attacker could use this flaw to create a PDF file with embedded, specially-crafted SWF content, which once opened by an unsuspecting
user would lead to Adobe Reader crash, or possibly, arbitrary code
execution in the context of user running Adobe Reader.

Affected Adobe Acrobat and Reader versions:
-------------------------------------------
The vulnerability is confirmed in 9.1.2 and earlier 9.x versions
of Adobe Reader and Acrobat.

CVE-2009-1862 vulnerability impact on Adobe Reader 7 and 8:
-----------------------------------------------------------
The affected library "libauthplay.so" for Linux only ships
with Adobe Reader v9.x.  Adobe Reader v8 and earlier do not
ship with this component and do not have the vulnerability.

However, the vulnerability does exist in Adobe Flash Player
v9 and v10.

Adobe Reader v7 and v8 have the ability to play SWF content
by "calling out" to the Flash Player installed on the machine.
This is similar to how Adobe Reader can play .wmv content
via Windows Media Player. 

Temporary workaround, how to mitigate the negative
impact of this flaw in Adobe Reader of versions 7 and 8:
========================================================
The following steps can disable Adobe Reader v8 from
calling out to Adobe Flash Player for playing of SWF content,
embedded in PDF:

    In Adobe Reader, click on Edit -> Preferences Settings ->
    Multimedia Trust -> Permission for Adobe Flash Player ->
    Set drop down to "Never" or "Prompt".




Adobe Flash Player CVE-2009-1862 vulnerability:
===============================================
An user-provided input validation flaw was found in the way Flash Player
displayed certain SWF (Shockwave Flash) content. An attacker could
use this flaw to create a specially-crafted SWF file, which once opened
by an unsuspecting user would lead to Flash Player crash, or possibly,
arbitrary code execution in the context of the user running Flash Player.

Affected Adobe Flash Player versions:
-------------------------------------
The vulnerability is confirmed in 9.0.159.0, 10.0.22.87, and earlier
9.x and 10.x versions of Adobe Flash Player.

Official statement from Adobe Security Team regarding the Flash Player updates:
==============================================================================
We are in the process of developing a fix for the issue, and
expect to provide an update for Flash Player v9 and v10 for
Windows, Macintosh, and Linux by July 30, 2009. 

Temporary workaround, how to mitigate the negative
impact of this flaw in Adobe Flash Player v9 and v10:
=====================================================
There are no known workarounds for Adobe Flash Player.

US-CERT Vulnerability Note VU#259425 recommends the
following steps, how to disable or selectively enable
Flash content by visiting web pages via Mozilla Firefox
web browser (the recommendation overtaken from US-CERT's
"Security Your Web Browser" document):

    http://www.us-cert.gov/reading_room/securing_browser/

Red Hat Security Response Team standpoint:
==========================================
Red Hat Security Response Team is aware of this flaw and is
in contact with Adobe Security Team in order to timely
address it in relevant packages. Once the updated versions
are available, Red Hat will immediately react to overcome
this flaw.

References:
----------
http://www.adobe.com/support/security/advisories/apsa09-03.html
http://www.securityfocus.com/bid/35759/discuss
http://blogs.adobe.com/psirt/2009/07/update_on_adobe_reader_acrobat.html
http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html