Red Hat Bugzilla – Bug 513362
CVE-2009-1862 acroread, flash-plugin: Remote code execution vulnerability via malicious SWF (Shockwave Flash) content
Last modified: 2009-08-13 06:11:19 EDT
Adobe Acrobat and Reader CVE-2009-1862 vulnerability:
=====================================================

A user-provided input validation flaw was found in the way Acrobat Reader used to display certain SWF (Shockwave Flash) content, embedded by a malicious Flash application in the Portable Document Format (PDF) file. An attacker could use this flaw to create a PDF file with embedded, specially-crafted SWF content, which once opened by an unsuspecting user would lead to Adobe Reader crash, or possibly, arbitrary code execution in the context of user running Adobe Reader.

Affected Adobe Acrobat and Reader versions:
-------------------------------------------

The vulnerability is confirmed in 9.1.2 and earlier 9.x versions of Adobe Reader and Acrobat.

CVE-2009-1862 vulnerability impact on Adobe Reader 7 and 8:
-----------------------------------------------------------

The affected library "libauthplay.so" for Linux only ships with Adobe Reader v9.x. Adobe Reader v8 and earlier do not ship with this component and do not have the vulnerability. However, the vulnerability does exist in Adobe Flash Player v9 and v10. Adobe Reader v7 and v8 have the ability to play SWF content by "calling out" to the Flash Player installed on the machine. This is similar to how Adobe Reader can play .wmv content via Windows Media Player.

Temporary workaround, how to mitigate the negative impact of this flaw in Adobe Reader of versions 7 and 8:
========================================================

The following steps can disable Adobe Reader v8 from calling out to Adobe Flash Player for playing of SWF content, embedded in PDF:

In Adobe Reader, click on Edit -> Preferences Settings -> Multimedia Trust -> Permission for Adobe Flash Player -> Set drop down to "Never" or "Prompt".
Adobe Flash Player CVE-2009-1862 vulnerability:
===============================================

A user-provided input validation flaw was found in the way Flash Player displayed certain SWF (Shockwave Flash) content. An attacker could use this flaw to create a specially-crafted SWF file, which once opened by an unsuspecting user would lead to Flash Player crash, or possibly, arbitrary code execution in the context of the user running Flash Player.

Affected Adobe Flash Player versions:
-------------------------------------

The vulnerability is confirmed in 9.0.159.0, 10.0.22.87, and earlier 9.x and 10.x versions of Adobe Flash Player.

Official statement from Adobe Security Team regarding the Flash Player updates:
==============================================================================

We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009.

Temporary workaround, how to mitigate the negative impact of this flaw in Adobe Flash Player v9 and v10:
=====================================================

There are no known workarounds for Adobe Flash Player. US-CERT Vulnerability Note VU#259425 recommends the following steps, how to disable or selectively enable Flash content by visiting web pages via Mozilla Firefox web browser (the recommendation taken from US-CERT's "Securing Your Web Browser" document):

http://www.us-cert.gov/reading_room/securing_browser/

Red Hat Security Response Team standpoint:
==========================================

Red Hat Security Response Team is aware of this flaw and is in contact with Adobe Security Team in order to timely address it in relevant packages. Once the updated versions are available, Red Hat will immediately react to overcome this flaw.
References:
----------
http://www.adobe.com/support/security/advisories/apsa09-03.html
http://www.securityfocus.com/bid/35759/discuss
http://blogs.adobe.com/psirt/2009/07/update_on_adobe_reader_acrobat.html
http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html
MITRE's CVE-2009-1862 record:

Unspecified vulnerability in Adobe Reader and Acrobat 9.x through 9.1.2, and Adobe Flash Player 9.x through 9.0.159.0 and 10.x through 10.0.22.87, allows remote attackers to execute arbitrary code via (1) a crafted Flash application in a .pdf file or (2) a crafted .swf file, related to authplay.dll, as exploited in the wild in July 2009.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1862
http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html
http://bugs.adobe.com/jira/browse/FP-1265
http://isc.sans.org/diary.html?storyid=6847
http://news.cnet.com/8301-27080_3-10293389-245.html
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-072209-2512-99
http://www.symantec.com/connect/blogs/next-generation-flash-vulnerability
http://www.kb.cert.org/vuls/id/259425
http://www.securityfocus.com/bid/35759
Note: An exact duplicate CVE identifier of CVE-2009-2580 has been also assigned to this vulnerability.
Fixed now in Adobe Flash Player 9.0.246.0 and 10.0.32.18: http://www.adobe.com/support/security/bulletins/apsb09-10.html
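An added example, not part of the bug report or of any Red Hat or Adobe tooling: a shell check that classifies a Flash Player version string against the two fixed releases named above. The function names and the status words (update-needed, fixed, not-covered, invalid) are assumptions chosen for this sketch; any 9.x or 10.x build below the fixed release of its branch is treated as needing the update.

```shell
#!/bin/sh
# Added example: compare a Flash Player version with the fixed releases
# given in this bug (9.0.246.0 for the 9.x branch, 10.0.32.18 for 10.x).
# Typical input on an RPM system (package name from the bug title):
#   flash_status "$(rpm -q --qf '%{VERSION}' flash-plugin)"

# ver_lt A B: succeed when dotted version A is strictly lower than B.
# Fields are compared numerically; missing fields count as 0.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# flash_status VERSION: print one of
#   update-needed  9.x / 10.x build below the fixed release of its branch
#   fixed          at or above the fixed release of its branch
#   not-covered    major version this bug makes no statement about
#   invalid        not a dotted numeric version string
flash_status() {
    v=$1
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo "invalid"; return 1 ;;
    esac
    case ${v%%.*} in
        9)  fixed=9.0.246.0 ;;
        10) fixed=10.0.32.18 ;;
        *)  echo "not-covered"; return 0 ;;
    esac
    if ver_lt "$v" "$fixed"; then
        echo "update-needed"
    else
        echo "fixed"
    fi
}
```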
This issue has been addressed in the following products:

  Extras for RHEL 3
  Extras for RHEL 4

Via RHSA-2009:1189 https://rhn.redhat.com/errata/RHSA-2009-1189.html
This issue has been addressed in the following products:

  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1188 https://rhn.redhat.com/errata/RHSA-2009-1188.html