DOE-CIRC TECHNICAL BULLETIN

T-191: Vulnerability in Adobe Acrobat, Reader, and Flash Player

July 23, 2009 13:00 GMT

PROBLEM: Vulnerability in Adobe Flash allows remote code execution.
PLATFORM: Adobe Reader 9.1.2; Adobe Flash Player 9; Adobe Flash Player 10; Adobe Acrobat Standard 9.1.2; Adobe Acrobat Professional 9.1.2
ABSTRACT: An attacker can exploit this issue by supplying a malicious Flash ('.swf') file or by embedding a malicious Flash application in a PDF file or web page. Successful exploits may allow the attacker to execute arbitrary code in the context of the user running the affected application.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-191.shtml
  OTHER LINKS:
    Security Focus Website
    http://www.securityfocus.com/bid/35759/info
    Adobe Website
    http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html



IMPACT ASSESSMENT: This risk is high. Adobe Flash is widely deployed on a wide variety of platforms. The vulnerability is being exploited in the wild through infected PDFs and web sites (drive-by exploitation). Some legitimate web sites have been compromised and altered to exploit this vulnerability.

Discussion:
Adobe Acrobat, Reader, and Flash Player are prone to a remote code-execution vulnerability.

An attacker can exploit this issue by supplying a malicious Flash ('.swf') file or by embedding a malicious Flash application in a PDF file. Successful exploits may allow the attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions.

The issue affects the following:

Reader and Acrobat 9.1.2
Flash Player 9 and 10

Solution:
There is no vendor patch at the present time.

Workaround:
We are not aware of a satisfactory solution to this problem.
Disabling JavaScript will not prevent exploitation of this vulnerability.
Firefox users can use NoScript to disable Flash. This will not protect against malicious code in Adobe Reader or Acrobat.
Users can disable Flash in their web browser and also disable Flash and 3D & Multimedia support in Reader and Acrobat. US-CERT has instructions at this URL:
http://www.kb.cert.org/vuls/id/259425
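Because the bulletin identifies PDF files carrying embedded Flash as a delivery path and offers no vendor patch, a site may want to flag such PDFs at a mail gateway or during incident triage. The following Python script is an added example, not part of the DOE-CIRC bulletin or of any Adobe tooling. It assumes only the public PDF and SWF formats: SWF files begin with the bytes FWS (uncompressed) or CWS (zlib-compressed), and PDF RichMedia annotations use the /RichMedia and /Subtype /Flash dictionary keys. It inspects every stream object, inflating FlateDecode streams, and reports any SWF signature or Flash-related key. The three sample PDFs are constructed inline and inert; they carry SWF header bytes only, not a working Flash object.

```python
import re
import zlib

# Added triage example (not from the DOE-CIRC bulletin): flag PDFs that carry
# Flash content, the delivery path the bulletin describes. The sample PDFs
# below are constructed and inert: SWF header bytes only, no working SWF.

SWF_MAGICS = (b"FWS", b"CWS")  # uncompressed / zlib-compressed SWF signature
FLASH_KEYS = (b"/RichMedia", b"/Subtype /Flash", b"/Subtype/Flash")

# Matches the body between a 'stream' keyword and the next 'endstream'.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def iter_streams(pdf_bytes):
    """Yield the raw body of every stream ... endstream pair in document order."""
    for m in STREAM_RE.finditer(pdf_bytes):
        yield m.group(1)


def inflate(data):
    """Return zlib-decompressed data (FlateDecode), or the input if it is not zlib."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return data


def scan_pdf_for_flash(pdf_bytes):
    """Return a list of findings; an empty list means no Flash content was seen."""
    findings = []
    for key in FLASH_KEYS:
        if key in pdf_bytes:
            findings.append("dictionary key %s present" % key.decode("ascii"))
    for idx, raw in enumerate(iter_streams(pdf_bytes)):
        # Check the body both as stored and after FlateDecode, since an
        # embedded SWF normally sits inside a compressed stream.
        for body in (raw, inflate(raw)):
            if body[:3] in SWF_MAGICS:
                findings.append("stream %d starts with SWF signature %s"
                                % (idx, body[:3].decode("ascii")))
                break
    return findings


def build_pdf(stream_body, flate=False, annot=b""):
    """Assemble a minimal, constructed PDF around one stream object."""
    body = zlib.compress(stream_body) if flate else stream_body
    filt = b"/Filter /FlateDecode " if flate else b""
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        annot,
        b"4 0 obj << ", filt, b"/Length ", str(len(body)).encode("ascii"), b" >>\n",
        b"stream\n", body, b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ])


# Constructed samples (inert): a plain text stream, a FlateDecode stream whose
# inflated body carries an SWF header, and a RichMedia annotation plus a CWS stream.
INERT_SWF_STUB = b"FWS\x09" + (0).to_bytes(4, "little") + b"\x00" * 16
BENIGN_PDF = build_pdf(b"BT /F1 12 Tf (Hello) Tj ET")
FLATE_SWF_PDF = build_pdf(INERT_SWF_STUB, flate=True)
RICHMEDIA_PDF = build_pdf(b"CWS\x0a" + b"\x00" * 20,
                          annot=b"5 0 obj << /Type /Annot /Subtype /RichMedia >> endobj\n")

if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("flate_swf", FLATE_SWF_PDF),
                      ("richmedia", RICHMEDIA_PDF)):
        print(name, scan_pdf_for_flash(pdf) or "no Flash content found")
```

The check is deliberately independent of JavaScript, matching the bulletin's note that disabling JavaScript does not prevent exploitation; any PDF it flags should be treated as suspect until the embedded Flash has been reviewed, and a real deployment would also need to handle other stream filters and object streams, which this example does not.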



DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:           866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788