MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2009

MA-183.072009: MyCERT Alert - Critical Vulnerability in Adobe Acrobat and Adobe Flash

1.0 Introduction

A critical vulnerability has been identified in Adobe Reader, Adobe Acrobat 9.1.2, Adobe Flash Player 9 and Adobe Flash Player 10. This vulnerability allows remote attackers to execute arbitrary code on vulnerable versions of Adobe Acrobat, Adobe Reader and Adobe Flash Player. User interaction is required, in that a user must visit a malicious web site or open a Portable Document Format (PDF) file that is embedded with a specially crafted Flash (SWF) file. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.

MyCERT is aware that a '0-day' exploit is available in the wild and is actively being used by attackers.

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary code on vulnerable installations of Adobe Acrobat, Adobe Reader and Adobe Flash Player and gain the same privileges as the user. This vulnerability could be exploited to install malware on the user's computer.

3.0 Affected Products

The products listed below are affected by this vulnerability:

  • Adobe Acrobat 9.1.2
  • Adobe Reader 9.1.2
  • Adobe Flash Player 10.0.22.87
  • Adobe Flash Player 9.0.124.0

4.0 Recommendation

At the time of this writing, Adobe has not released any patches to address this vulnerability. However, users are advised to disable Flash support in their web browser and to disable Flash and 3D & Multimedia support in Adobe Reader.

To disable the Adobe Flash Player support in the browser:

  • For Internet Explorer users, download and install the Toggle Flash plugin from http://flash.melameth.com and allow or unblock Flash content only on trusted sites.

  • For Mozilla Firefox users, download and install the FlashBlock plugin from http://flashblock.mozdev.org/ and allow or unblock Flash content only on trusted sites.

To disable Flash and 3D & Multimedia support in Adobe Reader:

  • For Microsoft Windows, delete or rename these files:
    • "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"
    • "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll"

  • For Apple Mac OS X, delete or rename these files:
    • "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle"
    • "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"

  • For GNU/Linux, delete or rename these files (locations may vary among distributions):
    • "/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so"
    • "/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so"
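
The GNU/Linux rename step above can be applied and re-checked with a short script. This is an added example, not code from MyCERT or Adobe; the function names and the `.disabled` suffix are assumptions chosen here, and the default directory is the one listed in this advisory.

```shell
#!/bin/sh
# Added example: apply and verify the GNU/Linux workaround (rename the two libraries).
# Default directory is the one named in the advisory; override it if your distribution differs.
READER_LIB_DIR="${READER_LIB_DIR:-/opt/Adobe/Reader9/Reader/intellinux/lib}"
SUFFIX=".disabled"   # assumption: the advisory only says "delete or rename", the suffix is our choice

# disable_reader_flash DIR: rename libauthplay.so and librt3d.so inside DIR.
# Safe to run repeatedly. Returns 1 if a rename failed, 0 otherwise.
disable_reader_flash() {
    dir="$1"
    rc=0
    for lib in libauthplay.so librt3d.so; do
        src="$dir/$lib"
        dst="$src$SUFFIX"
        if [ -e "$src" ] || [ -L "$src" ]; then
            # A reinstall may have restored the file beside an older renamed copy; overwrite that copy.
            if mv -f -- "$src" "$dst"; then
                echo "renamed: $src -> $dst"
            else
                echo "FAILED: $src (check permissions)" >&2
                rc=1
            fi
        elif [ -e "$dst" ]; then
            echo "already disabled: $dst"
        else
            echo "not present: $src"
        fi
    done
    return "$rc"
}

# check_reader_flash DIR: returns 0 when neither library exists under its original name.
check_reader_flash() {
    dir="$1"
    for lib in libauthplay.so librt3d.so; do
        if [ -e "$dir/$lib" ] || [ -L "$dir/$lib" ]; then
            echo "still enabled: $dir/$lib" >&2
            return 1
        fi
    done
    return 0
}

# Only touches the system when invoked explicitly as: sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    disable_reader_flash "$READER_LIB_DIR" && check_reader_flash "$READER_LIB_DIR"
fi
```

Re-running `check_reader_flash` after any Adobe Reader reinstall or update shows whether the libraries have been restored under their original names.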

Users are also advised to browse the Internet as a least-privileged user to limit the execution of malicious files, and not to open attachments or browse to unknown websites received via email from unknown persons or unexpectedly.

MyCERT generally advises users of this product to keep themselves updated with the latest security announcements by the vendor. If members of the public receive any suspicious URL, SWF or PDF that requires our further analysis, please reach us using the information below:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web : http://www.mycert.org.my

5.0 References