Adobe Acrobat and Adobe Flash Remote Code Execution

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: July 22, 2009
Notification Version: 1.1
   
Name: Adobe Acrobat and Adobe Flash Remote Code Execution
Public disclosure/
In the wild date:

July 21, 2009 0-day exploitation discovered and public vuln disclosure
CVE: CVE-2009-1862
Description:

A vulnerability in Adobe Acrobat, Adobe Reader, and Adobe Flash can result in remote code execution.

This vulnerability was made public upon discovery that it was being exploited in the wild on July 21, 2009.

 

ISS Coverage
Product Content Version
Network Sensor 7.0
Proventia A
Proventia IPS (G/GX)
Server Sensor 7.0
Proventia Multifunction Appliance
Proventia Server (Linux)		 29.060
Proventia Server (Windows)
Proventia Desktop		 2400
Propagation Techniques ISS Protection Available
remote exploit

JavaScript_Obfuscation_Fre

June 9, 2009

See other protection details below.

JavaScript_Obfuscation_Fre triggers on the HTML page of the widespread in-the-wild sample that has been captured by X-Force.  Other protection mechanisms are under investigation.

Detailed Description
Business Impact:

This vulnerability could result in remote code execution if a victim opens a specially-crafted movie.  In some cases, these movies have been seen embedded in an Adobe Acrobat (.pdf) document.  Adobe Acrobat, Adobe Reader, and Adobe Flash are vulnerable and, at the time of publication, had no patch available.  Links to these malicious documents and movies can easily be sent through spam or through links on seemingly non-malicious Web sites.

*CVSS: Base Score: 9.3
  Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Adjusted Temporal Score: 8.8
  Exploitability: High
Remediation Level: Workaround
Report Confidence: Confirmed
Affected Products: For a full list of affected versions, see references below.
Technical Description:

The Adobe Reader, Adobe Acrobat, and Adobe Flash could allow a remote attacker to execute arbitrary code on the system, caused by an error related to the handling of Flash files, including Flash files embedded in PDFs. By persuading a victim to click a malicious Web page or open a malicious file, a remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with the privileges of the victim.

Remediation:

As of the publication of this alert, no patches were available.  Customers can  deploy security products to block exploits.

References
Adobe: http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html
InfoSecBlog: http://www.infosecblog.org/2009/07/flash-zero-day.html
XFDB: http://xforce.iss.net/xforce/xfdb/51954

Revision History
1.0 Initial publication.
1.1 Added CVE and XFDB reference.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Security Systems

IBM Security Systems include an extensive portfolio of hardware, software solutions, professional and managed services offerings covering the spectrum of IT and business security risks: people and identity, data and information, application and process, network, server and endpoint and physical infrastructure, empowering clients to innovate and operate their businesses on the most secure infrastructure platforms. Through world-class solutions that address risk across the enterprise, IBM helps organizations build a strong security posture that helps reduce costs, improve service, and manage risk. IBM X-Force(R) Research and Development is one of the most renowned commercial security research and development groups in the world. For more information on how to address today's biggest risks, please visit us at ibm.com/security.