Executive Summary
Summary | |
---|---|
Title | Adobe Acrobat and Reader contain a use-after-free vulnerability in the JavaScript Doc.media.newPlayer method |
Information | |||
---|---|---|---|
Name | VU#508357 | First vendor Publication | 2009-12-15 |
Vendor | VU-CERT | Last vendor Modification | 2010-06-18 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#508357

Adobe Acrobat and Reader contain a use-after-free vulnerability in the JavaScript Doc.media.newPlayer method

Overview

The Doc.media.newPlayer method in Adobe Acrobat and Reader contains a use-after-free vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Adobe Reader and the Adobe Acrobat family of software are designed to create, view, and edit Portable Document Format (PDF) files. Adobe Reader is widely deployed, and the Acrobat Reader Plug-In displays PDF inside a web browser.

Adobe Reader and Acrobat support JavaScript. The newPlayer() method of the Doc.media object contains a use-after-free vulnerability, which can result in an exploitable memory access violation. This vulnerability is currently being exploited in the wild. Exploit code for this vulnerability is publicly available.

This issue is addressed in Adobe Reader 9.3 and 8.2. Please see Adobe Security Bulletin APSB10-02 for details. Please also consider the following workarounds:
Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00

Preventing PDF documents from opening inside a web browser reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities. To prevent PDF documents from automatically being opened in a web browser with Adobe Reader:
This specific vulnerability can be mitigated by blocking the use of the newPlayer() method through use of the Adobe Reader and Acrobat JavaScript Blacklist Framework. Windows users can obtain a ZIP file of .REG files that disable the newPlayer() method of the Doc.media object. Upon opening a PDF that attempts to use this method, Adobe Reader and Acrobat will warn the user that a JavaScript that the document uses is disabled for security reasons. Mac and Linux users should see the Blacklist Framework document for details about how to implement the workaround.

Systems Affected
References

http://www.adobe.com/support/security/advisories/apsa09-07.html

Thanks to Adobe PSIRT for reporting this vulnerability.

This document was written by Will Dormann.
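For triage alongside the workarounds above, the following added example (not part of the CERT note or any Adobe tooling) flags PDF files that reference the Doc.media.newPlayer method, either in plain text or inside zlib (FlateDecode) compressed streams, which a plain string search misses. The function names and the sample inputs are constructed for illustration.

```python
import re
import zlib

# Token from the advisory: the Doc.media.newPlayer JavaScript method.
TOKEN = re.compile(rb"media\s*\.\s*newPlayer", re.IGNORECASE)
# Raw bytes between the PDF "stream" and "endstream" keywords.
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def inflate(data: bytes) -> bytes:
    """Best-effort zlib inflate; returns b"" when data is not a zlib stream."""
    try:
        # decompressobj tolerates a truncated tail, unlike zlib.decompress.
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""


def find_newplayer(pdf: bytes) -> list[str]:
    """Return where the token appears: 'raw' and/or 'stream N (inflated)'."""
    hits = []
    if TOKEN.search(pdf):
        hits.append("raw")
    for n, m in enumerate(STREAM.finditer(pdf)):
        if TOKEN.search(inflate(m.group(1))):
            hits.append(f"stream {n} (inflated)")
    return hits


def make_sample(js: bytes, compress: bool) -> bytes:
    """Constructed PDF-like bytes for the demo (a bare reference, not a full PDF)."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< " + filt + b"/Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    samples = {  # constructed sample inputs
        "plain-js.pdf": make_sample(b"var f = this.media.newPlayer;", False),
        "flate-js.pdf": make_sample(b"var f = this.media.newPlayer;", True),
        "benign.pdf": make_sample(b"app.alert('hello');", True),
    }
    for name, data in samples.items():
        print(name, find_newplayer(data) or "no reference found")
```

A match is a triage signal, not proof of exploitation; streams that use other filters or obfuscated JavaScript are not decoded here.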
Original Source
Url : http://www.kb.cert.org/vuls/id/508357 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-416 | Use After Free |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:21374 | |||
Oval ID: | oval:org.mitre.oval:def:21374 | ||
Title: | RHSA-2010:0037: acroread security and bug fix update (Critical) | ||
Description: | Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0037-01 CVE-2009-3953 CVE-2009-3954 CVE-2009-3955 CVE-2009-3956 CVE-2009-3959 CVE-2009-4324 | Version: | 81 |
Platform(s): | Red Hat Enterprise Linux 5 | Product(s): | acroread |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22917 | |||
Oval ID: | oval:org.mitre.oval:def:22917 | ||
Title: | ELSA-2010:0037: acroread security and bug fix update (Critical) | ||
Description: | Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0037-01 CVE-2009-3953 CVE-2009-3954 CVE-2009-3955 CVE-2009-3956 CVE-2009-3959 CVE-2009-4324 | Version: | 29 |
Platform(s): | Oracle Linux 5 | Product(s): | acroread |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:6795 | |||
Oval ID: | oval:org.mitre.oval:def:6795 | ||
Title: | Adobe Reader and Acrobat Unspecified Code Execution Vulnerability | ||
Description: | Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-4324 | Version: | 16 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows 7 | Product(s): | Adobe Reader Adobe Acrobat |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
SAINT Exploits
Description | Link |
---|---|
Adobe Reader media.newPlayer Use-After-Free Code Execution | More info here |
ExploitDB Exploits
id | Description |
---|---|
2009-12-23 | Adobe Reader and Acrobat (CVE-2009-4324) Exploit |
OpenVAS Exploits
Date | Description |
---|---|
2011-03-09 | Name : Gentoo Security Advisory GLSA 201009-05 (acroread) File : nvt/glsa_201009_05.nasl |
2010-01-29 | Name : SuSE Update for acroread SUSE-SA:2010:008 File : nvt/gb_suse_2010_008.nasl |
2010-01-16 | Name : Adobe Reader/Acrobat Multiple Vulnerabilities - Jan10 (Win) File : nvt/gb_adobe_prdts_mult_vuln_jan10_win.nasl |
2010-01-16 | Name : Adobe Reader Multiple Vulnerabilities -jan10 (Linux) File : nvt/gb_adobe_reader_mult_vuln_jan10_lin.nasl |
2009-12-21 | Name : Adobe Reader Multimeda Doc.media.newPlayer Code Execution Vulnerability (Linux) File : nvt/gb_adobe_prdts_media_obj_remote_code_exec_vuln_dec09_lin.nasl |
2009-12-21 | Name : Adobe Reader/Acrobat Multimedia Doc.media.newPlayer Code Execution Vulnerabil... File : nvt/gb_adobe_prdts_media_obj_remote_code_exec_vuln_dec09_win.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
60980 | Adobe Reader / Acrobat Doc.media.newPlayer Use-After-Free Arbitrary Code Exec... Acrobat and Reader contain a flaw that may allow an attacker to execute arbitrary code. The issue is triggered by a use-after-free condition in Doc.media.newPlayer when parsing a specially crafted PDF file. |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28743 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28742 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28741 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28740 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28739 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28738 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28737 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28736 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28735 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28734 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28733 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28732 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28731 - Revision : 6 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28730 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28729 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 28728 - Revision : 6 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt RuleID : 28454 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 23506 - Revision : 5 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt RuleID : 23505 - Revision : 6 - Type : FILE-PDF |
2014-01-10 | Phoenix exploit kit post-compromise behavior RuleID : 21860 - Revision : 5 - Type : MALWARE-CNC |
2014-01-10 | Phoenix exploit kit landing page RuleID : 21640 - Revision : 6 - Type : EXPLOIT-KIT |
2014-01-10 | Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt RuleID : 16334 - Revision : 18 - Type : FILE-PDF |
2014-01-10 | Adobe Acrobat Reader media.newPlayer memory corruption attempt RuleID : 16333 - Revision : 18 - Type : FILE-PDF |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0037.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0038.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2010-0060.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_acroread-6802.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_acroread-6803.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_acroread_ja-6804.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_acroread_ja-6805.nasl - Type : ACT_GATHER_INFO |
2010-09-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201009-05.nasl - Type : ACT_GATHER_INFO |
2010-02-02 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_acroread_ja-100128.nasl - Type : ACT_GATHER_INFO |
2010-01-25 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_acroread-100122.nasl - Type : ACT_GATHER_INFO |
2010-01-25 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_acroread-100122.nasl - Type : ACT_GATHER_INFO |
2010-01-25 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_acroread-100122.nasl - Type : ACT_GATHER_INFO |
2010-01-25 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_acroread-100122.nasl - Type : ACT_GATHER_INFO |
2010-01-13 | Name : The version of Adobe Acrobat on the remote Windows host is affected by multip... File : adobe_acrobat_apsb10-02.nasl - Type : ACT_GATHER_INFO |
2010-01-13 | Name : The PDF file viewer on the remote Windows host is affected by multiple vulner... File : adobe_reader_apsb10-02.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 12:07:54 |
|