Security Advisory: New Critical Zero Day Vulnerability in Adobe Reader and Flash Player
July 24, 2009
A critical vulnerability exists in the current versions of Flash Player for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. This vulnerability is being actively exploited in the wild via targeted attacks against Adobe Reader 9 on Windows.
The exploit arrives as a PDF file embedded with Flash objects and malicious binary files. The Flash object contains shellcode that allocates a large number of heap blocks in the system’s memory.
The exploit uses a technique known as heap spraying. Once a user opens a specially crafted PDF file, two binary executables are dropped and executed on the system. The .PDF file is detected by Trend Micro as TROJ_PIDIEF.ANQ or TROJ_PIDIEF.ANP while the dropped files are detected as BKDR_AGENT.YTET or BKDR_AGENT.XTET and TROJ_AGENT.AXWS or TROJ_AGENT.IAAK.
Adobe has not yet provided patches for the vulnerability, but expects to provide an update for Flash Player 9 and 10 by July 30 and for Reader and Acrobat by July 31. Users are advised to exercise extreme caution when viewing .PDF files and to make sure they are using the latest versions of security software.
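A defender-side triage check for the delivery format described above (a PDF carrying an embedded Flash object), added here as an example and not taken from Trend Micro or Adobe: it walks the PDF's stream objects, inflates /FlateDecode streams, and flags any whose content begins with a SWF header. The function names and the sample bytes are assumptions made for illustration.

```python
# Added example: helper names and sample bytes are illustrative, not from the advisory.
import re
import struct
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)

def looks_like_swf(data):
    """SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        return False
    version, length = data[3], struct.unpack_from("<I", data, 4)[0]
    return 1 <= version <= 50 and length >= 8  # plausibility bounds are a heuristic

def inflate(data):
    try:  # decompressobj tolerates truncated or trailing bytes
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""

def find_embedded_flash(pdf_bytes):
    """Return (object number, SWF signature, SWF version) per Flash-bearing stream."""
    hits = []
    for m in OBJ_RE.finditer(pdf_bytes):
        obj_num, body = int(m.group(1)), m.group(3)
        s = STREAM_RE.search(body)
        if not s:
            continue
        header, data = body[:s.start()], s.group(1)
        if b"/FlateDecode" in header:
            data = inflate(data)
        if looks_like_swf(data):
            hits.append((obj_num, data[:3].decode("ascii"), data[3]))
    return hits

def _obj(num, dictionary, stream=None):
    out = b"%d 0 obj\n<<%s>>\n" % (num, dictionary)
    if stream is not None:
        out += b"stream\n" + stream + b"\nendstream\n"
    return out + b"endobj\n"

# Constructed, harmless sample: header-only fake SWF data, no real Flash content.
_FWS = b"FWS" + bytes([9]) + struct.pack("<I", 16) + b"\x00" * 8
_CWS = b"CWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 8
SAMPLE_PDF = (b"%PDF-1.7\n" + _obj(1, b" /Type /Catalog ")
              + _obj(2, b" /Length 26 ", b"BT /F1 12 Tf (hello) Tj ET")
              + _obj(3, b" /Filter /FlateDecode ", zlib.compress(_FWS))
              + _obj(4, b" /Length 16 ", _CWS))
```

Streams that use other filters, object streams or encryption are not decoded by this check, so an empty result does not mean a file is free of Flash content.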
Affected Software
Adobe Reader 9.1.2
Adobe Acrobat 9
Adobe Flash Player 9
Adobe Flash Player 10
Recommended Actions
Make sure your Trend Micro security products are current (OPR 6.307.00 or higher). Trend Micro™ Smart Protection Network™ proactively blocks websites associated with this exploit via Web reputation technology and file reputation, which provides additional protection by detecting malware files before they are downloaded.
Trend Recommends
- Home & Home Office Products: Trend Micro Internet Security
- Small Business Products: Worry-Free Business Security Standard/Advanced and Hosted
- Medium Business/Enterprise: OfficeScan Client Server Edition
