National Cyber Alert System
Technical Cyber Security Alert TA09-204A
Adobe Flash Vulnerability Affects Flash Player and Other Adobe Products
Original release date: July 23, 2009
Last revised: --

 * Adobe Flash Player 10.0.22.87 and earlier 10.x versions
 * Adobe Flash Player 220.127.116.11 and earlier 9.x versions
 * Adobe Reader and Acrobat 9.1.2 and earlier 9.x versions

Adobe has released Security Advisory APSA09-03, which describes a
vulnerability affecting Adobe Flash. Other Adobe applications that
include the Flash runtime, such as Adobe Reader 9, are also

Adobe Security Advisory APSA09-03 describes a vulnerability
affecting the Adobe Flash Player. Flash Player version 10.0.22.87
and earlier 10.x versions as well as Flash Player version 18.104.22.168
and earlier 9.x versions are affected.

An attacker could exploit this vulnerability by convincing a user
to visit a website that hosts a specially crafted SWF file. The
Adobe Flash browser plugin is available for multiple web browsers
and operating systems, any of which could be affected. An attacker
could also create a PDF document that has an embedded SWF file to
exploit the vulnerability.

This vulnerability is being actively exploited.

This vulnerability allows a remote attacker to execute arbitrary
code as the result of a user viewing a web page or opening a PDF

These vulnerabilities can be mitigated by disabling the Flash
plugin or by using the NoScript extension for Mozilla Firefox or
SeaMonkey to whitelist websites that can access the Flash plugin.
For more information about securely configuring web browsers,
please see the Securing Your Web Browser document. US-CERT
Vulnerability Note VU#259425 has additional details, as well as
information about mitigating the PDF document attack vector.
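
A defender-side triage check for the PDF vector described above, added here as an example and not taken from the US-CERT alert or from Adobe: it flags PDF files that carry Flash content by looking for Flash-related name markers and for stream bodies that begin with a SWF signature. The marker list, function names and sample inputs are assumptions constructed for this example.

```python
import re
import zlib

SWF_MAGIC = (b"FWS", b"CWS")  # uncompressed / zlib-compressed SWF signatures
# Heuristic name/MIME markers for Flash content in a PDF (assumption of this example).
FLASH_MARKERS = (b"/RichMedia", b"/Flash", b"application/x-shockwave-flash")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def inflate(data):
    """Flate-decode a stream body; return it unchanged if it is not zlib data."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return data


def looks_like_swf(data):
    """SWF signature followed by a plausible version byte."""
    return len(data) >= 8 and data[:3] in SWF_MAGIC and 1 <= data[3] <= 50


def scan_pdf(pdf_bytes):
    """Report Flash markers and the number of streams whose body is a SWF file."""
    markers = [m.decode() for m in FLASH_MARKERS if m in pdf_bytes]
    swf_streams = sum(
        1 for m in STREAM_RE.finditer(pdf_bytes)
        if looks_like_swf(m.group(1)) or looks_like_swf(inflate(m.group(1)))
    )
    return {"markers": markers, "swf_streams": swf_streams,
            "suspicious": bool(markers or swf_streams)}


def make_sample(body, compress=True):
    """Constructed one-stream PDF skeleton for the demo; not a real document."""
    data = zlib.compress(body) if compress else body
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n1 0 obj\n<< " + filt + b"/Length " + str(len(data)).encode()
            + b" >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")


# Constructed inputs: an inert 8-byte SWF header plus padding, and plain page text.
FAKE_SWF = b"FWS" + bytes([9]) + (24).to_bytes(4, "little") + b"\x00" * 16
WITH_SWF = make_sample(FAKE_SWF)
PLAIN = make_sample(b"BT /F1 12 Tf (hello) Tj ET")

if __name__ == "__main__":
    for name, sample in (("with_swf", WITH_SWF), ("plain", PLAIN)):
        print(name, scan_pdf(sample))
```

Streams using other filters, object streams and encrypted documents are not decoded, so an empty result does not show that a file contains no Flash content.
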

Thanks to Department of Defense Cyber Crime Center/DCISE for
information used in this document.

 * Vulnerability Note VU#259425 -
 * Security advisory for Adobe Reader, Acrobat and Flash Player -
 * Securing Your Web Browser -
 * NoScript - <https://addons.mozilla.org/addon/722>

The most recent version of this document can be found at:

Feedback can be directed to US-CERT Technical Staff. Please send
email to <ce...@cert.org> with "TA09-204A Feedback VU#259425" in

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

Produced 2009 by US-CERT, a government organization.

July 23, 2009: Initial release