CVE-2009-1862 — Adobe Acrobat and Reader, Flash Player Unspecified Vulnerability

CVE-2009-1862

Adobe Flash Player / Acrobat and Reader — Flash Memory Corruption Enables Code Execution via PDF with Embedded Flash Content

What are Adobe Flash Player and Acrobat/Reader?

Adobe Flash Player was a browser plugin and runtime for executing SWF-format multimedia content (animations, games, video and interactive applications) that was present in almost every desktop browser through the mid-2010s. After years of critical vulnerabilities Adobe ended support for Flash Player on 31 December 2020. The intersection of Flash and PDF created a distinct attack surface: the PDF format allows SWF content to be embedded in a document, and Acrobat/Reader 9 shipped its own copy of the Flash runtime to render it. A flaw in that runtime could therefore be reached through a malicious PDF opened in Reader as well as through a malicious SWF loaded in a browser, giving two delivery paths for one underlying bug.

Overview

CVE-2009-1862 is a high-severity vulnerability (CWE-787, NVD CVSS 3.1 base score 7.8) affecting both Adobe Flash Player and Adobe Acrobat/Reader. A memory corruption flaw in the Flash runtime's SWF processing allowed remote attackers to execute arbitrary code or cause a denial of service; Adobe did not publish root-cause details, which is why NVD titles it an "unspecified" vulnerability. Because the same runtime is used by the browser plugin and by the PDF-embedded Flash player in Reader/Acrobat, a single fix had to ship for three products. NVD records the flaw as exploited in the wild in July 2009, and Adobe fixed it that month in security bulletin APSB09-10, which covered Flash Player, Reader and Acrobat. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in June 2022.

Affected Versions

Product                                 | Status   | Fixed version
Adobe Flash Player 9.x before 9.0.246.0  | Affected | Upgrade to 9.0.246.0
Adobe Flash Player 10.x before 10.0.32.18 | Affected | Upgrade to 10.0.32.18
Adobe Reader 9.x before 9.1.3            | Affected | Upgrade to 9.1.3
Adobe Acrobat 9.x before 9.1.3           | Affected | Upgrade to 9.1.3

Note: Adobe Flash Player reached end-of-life in December 2020 and should be fully removed from all systems. Adobe Reader 9, X and XI are also end-of-life; only Acrobat Reader DC (now simply Acrobat Reader) still receives security updates.

Technical Details

The vulnerability (classified by NVD as CWE-787: Out-of-Bounds Write) is in the Flash runtime's SWF content processing. SWF is a binary container of tagged records carrying shapes, ActionScript bytecode, video streams and other assets; in the vulnerable code path, a specially crafted SWF causes a write past the end of an allocated buffer. Adobe never published the exact record type or parser involved. NVD's description ties the flaw to authplay.dll, the Flash runtime component that Reader and Acrobat 9 bundle to play embedded SWF, which is why a Flash bug is also a Reader bug.

The two delivery paths to the same vulnerable code:

  1. Via the browser Flash plugin: a web page embeds a malicious SWF; the browser's Flash plugin parses it and triggers the out-of-bounds write.
  2. Via a PDF with embedded Flash: a malicious PDF carries the SWF (in Acrobat 9 terms, a RichMedia annotation with an embedded file stream); when the PDF is opened in Acrobat/Reader, the bundled Flash runtime parses the SWF and triggers the same write.

Both paths produce the same memory corruption, which can be turned into code execution with the privileges of the browser or Reader process. In 2009 that typically meant an ActionScript heap spray to place shellcode at a predictable address, a technique that Flash made convenient because the attacker controls script execution inside the same process that is being corrupted. A failed or unreliable exploit attempt crashes the process instead, which is the denial-of-service outcome NVD lists.

Discovery

The flaw was found being exploited in targeted attacks before a fix existed; NVD records it as "exploited in the wild in July 2009". Adobe published security advisory APSA09-03 on 22 July 2009 acknowledging the issue and then shipped the fixes in APSB09-10 as an out-of-band update at the end of that month. Because the vulnerable runtime is shared, Adobe had to coordinate releases for Flash Player 9 and 10 and for Reader and Acrobat 9 at the same time.

Exploitation Context

Flash vulnerabilities had some of the broadest reach of any desktop exploit category in 2009:

  • Near-universal browser presence: Adobe's own penetration figures put Flash Player on roughly 99% of internet-connected desktops in 2009, so a Flash exploit applied to almost every visitor regardless of browser or operating system.
  • Drive-by downloads: malicious Flash content on compromised websites, including legitimate sites carrying injected ads or content, could exploit visitors' browsers with no interaction beyond loading the page.
  • Dual delivery path: being able to exploit via the browser plugin or via a PDF gave attackers redundancy. If Flash was disabled in the browser, a PDF attachment opened in Reader 9 still reached the same vulnerable runtime.
  • Targeted attacks: the emergency APSB09-10 release followed confirmed in-the-wild exploitation against specific organizations; the targets and the attackers were not publicly identified.
  • Persistence in legacy environments: Flash content and the old runtimes lingered in enterprise environments well after the 2020 end-of-life, particularly in legacy business applications and industrial systems.

Remediation

  1. Remove Adobe Flash Player immediately: Flash Player is end-of-life (December 2020) and receives no security support. Uninstall it from all systems; Microsoft has shipped Windows updates that remove the bundled Flash components, and the stand-alone plugin should be uninstalled separately.
  2. Update Adobe Reader/Acrobat: if Reader or Acrobat is in use, upgrade to at least 9.1.3 (the version that contains this fix) or, preferably, to current Acrobat Reader DC. Adobe's 2009 advisory also offered an interim workaround of deleting or renaming authplay.dll in the Reader/Acrobat 9 installation directory, which disables embedded Flash entirely at the cost of breaking RichMedia content; it remains a useful emergency measure for any legacy Reader 9 install that cannot be upgraded at once.
  3. Disable Flash in all browsers: if Flash cannot be removed immediately, disable the plugin in every browser and configure browsers never to load Flash content.
  4. Block SWF content at the perimeter: configure web proxies and email gateways to block Flash. Match on content (the FWS/CWS/ZWS SWF signature and PDF RichMedia objects), not only on the .swf extension, because the SWF inside a PDF never appears as a .swf attachment.
  5. Replace Flash-dependent applications: identify any business applications that still require Flash and migrate them to modern equivalents.
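The content-based check behind remediation step 4 and the two delivery paths described under Technical Details, as an added example that is not part of this page or of Adobe's or CISA's tooling: a small scanner that recognises a stand-alone SWF by its signature and recognises Flash carried inside a PDF by RichMedia/Flash tokens and by inflating FlateDecode stream objects to look for a SWF header. The minimal SWF and the simplified PDF wrapper it scans are constructed in the script so that it runs offline; the PDF is not a renderable document, and the plausibility thresholds (version byte 1..50, length sanity checks) are assumptions chosen for this example.

```python
"""Flag Flash content at a gateway: a stand-alone SWF or a SWF inside a PDF.
Added example; not Adobe's or CISA's code. Sample inputs are constructed inline."""
import re
import struct
import zlib

# A SWF begins with a 3-byte signature, a version byte and a little-endian
# uncompressed length; CWS/ZWS bodies are zlib/LZMA compressed after the header.
SWF_KINDS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}

# Markers of Flash inside a PDF. Acrobat 9 attaches SWF through RichMedia
# annotations; the SWF sits in an embedded-file stream that is usually
# FlateDecode-compressed, so the FWS/CWS magic is invisible in the raw bytes.
PDF_FLASH_TOKENS = (
    ("RichMedia annotation", re.compile(rb"/Subtype\s*/RichMedia\b")),
    ("Flash-typed object", re.compile(rb"/Subtype\s*/Flash\b")),
    ("filename .swf", re.compile(rb"/F\s*\([^)]*\.swf\)", re.IGNORECASE)),
)

# Stream objects: the dictionary between "obj" and "stream" (never crossing an
# "endobj") and the raw stream bytes up to "endstream".
PDF_STREAM = re.compile(
    rb"obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def find_swf_headers(data):
    """Return (offset, kind, version, declared_len) for each plausible SWF header."""
    hits = []
    for m in re.finditer(rb"[FCZ]WS", data):
        off, sig = m.start(), m.group()
        if off + 8 > len(data):
            continue
        version = data[off + 3]
        declared_len = struct.unpack_from("<I", data, off + 4)[0]
        # Plausibility filters (assumed thresholds) so the text "FWS" is not a hit.
        if not (1 <= version <= 50 and declared_len >= 8):
            continue
        if sig == b"FWS" and declared_len > len(data) - off:
            continue  # uncompressed length cannot exceed the remaining bytes
        if sig == b"CWS":
            d = zlib.decompressobj()
            try:
                body = d.decompress(data[off + 8:])
            except zlib.error:
                continue
            if not d.eof or len(body) + 8 != declared_len:
                continue  # zlib body must end cleanly and match the declared length
        if sig == b"ZWS":
            if off + 12 > len(data):
                continue
            compressed_len = struct.unpack_from("<I", data, off + 8)[0]
            if compressed_len > len(data) - off - 12:
                continue  # LZMA payload cannot be larger than what follows
        hits.append((off, SWF_KINDS[sig], version, declared_len))
    return hits


def pdf_flash_indicators(data):
    """Return (token labels, SWF headers found inside stream objects) for a PDF."""
    tokens = [label for label, pat in PDF_FLASH_TOKENS if pat.search(data)]
    embedded = []
    for m in PDF_STREAM.finditer(data):
        dictionary, raw = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or multi-filter stream: skip rather than crash
        embedded.extend(find_swf_headers(raw))
    return tokens, embedded


def classify(data):
    """Verdict for one file: container type, evidence, and whether to block it."""
    if data.startswith(b"%PDF-"):
        tokens, embedded = pdf_flash_indicators(data)
        return {"container": "pdf", "flash_tokens": tokens,
                "swf_headers": embedded, "block": bool(tokens or embedded)}
    headers = find_swf_headers(data)
    standalone = bool(headers) and headers[0][0] == 0
    return {"container": "swf" if standalone else "other", "flash_tokens": [],
            "swf_headers": headers, "block": bool(headers)}


def make_sample_swf(compressed=True):
    """Constructed minimal SWF v10: RECT for a 550x400 px stage, 12 fps, 1 frame, End tag."""
    body = bytes([0x78, 0x00, 0x05, 0x5F, 0x00, 0x00, 0x0F, 0xA0, 0x00,
                  0x00, 0x0C, 0x01, 0x00, 0x00, 0x00])
    sig = b"CWS" if compressed else b"FWS"
    return sig + bytes([10]) + struct.pack("<I", 8 + len(body)) + (
        zlib.compress(body) if compressed else body)


def make_sample_pdf(swf):
    """Constructed, simplified PDF: RichMedia annotation plus a FlateDecode
    embedded-file stream holding the SWF. Not a renderable document."""
    deflated = zlib.compress(swf)
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Annot /Subtype /RichMedia /RichMediaContent 3 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
            + str(len(deflated)).encode() + b" >>\nstream\n" + deflated + b"\nendstream\nendobj\n"
            b"3 0 obj\n<< /Type /Filespec /F (movie.swf) /EF << /F 2 0 R >> >>\nendobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    for label, blob in (("standalone CWS", make_sample_swf()),
                        ("PDF with embedded SWF", make_sample_pdf(make_sample_swf())),
                        ("plain text", b"Plain text where FWS appears as an acronym")):
        print(label, classify(blob))
```

The PDF branch deliberately reports two independent kinds of evidence: the RichMedia/Flash tokens, which survive even when the embedded stream uses a filter the scanner cannot inflate, and the inflated SWF header, which catches a SWF hidden in a stream whose dictionary has been stripped of the usual tokens. Either one is enough to block at a gateway that has decided Flash content should not reach users; a production deployment would also need to handle object streams, multiple filters and encrypted PDFs, none of which this example attempts.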

Key Details

Property            | Value
CVE ID              | CVE-2009-1862
Vendor / Product    | Adobe: Acrobat and Reader, Flash Player
NVD Published       | 2009-07-23
NVD Last Modified   | 2025-10-22
CVSS 3.1 Score      | 7.8
CVSS 3.1 Vector     | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity            | HIGH
CWE                 | CWE-787
CISA KEV Added      | 2022-06-08
CISA KEV Deadline   | 2022-06-22
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 deadline: 2022-06-22. For Adobe Acrobat and Reader, apply updates per vendor instructions. For Adobe Flash Player, the affected product is end-of-life; CISA's direction is to disconnect it if it is still in use, which in practice means uninstalling the runtime rather than merely disabling it.

Timeline

Date       | Event
2009-07-22 | Adobe published security advisory APSA09-03 acknowledging the vulnerability and its exploitation in the wild
2009-07-23 | CVE-2009-1862 published by NVD; the flaw affecting both Flash Player and Acrobat/Reader is publicly disclosed
2009-07-30 | Adobe released APSB09-10 with Flash Player 9.0.246.0 and 10.0.32.18; Reader and Acrobat 9.1.3 followed the next day under the same bulletin
2022-06-08 | CISA added CVE-2009-1862 to the KEV catalog alongside other legacy Adobe vulnerabilities
2022-06-22 | CISA BOD 22-01 remediation deadline

References

Resource                          | Type
NVD: CVE-2009-1862                | Vulnerability Database
CISA KEV Catalog Entry            | US Government
Adobe Security Bulletin APSB09-10 | Vendor Advisory