CVE-2009-4324 — Adobe Acrobat and Reader Use-After-Free Vulnerability

Adobe Acrobat and Reader — newPlayer() JavaScript Method Use-After-Free Zero-Day Enables Code Execution via Malicious PDF

What is Adobe Acrobat and Reader?

Adobe Acrobat and Adobe Reader are the dominant applications for creating and viewing PDF files. Reader's embedded JavaScript engine — implementing the PDF JavaScript API — is a rich scripting environment for interactive forms and dynamic documents. The PDF JavaScript API includes the Doc.media namespace for media-related operations, with methods like newPlayer() for managing media playback objects. These JavaScript API methods, implemented in C++ within the Reader codebase, proved particularly vulnerable to memory management errors — especially use-after-free vulnerabilities where JavaScript object lifecycle management led to freed memory being accessed via dangling references.

Overview

CVE-2009-4324 is a high-severity use-after-free vulnerability (CWE-416, CVSS 7.8) in Adobe Acrobat and Reader. The Doc.media.newPlayer() JavaScript method contains a use-after-free condition that allows arbitrary code execution when a malicious PDF is opened. This was a zero-day vulnerability — actively exploited in targeted attacks before Adobe issued any patch. Adobe first issued a workaround advisory on December 14, 2009 (recommending disabling JavaScript), then released an emergency out-of-band patch (APSB09-15) in January 2010. A Metasploit module was published within days of disclosure, making exploitation accessible to a broad range of attackers. CISA added the vulnerability to its KEV catalog in June 2022.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| Adobe Reader 9.x before 9.3 | Affected | Upgrade to 9.3 |
| Adobe Reader 8.x before 8.2 | Affected | Upgrade to 8.2 |
| Adobe Reader 7.x | Affected | Upgrade to 9.3 or 8.2 |
| Adobe Acrobat 9.x before 9.3 | Affected | Upgrade to 9.3 |
| Adobe Acrobat 8.x before 8.2 | Affected | Upgrade to 8.2 |

Technical Details

The vulnerability (CWE-416: Use After Free) exists in the Doc.media.newPlayer() JavaScript method in Adobe Reader and Acrobat's JavaScript engine implementation.

The use-after-free condition occurs through JavaScript object lifecycle manipulation:

  1. A JavaScript routine in a malicious PDF creates a media player object via Doc.media.newPlayer()
  2. The JavaScript deletes or triggers garbage collection of the object, causing its underlying C++ object to be freed
  3. A dangling reference to the freed object remains in the JavaScript engine
  4. When the JavaScript subsequently invokes a method or accesses a property through the dangling reference, the freed memory is accessed
  5. An attacker who controls the heap (via heap spraying with carefully structured data) can reclaim the freed memory with attacker-controlled content
  6. When the dangling reference is dereferenced, execution transfers to attacker-controlled code

The zero-day nature of this vulnerability meant that at the time of initial exploitation (early December 2009), no patch existed — all Adobe Reader installations were vulnerable to malicious PDFs exploiting this flaw.
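
For defenders, the sequence above starts with JavaScript embedded in the PDF that references newPlayer. The following added example (not part of the original page or any Adobe tooling) statically triages PDF bytes for that, decoding #xx name escapes and FlateDecode streams. The function names, verdict labels and sample documents are constructed for illustration.

```python
import re
import zlib

# PDF name tokens can hide characters as #xx hex escapes, e.g. /J#61vaScript.
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Names that carry script or run an action automatically when the file opens.
ACTIVE_NAME = re.compile(rb"/(JavaScript|JS|OpenAction|AA)\b")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
NEWPLAYER = re.compile(rb"\bnewPlayer\b")


def inflate_streams(data: bytes) -> list:
    """Return the contents of every stream that is valid zlib (FlateDecode)."""
    out = []
    for match in STREAM.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes before 'endstream'.
            out.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            pass  # not Flate-compressed; the raw scan below still covers it
    return out


def triage_pdf(data: bytes) -> dict:
    """Classify a PDF as 'clean', 'javascript' or 'newplayer' without opening it."""
    names = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    found = sorted({m.group(1).decode() for m in ACTIVE_NAME.finditer(names)})
    bodies = [data] + inflate_streams(data)
    if any(NEWPLAYER.search(body) for body in bodies):
        verdict = "newplayer"    # references the method named in CVE-2009-4324
    elif {"JavaScript", "JS"} & set(found):
        verdict = "javascript"   # script present; the call may be obfuscated
    else:
        verdict = "clean"
    return {"verdict": verdict, "names": found}


# Constructed samples (not real malware): harmless scripts in PDF fragments.
SCRIPT = zlib.compress(b"var p = this.media.newPlayer(settings);")
SAMPLE_NEWPLAYER = (
    b"%PDF-1.6\n1 0 obj << /OpenAction << /S /J#61vaScript /JS 2 0 R >> >> endobj\n"
    b"2 0 obj << /Filter /FlateDecode >>\nstream\n" + SCRIPT + b"\nendstream endobj\n"
)
SAMPLE_JS_ONLY = b"%PDF-1.6\n1 0 obj << /S /JavaScript /JS (var x = 1;) >> endobj\n"
SAMPLE_PLAIN = b"%PDF-1.6\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
```

A "javascript" verdict is still worth quarantining where JavaScript is disabled by policy, because string building or eval inside the script can hide the method name from static matching.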

Discovery

The vulnerability was discovered and exploited in the wild before any disclosure or patch. The December 2009 zero-day wave was significant: Adobe became aware of exploitation in the first two weeks of December, issued a workaround advisory on December 14 (recommending disabling JavaScript, an impactful workaround for a production tool), and rushed out an out-of-band emergency patch on January 12, 2010. The public release of a Metasploit module on December 18, 2009, four days after Adobe's advisory, dramatically expanded the pool of potential attackers from sophisticated targeted actors to anyone using the Metasploit Framework.

Exploitation Context

CVE-2009-4324 was one of the most widely exploited Adobe Reader vulnerabilities of its era:

  • Zero-day timing: The vulnerability was being used in targeted attacks for some weeks before Adobe learned of it. During this window, sophisticated attackers had exclusive access to a weaponized exploit for one of the world's most widely installed applications.
  • Metasploit acceleration: The rapid public Metasploit module release meant that within days of Adobe's advisory, exploitation capability was available to script-level attackers — creating a surge of exploitation attempts against unpatched installations.
  • Targeted espionage: The initial exploitation before the Metasploit release targeted specific organizations — consistent with state-sponsored espionage campaigns that typically had access to zero-day exploit code before public disclosure.
  • Drive-by and spear phishing: Once publicly known, the vulnerability was incorporated into drive-by download campaigns (via browser-embedded PDFs) and spear phishing campaigns (malicious PDF email attachments) at large scale.
  • JavaScript workaround effectiveness: Adobe's recommended workaround — disabling JavaScript in Reader — was highly effective because it prevented the entire class of JavaScript-based PDF exploits, not just this specific vulnerability. Security-conscious administrators implemented this workaround as a long-term measure.

Remediation

  1. Apply APSB09-15: Upgrade Adobe Reader and Acrobat to version 9.3 or 8.2 as specified in the security bulletin.
  2. Upgrade to current Adobe Reader: Reader 9.x and 8.x are long past end-of-life. Install Adobe Acrobat Reader DC for ongoing security support.
  3. Disable JavaScript in Adobe Reader: Edit > Preferences > JavaScript, then uncheck "Enable Acrobat JavaScript." This blocks exploitation of this use-after-free and all other JavaScript-based PDF exploits. Implement as a permanent policy for organizational deployments.
  4. Use browser-native PDF rendering: Chrome, Firefox, and Edge include built-in PDF renderers that do not use Adobe's code, eliminating this entire vulnerability class for browser-based PDF viewing.
  5. Disable the Reader browser plugin: Remove or disable the Acrobat/Reader NPAPI/ActiveX browser plugin to prevent drive-by exploitation via browser-embedded PDFs.

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2009-4324 |
| Vendor / Product | Adobe — Acrobat and Reader |
| NVD Published | 2009-12-15 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 |
| CISA KEV Added | 2022-06-08 |
| CISA KEV Deadline | 2022-06-22 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-06-22. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2009-12-01 | Active exploitation of Adobe Reader newPlayer() zero-day begins; malicious PDFs circulate before any patch |
| 2009-12-14 | Adobe issues security advisory APSA09-07 acknowledging active exploitation; recommends disabling JavaScript in Reader as workaround |
| 2009-12-15 | CVE-2009-4324 published |
| 2009-12-18 | Metasploit module released for CVE-2009-4324, significantly expanding exploitation capability |
| 2010-01-12 | Adobe released out-of-band Security Bulletin APSB09-15 patching Acrobat and Reader |
| 2022-06-08 | CISA added CVE-2009-4324 to KEV alongside other legacy Adobe Reader vulnerabilities |
| 2022-06-22 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| NVD — CVE-2009-4324 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Adobe Security Bulletin APSB09-15 | Vendor Advisory |