Planned Fix

CVE-2009-4324

Adobe Reader/Acrobat media.newPlayer use-after-free RCE

Summary

A crafted PDF can trigger a use-after-free flaw in Adobe Reader and Acrobat's media.newPlayer JavaScript path. The attacker needs a victim to open the malicious document so the embedded JavaScript runs and reuses freed memory in a controlled way. Successful exploitation can lead to arbitrary code execution in the user's security context.

Why Planned Fix?

4/6
No authentication required
Internal deployment
User interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: Yes
Impact

Execute arbitrary code as the logged-in user

RCE (Remote Code Execution)
Exploitation Requirements
  • Victim opens malicious PDF
  • JavaScript enabled
  • Vulnerable Adobe Reader/Acrobat version
Exploitation Process

An attacker crafts a malicious PDF containing JavaScript that calls the media.newPlayer method with a null or otherwise malformed argument. The document is typically delivered by email or web download and relies on the victim opening it in a vulnerable Adobe Reader/Acrobat version. When parsing the script and multimedia object, the application frees an object and later reuses that memory, allowing the attacker to shape the heap and redirect execution to attacker-controlled code.

Detection Resources
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Adobe
Product | Affected Versions
Adobe Reader | 9.x before 9.3, 8.x before 8.2
Adobe Acrobat | 9.x before 9.3, 8.x before 8.2
Description

Desktop software for viewing, creating, annotating, and editing PDF documents.

Deployment: Typically internal | Protocol: HTTP/HTTPS | Ports: 80, 443
Affected Component: PDF JavaScript media.newPlayer method in Multimedia.api

Vendor Size: Big
Remediation
Workaround
Disable Acrobat/Reader JavaScript or use Adobe's JavaScript Blacklist Framework; DEP reduced impact in some supported Windows configurations.

www.adobe.com
Patch

Not available

Update
Upgrade Adobe Reader to 9.3 or later and Adobe Acrobat to 9.3 or later; Adobe's January 2010 update also provided 8.2 releases for the older branch.

blog.adobe.com
Threat Intelligence
EPSS Score: 92.9%

Probability of exploitation in the next 30 days

EPSS Percentile: 100%

Worse than 100% of all CVEs

CISA KEV: Listed
Active Exploitation: Active
adobe.com
Threat Actors

No known threat actors

Detection Rules (2)
Other
PDF JavaScript pattern: this.media.newPlayer(null) with util.printd heap-spray behavior
Other
HTTP:STC:ADOBE:PDF-JS-NEWPLAYER
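
A defender-side check for the pattern named in the first rule, added here as an example and not taken from any vendor's scanner: it inflates zlib (FlateDecode) streams, since the crafted files used ZLib compressed streams, and flags references to media.newPlayer. The function names, the 8 MiB inflate cap and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# Markers from the detection rule on this page; tolerant of whitespace around tokens.
NEWPLAYER = re.compile(rb"media\s*\.\s*newPlayer\s*\(")
PRINTD = re.compile(rb"util\s*\.\s*printd\s*\(")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def inflate(data: bytes, limit: int = 8 * 1024 * 1024) -> bytes:
    """Inflate a zlib stream, capped at `limit` bytes to blunt decompression bombs.
    Returns b"" when the data is not zlib; truncated input yields partial output."""
    try:
        return zlib.decompressobj().decompress(data, limit)
    except zlib.error:
        return b""

def scan_pdf(pdf: bytes) -> list:
    """Return one finding per region (raw file or inflated stream) that calls media.newPlayer."""
    regions = [("raw", pdf)]
    for i, m in enumerate(STREAM.finditer(pdf)):
        body = inflate(m.group(1))
        if body:
            regions.append((f"stream#{i}", body))
    findings = []
    for name, data in regions:
        if NEWPLAYER.search(data):
            findings.append({"where": name, "printd": bool(PRINTD.search(data))})
    return findings

def _obj(n: int, js: bytes) -> bytes:
    """Build a constructed PDF stream object holding zlib-compressed text (sample data only)."""
    z = zlib.compress(js)
    head = b"%d 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % (n, len(z))
    return head + z + b"\nendstream\nendobj\n"

# Constructed sample: marker strings only, not a valid or working document.
SAMPLE = (b"%PDF-1.6\n"
          + _obj(1, b"this.media.newPlayer(null); util.printd('x', new Date());")
          + _obj(2, b"app.alert('hello');"))

if __name__ == "__main__":
    for finding in scan_pdf(SAMPLE):
        print(finding)
```

This sketch only handles plain FlateDecode streams; chained filters, object streams and JavaScript that builds the method name at run time need a full PDF parser in front of the same pattern match.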

NVD Data


Description Summary

Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

CVSS Base Score

7.8
High

CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-416 Use After Free
Version From: 8.0, 8.0 | Version Upto: 8.2, 8.2

Affected Software (CPE) (7)

  • cpe:2.3:a:adobe:acrobat:*:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*:*
  • cpe:2.3:a:suse:linux_enterprise_debuginfo:11:-:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:11.1:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:11.2:*:*:*:*:*:*:*
  • cpe:2.3:o:suse:linux_enterprise:10.0:sp2:*:*:*:*:*:*
  • cpe:2.3:o:suse:linux_enterprise:10.0:sp3:*:*:*:*:*:*