SecurityvulnsSECURITYVULNS:DOC:24039Security update available for Adobe Flash Player
ecurity update available for Adobe Flash Player
Release date: June 10, 2010
Last updated: June 10, 2010
Vulnerability identifier: APSB10-14
CVE number: CVE-2008-4546, CVE-2009-3793, CVE-2010-1297, CVE-2010-2160, CVE-2010-2161, CVE-2010-2162, CVE-2010-2163, CVE-2010-2164, CVE-2010-2165, CVE-2010-2166, CVE-2010-2167, CVE-2010-2169, CVE-2010-2170, CVE-2010-2171, CVE-2010-2172, CVE-2010-2173, CVE-2010-2174, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2179, CVE-2010-2180, CVE-2010-2181, CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186, CVE-2010-2187, CVE-2010-2188, CVE-2010-2189
Platform: All Platforms
Summary
Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions update to Adobe Flash Player 10.1.53.64. Adobe recommends users of Adobe AIR 1.5.3.9130 and earlier versions update to Adobe AIR 2.0.2.12610.
Affected software versions
Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris
Adobe AIR 1.5.3.9130 and earlier versions for Windows, Macintosh and Linux
To verify the Adobe Flash Player version number installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
To verify the Adobe AIR version number installed on your system, access the Adobe AIR TechNote for instructions.
Solution
Adobe Flash Player
Adobe recommends all users of Adobe Flash Player 10.0.45.2 and earlier versions upgrade to the newest version 10.1.53.64 by downloading it from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted.
To address the vulnerabilities described in this Security Bulletin, a prerelease version of Flash Player 10.1 for Solaris platforms is available from Adobe Labs.
For users who cannot update to Flash Player 10.1.53.64, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.277.0, which can be downloaded from the following link.
Adobe AIR
Adobe recommends all users of Adobe AIR 1.5.3.9130 and earlier versions update to the newest version 2.0.2.12610 by downloading it from the Adobe AIR Download Center.
Severity rating
Adobe categorizes this as a critical update and recommends affected users update their installations to the newest versions.
Details
Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1297).
Note: There are reports that this issue is being actively exploited in the wild.
This update resolves a memory exhaustion vulnerability that could lead to code execution (CVE-2009-3793).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2160).
This update resolves an indexing vulnerability that could lead to code execution (CVE-2010-2161).
This update resolves a heap corruption vulnerability that could lead to code execution (CVE-2010-2162).
This update resolves multiple vulnerabilities that could lead to code execution (CVE-2010-2163).
This update resolves a use after free vulnerability that could lead to code execution (CVE-2010-2164).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2165).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2166).
This update resolves multiple heap overflow vulnerabilities that could lead to code execution (CVE-2010-2167).
This update resolves a pointer memory corruption that could lead to code execution (CVE-2010-2169).
This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-2170).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2171).
This update resolves a denial of service issue on some UNIX platforms (Flash Player 9 only) (CVE-2010-2172).
This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2173).
This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2174).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2175).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2176).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2177).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2178).
This update resolves a URL parsing vulnerability that could lead to cross-site scripting (Firefox and Chrome browsers only) (CVE-2010-2179).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2180).
This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-2181).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2182).
This update resolves a integer overflow vulnerability that could lead to code execution (CVE-2010-2183).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2184).
This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-2185).
This update resolves a denial of service vulnerability that can cause the application to crash. Arbitrary code execution has not been demonstrated, but may be possible. (CVE-2010-2186).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2187).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2188).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2189).
Note: This issue occurs only on VMWare systems with VMWare Tools enabled.
This update resolves a denial of service issue (CVE-2008-4546).
Adobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions update to Adobe Flash Player 10.1.53.64. Adobe recommends users of Adobe AIR 1.5.3.9130 and earlier versions update to Adobe AIR 2.0.2.12610.
Affected software
Recommended player update
Availability
Flash Player 10.0.45.2 and earlier
10.1.53.64
Flash Player Download Center
Flash Player 10.0.45.2 and earlier - network distribution
10.1.53.64
Flash Player Licensing
AIR 1.5.3.9130
AIR 2.0.2.12610
AIR Download Center
Flash Professional CS5, Flash CS4 Professional and Flex 4
10.1.53.64
Flash Player Support Center
Flash CS3 Professional and Flex 3
9.0.277.0
Flash Player Support Center
Note: The Adobe Flash Player 10.1.53.64 release will be the last version to support Macintosh PowerPC-based G3 computers. Adobe will be discontinuing support of PowerPC-based G3 computers and will no longer provide security updates after the Flash Player 10.1.53.64 release. This unavailability is due to performance enhancements that cannot be supported on the older PowerPC architecture.
Acknowledgments
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
* Will Dormann of CERT (CVE-2010-1297, CVE-2010-2163)
* Lockheed Martin CIRT, Members of the Defense Security Information Exchange (DSIE) (CVE-2010-1297)
* Ralph Loader of Innaworks Development Limited (CVE-2009-3793)
* An Anonymous Researcher and Dionysus Blazakis through TippingPoint's Zero Day Initiative (CVE-2010-2160)
* An Anonymous Researcher reported through iDefense's Vulnerability Contributor Program (CVE-2010-2161)
* Damian Put through TippingPoint's Zero Day Initiative (CVE-2010-2162, CVE-2010-2188)
* An Anonymous Researcher reported through iDefense's Vulnerability Contributor Program (CVE-2010-2164)
* Megumi Yanagishita of Palo Alto Networks Inc. (CVE-2010-2165)
* Bing Liu of Fortinet's FortiGuard Labs (CVE-2010-2163, CVE-2010-2166)
* Nicolas Joly of VUPEN Vulnerability Research Team (CVE-2010-2167, CVE-2010-2173, CVE-2010-2174)
* Manuel Caballero and Microsoft Vulnerability Research (MSVR) (CVE-2010-2169)
* Tielei Wang from ICST-ERCIS (Engineering Research Center of Info Security, Institute of Computer Science & Technology, Peking University / China) (CVE-2010-2170)
* An Anonymous Researcher and Tielei Wang, from ICST-ERCIS, Peking University, through TippingPoint's Zero Day Initiative (CVE-2010-2171)
* Report submitted by Red Hat Security Response Team (CVE-2010-2172)
* Bo Qu of Palo Alto Networks (CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178)
* Ezio Anselmo Mazarim Fernandes (CVE-2010-2179)
* Haifei Li of Fortinet's FortiGuard Labs (CVE-2010-2189)
* Tavis Ormandy of the Google Security Team (CVE-2010-2163, CVE-2010-2180, CVE-2010-2181, CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186, CVE-2010-2187).
Revisions
June 10, 2010 - Updated Acknowledgments section, adding Lockheed Martin CIRT and Members of the Defense Security Information Exchange.
June 10, 2010 - Bulletin released.
Related
