Date: 14 September 2010
References: ESB-2010.0856 ASB-2010.0220 ESB-2010.0890
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0822
Security Advisory for Adobe Flash Player, Adobe Reader and Adobe Acrobat
14 September 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Adobe Flash Player 10.1.82.76 and prior for Windows,
                   Macintosh, Linux and Solaris
                   Adobe Flash Player 10.1.92.10 for Android
                   Adobe Reader 9.3.4 and prior for Windows, Macintosh and UNIX
                   Adobe Acrobat 9.3.4 and prior for Windows and Macintosh
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Mobile Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service -- Remote with User Interaction
Resolution:        None
CVE Names:         CVE-2010-2884
Original Bulletin:
                   http://www.adobe.com/support/security/advisories/apsa10-03.html
Comment:           Adobe has yet to release updates to correct this vulnerability, but
                   has stated that they expect to have updates for Adobe Flash Player
                   available by September 27, 2010, and Adobe Reader and Adobe Acrobat
                   available during the week of October 4, 2010.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Advisory for Flash Player
Release date: September 13, 2010
Vulnerability identifier: APSA10-03
CVE number: CVE-2010-2884
Platform: All
Summary
A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier
versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player
10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for
Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for
Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash
and potentially allow an attacker to take control of the affected system. There
are reports that this vulnerability is being actively exploited in the wild
against Adobe Flash Player on Windows. Adobe is not aware of any attacks
exploiting this vulnerability against Adobe Reader or Acrobat to date.
We are in the process of finalizing a fix for the issue and expect to provide
an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and
Android operating systems during the week of September 27, 2010. We expect to
provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and
Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4,
2010.
Affected software versions
* Adobe Flash Player 10.1.82.76 and earlier versions for Windows,
Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android
* Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
* Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh
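With no fix available at the time of the bulletin, the practical defender task is inventory: find every install that falls inside the affected ranges above. The following is an added example, not code from AusCERT or Adobe. It encodes the version bounds exactly as the bulletin states them ("and earlier" for desktop Flash Player, Reader and Acrobat; the single listed build for Android) and compares versions numerically, since a plain string comparison would rank "10.1.9.0" above "10.1.82.76". The product and platform labels and the sample inventory rows are constructed for illustration.

```python
# Added example (not part of the AusCERT/Adobe bulletin): check installed
# versions against the affected ranges stated in APSA10-03 / CVE-2010-2884.
# Product/platform labels and the sample inventory are constructed.


def parse_version(text):
    """Turn '10.1.82.76' into (10, 1, 82, 76) so comparison is numeric.

    String comparison would wrongly rank '10.1.9.0' above '10.1.82.76'
    because '9' sorts after '8'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# (product, platform) -> (bound, exact_only). exact_only=False means the
# bulletin says "<bound> and earlier"; True means only that build is listed.
AFFECTED = {
    ("Adobe Flash Player", "Windows"): ("10.1.82.76", False),
    ("Adobe Flash Player", "Macintosh"): ("10.1.82.76", False),
    ("Adobe Flash Player", "Linux"): ("10.1.82.76", False),
    ("Adobe Flash Player", "Solaris"): ("10.1.82.76", False),
    ("Adobe Flash Player", "Android"): ("10.1.92.10", True),
    ("Adobe Reader", "Windows"): ("9.3.4", False),
    ("Adobe Reader", "Macintosh"): ("9.3.4", False),
    ("Adobe Reader", "UNIX"): ("9.3.4", False),
    ("Adobe Acrobat", "Windows"): ("9.3.4", False),
    ("Adobe Acrobat", "Macintosh"): ("9.3.4", False),
}


def is_affected(product, platform, installed):
    """True if the installed version is inside the bulletin's affected range.

    Combinations the bulletin does not list (e.g. Acrobat on UNIX) return
    False rather than being guessed at.
    """
    entry = AFFECTED.get((product, platform))
    if entry is None:
        return False
    bound, exact_only = entry
    installed_v = parse_version(installed)
    bound_v = parse_version(bound)
    if exact_only:
        return installed_v == bound_v
    return installed_v <= bound_v


def triage(inventory):
    """Return the rows of (host, product, platform, version) that are affected."""
    return [row for row in inventory if is_affected(row[1], row[2], row[3])]


# Constructed sample inventory, not data from the bulletin.
SAMPLE_INVENTORY = [
    ("ws-01", "Adobe Flash Player", "Windows", "10.1.82.76"),   # affected: equals the bound
    ("ws-02", "Adobe Flash Player", "Windows", "10.1.9.0"),     # affected: earlier, numerically
    ("droid-1", "Adobe Flash Player", "Android", "10.1.92.10"), # affected: the listed build
    ("droid-2", "Adobe Flash Player", "Android", "10.1.92.8"),  # not listed in the bulletin
    ("ws-04", "Adobe Reader", "Windows", "9.3.4"),              # affected
    ("srv-01", "Adobe Acrobat", "UNIX", "9.3.4"),               # Acrobat on UNIX is not listed
]

if __name__ == "__main__":
    for host, product, platform, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} on {platform} is in the CVE-2010-2884 affected range")
```

Feed `triage()` whatever your software inventory exports, as (host, product, platform, version) rows; a version string that is not purely numeric dotted raises rather than being silently treated as safe.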
Severity rating
Adobe categorizes this as a critical issue.
Details
A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier
versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player
10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for
Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for
Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash
and potentially allow an attacker to take control of the affected system.
There are reports that this vulnerability is being actively exploited in the
wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks
exploiting this vulnerability against Adobe Reader or Acrobat to date.
We are in the process of finalizing a fix for the issue and expect to provide
an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and
Android operating systems during the week of September 27, 2010. We expect to
provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and
Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4,
2010.
Adobe actively shares information about this and other vulnerabilities with
partners in the security community to enable them to quickly develop
detection and quarantine methods to protect users until a patch is available.
As always, Adobe recommends that users follow security best practices by
keeping their anti-malware software and definitions up to date.
Users may monitor the latest information on the Adobe Product Security
Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt
or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.
Acknowledgments
Adobe would like to thank Steven Adair of the Shadowserver Foundation for
working with us on this issue to help protect our customers.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFMjtwQ/iFOrG6YcBERAgXcAJ4sdHRaLRJYwqK0X2R4KBAmbMdLfwCgvqtd
3AXa1PCDz5ABxix5fOvA5GU=
=jEzC
-----END PGP SIGNATURE-----