Date: 11 June 2010
References: ASB-2010.0139 ESB-2010.0529 ESB-2010.0534 ESB-2010.0583 ESB-2010.0717 ESB-2010.0734 ESB-2010.0791
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0524
Security update available for Adobe Flash Player
11 June 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Adobe Flash Player
Adobe AIR
Publisher: Adobe
Operating System: Windows
Linux variants
Mac OS X
Solaris
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2010-2189 CVE-2010-2188 CVE-2010-2187
CVE-2010-2186 CVE-2010-2185 CVE-2010-2184
CVE-2010-2183 CVE-2010-2182 CVE-2010-2181
CVE-2010-2180 CVE-2010-2179 CVE-2010-2178
CVE-2010-2177 CVE-2010-2176 CVE-2010-2175
CVE-2010-2174 CVE-2010-2173 CVE-2010-2172
CVE-2010-2171 CVE-2010-2170 CVE-2010-2169
CVE-2010-2167 CVE-2010-2166 CVE-2010-2165
CVE-2010-2164 CVE-2010-2163 CVE-2010-2162
CVE-2010-2161 CVE-2010-2160 CVE-2010-1297
CVE-2009-3793 CVE-2008-4546
Reference: ASB-2010.0139
Original Bulletin:
http://www.adobe.com/support/security/bulletins/apsb10-14.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Security update available for Adobe Flash Player
Release date: June 10, 2010
Vulnerability identifier: APSB10-14
CVE number: CVE-2008-4546, CVE-2009-3793, CVE-2010-1297, CVE-2010-2160,
CVE-2010-2161, CVE-2010-2162, CVE-2010-2163, CVE-2010-2164, CVE-2010-2165,
CVE-2010-2166, CVE-2010-2167, CVE-2010-2169, CVE-2010-2170, CVE-2010-2171,
CVE-2010-2172, CVE-2010-2173, CVE-2010-2174, CVE-2010-2175, CVE-2010-2176,
CVE-2010-2177, CVE-2010-2178, CVE-2010-2179, CVE-2010-2180, CVE-2010-2181,
CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186,
CVE-2010-2187, CVE-2010-2188, CVE-2010-2189
Platform: All Platforms Summary
Critical vulnerabilities have been identified in Adobe Flash Player version
10.0.45.2 and earlier. These vulnerabilities could cause the application to
crash and could potentially allow an attacker to take control of the affected
system.
Adobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions
update to Adobe Flash Player 10.1.53.64. Adobe recommends users of Adobe AIR
1.5.3.9130 and earlier versions update to Adobe AIR 2.0.2.12610. Affected
software versions
Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh,
Linux and Solaris Adobe AIR 1.5.3.9130 and earlier versions for Windows,
Macintosh and Linux
To verify the Adobe Flash Player version number installed on your system,
access the About Flash Player page, or right-click on content running in Flash
Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If
you use multiple browsers, perform the check for each browser you have
installed on your system.
To verify the Adobe AIR version number installed on your system, access the
Adobe AIR TechNote for instructions. Solution
Adobe Flash Player Adobe recommends all users of Adobe Flash Player 10.0.45.2
and earlier versions upgrade to the newest version 10.1.53.64 by downloading
it from the Adobe Flash Player Download Center or by using the auto-update
mechanism within the product when prompted.
To address the vulnerabilities described in this Security Bulletin, a
prerelease version of Flash Player 10.1 for Solaris platforms is available
from Adobe Labs.
For users who cannot update to Flash Player 10.1.53.64, Adobe has developed a
patched version of Flash Player 9, Flash Player 9.0.277.0, which can be
downloaded from the following link.
Adobe AIR Adobe recommends all users of Adobe AIR 1.5.3.9130 and earlier
versions update to the newest version 2.0.2.12610 by downloading it from the
Adobe AIR Download Center. Severity rating
Adobe categorizes this as a critical update and recommends affected users
update their installations to the newest versions. Details
Critical vulnerabilities have been identified in Adobe Flash Player version
10.0.45.2 and earlier. These vulnerabilities could cause the application to
crash and could potentially allow an attacker to take control of the affected
system.
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-1297). Note: There are reports that this issue is being
actively exploited in the wild.
This update resolves a memory exhaustion vulnerability that could lead to code
execution (CVE-2009-3793).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2160).
This update resolves an indexing vulnerability that could lead to code
execution (CVE-2010-2161).
This update resolves a heap corruption vulnerability that could lead to code
execution (CVE-2010-2162).
This update resolves multiple vulnerabilities that could lead to code
execution (CVE-2010-2163).
This update resolves a use after free vulnerability that could lead to code
execution (CVE-2010-2164).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2165).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2166).
This update resolves multiple heap overflow vulnerabilities that could lead to
code execution (CVE-2010-2167).
This update resolves a pointer memory corruption that could lead to code
execution (CVE-2010-2169).
This update resolves an integer overflow vulnerability that could lead to code
execution (CVE-2010-2170).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2171).
This update resolves a denial of service issue on some UNIX platforms (Flash
Player 9 only) (CVE-2010-2172).
This update resolves an invalid pointer vulnerability that could lead to code
execution (CVE-2010-2173).
This update resolves an invalid pointer vulnerability that could lead to code
execution (CVE-2010-2174).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2175).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2176).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2177).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2178).
This update resolves a URL parsing vulnerability that could lead to cross-site
scripting (Firefox and Chrome browsers only) (CVE-2010-2179).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2180).
This update resolves an integer overflow vulnerability that could lead to code
execution (CVE-2010-2181).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2182).
This update resolves a integer overflow vulnerability that could lead to code
execution (CVE-2010-2183).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2184).
This update resolves a buffer overflow vulnerability that could lead to code
execution (CVE-2010-2185).
This update resolves a denial of service vulnerability that can cause the
application to crash. Arbitrary code execution has not been demonstrated, but
may be possible. (CVE-2010-2186).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2187).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2188).
This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2189). Note: This issue occurs only on VMWare systems with
VMWare Tools enabled.
This update resolves a denial of service issue (CVE-2008-4546).
Adobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions
update to Adobe Flash Player 10.1.53.64. Adobe recommends users of Adobe AIR
1.5.3.9130 and earlier versions update to Adobe AIR 2.0.2.12610.
Affected software
Recommended player update
Availability
Flash Player 10.0.45.2 and earlier
10.1.53.64
Flash Player Download Center
Flash Player 10.0.45.2 and earlier - network distribution
10.1.53.64
Flash Player Licensing
AIR 1.5.3.9130
AIR 2.0.2.12610
AIR Download Center
Flash Professional CS5, Flash CS4 Professional and Flex 4
10.1.53.64
Flash Player Support Center
Flash CS3 Professional and Flex 3
9.0.277.0
Flash Player Support Center
Note: The Adobe Flash Player 10.1.53.64 release will be the last version to
support Macintosh PowerPC-based G3 computers. Adobe will be discontinuing
support of PowerPC-based G3 computers and will no longer provide security
updates after the Flash Player 10.1.53.64 release. This unavailability is due
to performance enhancements that cannot be supported on the older PowerPC
architecture. Acknowledgments
Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:
* Will Dormann of CERT (CVE-2010-1297, CVE-2010-2163)
* Ralph Loader of Innaworks Development Limited (CVE-2009-3793)
* An Anonymous Researcher and Dionysus Blazakis through TippingPoint's Zero
Day Initiative (CVE-2010-2160)
* An Anonymous Researcher reported through iDefense's Vulnerability
Contributor Program (CVE-2010-2161)
* Damian Put through TippingPoint's Zero Day Initiative (CVE-2010-2162,
CVE-2010-2188) * An Anonymous Researcher reported through iDefense's
Vulnerability Contributor Program (CVE-2010-2164)
* Megumi Yanagishita of Palo Alto Networks Inc. (CVE-2010-2165)
* Bing Liu of Fortinet's FortiGuard Labs (CVE-2010-2163, CVE-2010-2166)
* Nicolas Joly of VUPEN Vulnerability Research Team (CVE-2010-2167,
CVE-2010-2173, CVE-2010-2174)
* Manuel Caballero and Microsoft Vulnerability Research (MSVR)
(CVE-2010-2169)
* Tielei Wang from ICST-ERCIS (Engineering Research Center of
Info Security, Institute of Computer Science & Technology, Peking
University / China) (CVE-2010-2170)
* An Anonymous Researcher and Tielei Wang, from ICST-ERCIS, Peking University,
through TippingPoint's Zero Day Initiative (CVE-2010-2171)
* Report submitted by Red Hat Security Response Team (CVE-2010-2172)
* Bo Qu of Palo Alto Networks (CVE-2010-2175, CVE-2010-2176, CVE-2010-2177,
CVE-2010-2178) * Ezio Anselmo Mazarim Fernandes (CVE-2010-2179)
* Haifei Li of Fortinet's FortiGuard Labs (CVE-2010-2189)
* Tavis Ormandy of the Google Security Team (CVE-2010-2163, CVE-2010-2180,
CVE-2010-2181, CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185,
CVE-2010-2186, CVE-2010-2187).
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFMEWpZ/iFOrG6YcBERAhObAKDWEZseJStjU8cZWJWAC49rJepf2wCffxsB
nw0XegA6h81jWLtUpHwv5WY=
=H7IQ
-----END PGP SIGNATURE-----
|