CPNI - Centre for the Protection of National Infrastructure

July 2009

3875 - Security updates available for Adobe Flash Player

ID: 3875
Date: 31/07/2009

Title: 3875 - Security updates available for Adobe Flash Player
Platform level affected: Net Application - Client
Hardware components affected: Intel PC
Specific operating systems components affected: 32-bit Windows
Other software: Web Browser
Remediation Summary: Update your copy of the software with the download available from the supplier.
Vendors affected:Adobe
Applications affected:Adobe Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: Adobe
Reliability of source: Trusted
Source URL: http://www.adobe.com/go/getflashplayer
CVE: CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870
Abstract: Critical vulnerabilities have been identified in the current versions of Adobe Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Security updates available for Adobe Flash Player

Release date: July 30, 2009

Last updated: July 31, 2009

Vulnerability identifier: APSB09-10

CVE number: CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in the current versions of Adobe Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009. This bulletin will be updated to reflect their availability on that date. (The update for Adobe Flash Player v9 and v10 for Solaris is still pending.)

Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. Adobe recommends users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2.

Affected software versions

Adobe Flash Player 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions

To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Adobe AIR 1.5.1 and earlier versions

Solution

Adobe Flash Player

Adobe recommends all users of Adobe Flash Player 10.0.22.87 and earlier versions upgrade to the newest version 10.0.32.18 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

For users who cannot update to Adobe Flash Player 10, Adobe has developed a patched version of Adobe Flash Player 9, Adobe Flash Player 9.0.246.0, which can be downloaded from the following link: http://www.adobe.com/support/flashplayer/downloads.html#fp9.

Adobe AIR

Adobe recommends all users of Adobe AIR version 1.5.1 and earlier update to the newest version 1.5.2 by downloading it from the Adobe AIR Download Center.
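The two checks the bulletin asks for, comparing each installed Flash Player or AIR version against the fixed versions named under Affected software versions and Solution, can be scripted once the version strings have been collected. The script below is an added example and is not part of the CPNI or Adobe advisory; the only facts it takes from the bulletin are the fixed versions 9.0.246.0, 10.0.32.18 and AIR 1.5.2 and the rule that 9.x, 10.x and earlier branches all need updating. The inventory rows are constructed sample data, and gathering real version strings (the About Flash Player page in each browser, or an inventory tool) is left outside the script.

```python
"""Check Adobe Flash Player / AIR version strings against APSB09-10.

Added example, not code from the CPNI or Adobe advisory. Fixed versions
are those the bulletin states; inventory rows are constructed sample data.
"""
from typing import List, Tuple

Version = Tuple[int, ...]
Row = Tuple[str, str, str, str]  # (host, browser or runtime, product, version)

# Fixed versions named in the bulletin, keyed by Flash Player major branch.
FLASH_FIXED = {9: (9, 0, 246, 0), 10: (10, 0, 32, 18)}
AIR_FIXED = (1, 5, 2)


def parse_version(text: str) -> Version:
    """Turn '9.0.159.0' into (9, 0, 159, 0); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def pad(v: Version, width: int) -> Version:
    """Right-pad with zeros so a short string like '10.0.32' compares as (10, 0, 32, 0)."""
    return v + (0,) * (width - len(v))


def flash_status(text: str) -> str:
    """'fixed', 'update-required' or 'not-covered' for one Flash Player version."""
    v = parse_version(text)
    if v[0] < 9:
        # Bulletin: "9.x and 10.x and earlier versions" should update.
        return "update-required"
    fixed = FLASH_FIXED.get(v[0])
    if fixed is None:
        # A branch newer than the bulletin describes: report it rather than guess.
        return "not-covered"
    return "fixed" if pad(v, len(fixed)) >= fixed else "update-required"


def air_status(text: str) -> str:
    """'fixed' or 'update-required' for one Adobe AIR version."""
    v = parse_version(text)
    return "fixed" if pad(v, len(AIR_FIXED)) >= AIR_FIXED else "update-required"


# Constructed sample inventory. ws-01 carries two browsers, each with its own
# plugin copy, because the bulletin says to check every installed browser.
SAMPLE_INVENTORY: List[Row] = [
    ("ws-01", "Internet Explorer", "flash", "10.0.32.18"),
    ("ws-01", "Firefox", "flash", "10.0.22.87"),
    ("ws-02", "Firefox", "flash", "9.0.159.0"),
    ("ws-03", "Internet Explorer", "flash", "9.0.246.0"),
    ("ws-04", "Safari", "flash", "8.0.24.0"),
    ("ws-05", "runtime", "air", "1.5.1"),
    ("ws-06", "runtime", "air", "1.5.2"),
]


def rows_needing_update(inventory: List[Row]) -> List[Row]:
    """Return the inventory rows whose version the bulletin says must be updated."""
    needs_update = []
    for row in inventory:
        _host, _where, product, version = row
        status = flash_status(version) if product == "flash" else air_status(version)
        if status == "update-required":
            needs_update.append(row)
    return needs_update


if __name__ == "__main__":
    for host, where, product, version in rows_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} in {where} -> update required")
```

Versions are compared as integer tuples rather than strings so that 10.0.32.18 sorts above 10.0.22.87 (a string comparison would get "10.0.22" and "10.0.32" right but "9.0.246.0" against "9.0.99.0" wrong), and a truncated string is padded with zeros so it errs on the side of reporting an update.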

Severity rating

Adobe categorizes these as critical issues and recommends affected users patch their installations.

Details

The update for Adobe Flash Player and Adobe AIR, Adobe Reader and Acrobat resolves a memory corruption vulnerability that could potentially lead to code execution (CVE-2009-1862).

The update for Adobe Flash Player resolves the vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). This vulnerability could allow an attacker who successfully exploits the vulnerability to take control of the affected system (CVE-2009-0901, CVE-2009-2395, CVE-2009-2493).

The update for Adobe Flash Player and Adobe AIR resolves the privilege escalation vulnerability that could potentially lead to code execution (CVE-2009-1863).

The update for Adobe Flash Player and Adobe AIR resolves the heap overflow vulnerability that could potentially lead to code execution (CVE-2009-1864).

The update for Adobe Flash Player and Adobe AIR resolves the null pointer vulnerability that could potentially lead to code execution (CVE-2009-1865).

The update for Adobe Flash Player and Adobe AIR resolves the stack overflow vulnerability that could potentially lead to code execution (CVE-2009-1866).

The update for Adobe Flash Player and Adobe AIR resolves a clickjacking vulnerability that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog (CVE-2009-1867).

The update for Adobe Flash Player and Adobe AIR resolves the URL parsing heap overflow vulnerability that could potentially lead to code execution (CVE-2009-1868).

The update for Adobe Flash Player and Adobe AIR resolves the integer overflow vulnerability that could potentially lead to code execution (CVE-2009-1869).

The update for Adobe Flash Player and Adobe AIR resolves a local sandbox vulnerability that could potentially lead to information disclosure when SWFs are saved to the hard drive (CVE-2009-1870).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers’ security:

  • lakehu of Tencent Security Center (CVE-2009-1862)
  • David Dewey of IBM ISS X-Force, Ryan Smith of VeriSign iDefense Labs, and Microsoft Vulnerability Research Program (MSVR) (CVE-2009-0901, CVE-2009-2395, CVE-2009-2493)
  • Mike Wroe (CVE-2009-1863)
  • An anonymous researcher reporting through the iDefense Vulnerability Contributor Program (CVE-2009-1864)
  • Chen Chen of Venustech (CVE-2009-1865, CVE-2009-1866)
  • Joran Benker (CVE-2009-1867)
  • iDefense (CVE-2009-1868)
  • Roee Hay of IBM Rational Application Security (CVE-2009-1869)
  • Microsoft Vulnerability Research Program (MSVR) (CVE-2009-1870)

Revisions

July 31, 2009 - Bulletin updated with correct Adobe Flash Player 9 download link
July 30, 2009 - Bulletin first created

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

Fri, 31 Jul 2009 17:06:00 GMT
Domain affected: Technical