Vous êtes ici: index » cert » avis

Avis du CERT RENATER

Par défaut, cette page vous affichera les derniers messages envoyés par le CERT RENATER à la communauté. Vous pouvez affiner par année ou par type de message. Si aucun critère n'est précisé, seuls les derniers messages sont affichés

Date : Fri, 27 Feb 2009 11:10:37 +0100
Type : VULN
Sujet : CERT-Renater : 2009/VULN067 (Adobe: Flash Player update available to address security vulnerabilities)
====================================================================                                   CERT-Renater

                        Note d'Information No. 2009/VULN067
_____________________________________________________________________

DATE                      : 27/02/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Adobe Flash Player.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb09-01.html
______________________________________________________________________

Flash Player update available to address security vulnerabilities

Release date: February 24, 2009

Vulnerability identifier: APSB09-01

CVE number: CVE-2009-0519, CVE-2009-0520, CVE-2009-0522, CVE-2009-0114,
CVE-2009-0521

Platform: All Platforms
Summary

A potential vulnerability has been identified in Adobe Flash Player
10.0.12.36 and earlier that could allow an attacker who successfully
exploits this potential vulnerability to take control of the affected
system. A malicious SWF must be loaded in Flash Player by the user for
an attacker to exploit this potential vulnerability. Additional
vulnerabilities have been addressed in this update. Adobe recommends
users update to the most current version of Flash Player available for
their platform.


Affected software versions

Adobe Flash Player 10.0.12.36 and earlier (Adobe Flash Player 10.0.15.3
and earlier for Linux)

To verify the Adobe Flash Player version number, access the About Flash
Player page, or right-click on Flash content and select “About Adobe
(or Macromedia) Flash Player” from the menu. If you use multiple browsers,
perform the check for each browser you have installed on your system.
Solution

Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier
versions upgrade to the newest version 10.0.22.87 by downloading it from
the Player Download Center, or by using the auto-update mechanism within
the product when prompted.

For users who cannot update to Flash Player 10, Adobe has developed a
patched version of Flash Player 9, Flash Player 9.0.159.0, which can be
downloaded from the following link.


Severity rating

Adobe categorizes this as a critical update and recommends affected users
upgrade to version 10.0.22.87.


Details

This update resolves a buffer overflow issue that could potentially allow
an attacker to execute arbitrary code. (CVE-2009-0520)

This update resolves an input validation issue that leads to a Denial of Service
(DoS); arbitrary code execution has not been demonstrated, but may be possible.
(CVE-2009-0519)

An update to the Flash Player settings manager display page on Adobe.com has been
deployed to avoid a potential Clickjacking issue variant for Flash Player. The
Settings Manager is a special control panel that runs on your local computer
but is displayed within and accessed from the Adobe website. (CVE-2009-0114)

This update resolves a Windows-only issue with mouse pointer display that could
potentially contribute to a Clickjacking attack. (CVE-2009-0522)

This update prevents a potential Linux-only information disclosure issue in the
Flash Player binary that could lead to privilege escalation. (CVE-2009-0521)


Affected software  Recommended player update Availability

Flash Player 10.0.12.36
and earlier               10.0.22.87         Player Download Center

Flash Player 10.0.12.36
and earlier -
network distribution      10.0.22.87         Player Licensing

Flash Player 10.0.15.3
and earlier for Linux     10.0.22.87         Player Download Center

AIR 1.5                   AIR 1.5.1          AIR Download Center

Flash CS4 Professional    10.0.22.87         Adobe Flash Player 10 Update
                                              for Flash CS4 Professional

Flash CS3 Professional    9.0.159.0          Flash Debug Player Updater

Flex 3                    10.0.22.87         Flash Debug Player Updater


Acknowledgments

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect
our customers' security:

    * Roee Hay from IBM Rational Application Security CVE-2009-0519)
    * iDefense VCP contributor Javier Vicente Vallejo (CVE-2009-0520)
    * Liu Die Yu of TopsecTianRongXin (CVE-2009-0114)
    * Eduardo Vela (CVE-2009-0522)
    * Josh Bressers of Red Hat and Tavis Ormandy of the Google Security Team
      (CVE-2009-0521)


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================