CERT RENATER Advisories

Date: Wed, 09 Dec 2009 09:38:59 +0100
Type: VULN
Subject: CERT-Renater: 2009/VULN510 (Adobe: Security updates available for Adobe Flash Player)
====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN510
_____________________________________________________________________

DATE                      : 09/12/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Adobe Flash Player, Adobe AIR.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb09-19.html
______________________________________________________________________

Security updates available for Adobe Flash Player

Release date: December 8, 2009

Vulnerability identifier: APSB09-19

CVE numbers: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798,
CVE-2009-3799, CVE-2009-3800, CVE-2009-3951

Platform: All Platforms


Summary

Critical vulnerabilities have been identified in Adobe Flash Player version
10.0.32.18 and earlier.  These vulnerabilities could cause the application
to crash and could potentially allow an attacker to take control of the
affected system.

Adobe recommends users of Adobe Flash Player 10.0.32.18 and earlier versions
update to Adobe Flash Player 10.0.42.34.  Adobe recommends users of
Adobe AIR version 1.5.2 and earlier versions update to Adobe AIR 1.5.3.


Affected software versions

Adobe Flash Player 10.0.32.18 and earlier versions
Adobe AIR 1.5.2 and earlier versions

To verify the Adobe Flash Player version number installed on your system,
access the About Flash Player page, or right-click on content running in
Flash Player and select "About Adobe (or Macromedia) Flash Player" from
the menu.  If you use multiple browsers, perform the check for each
browser you have installed on your system.


Solution

Adobe Flash Player
Adobe recommends all users of Adobe Flash Player 10.0.32.18 and earlier
versions upgrade to the newest version 10.0.42.34 by downloading it from
the Flash Player Download Center or by using the auto-update mechanism
within the product when prompted.

Adobe AIR
Adobe recommends all users of Adobe AIR version 1.5.2 and earlier update
to the newest version 1.5.3 by downloading it from the
Adobe AIR Download Center.
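
The version check described above can be run across an inventory instead of by hand. The following is an added example, not part of the Adobe bulletin or the CERT-Renater note: it compares reported versions numerically against the fixed releases named in this bulletin, accepting both dotted strings and the comma-separated form some tools report (for example `WIN 10,0,32,18`). The host names and inventory rows are constructed, and the function names are hypothetical.

```python
import re

# Fixed releases stated in this bulletin (APSB09-19).
FIXED = {
    "flash": (10, 0, 42, 34),
    "air": (1, 5, 3),
}

def parse_version(text):
    """Extract a numeric tuple from '10.0.32.18', 'WIN 10,0,32,18', etc."""
    match = re.search(r"\d+(?:[.,]\d+)+", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in re.split(r"[.,]", match.group()))

def needs_update(product, version_text):
    """True when the installed version is older than the fixed release."""
    fixed = FIXED[product]
    installed = parse_version(version_text)
    # Pad with zeros so that 1.5 compares as 1.5.0.
    width = max(len(fixed), len(installed))
    pad = lambda v: v + (0,) * (width - len(v))
    # Tuple comparison is numeric per component; comparing the raw
    # strings would mis-order components of different lengths.
    return pad(installed) < pad(fixed)

def triage(inventory):
    """Return the rows that are below the fixed release or unreadable."""
    flagged = []
    for host, product, version_text in inventory:
        try:
            if needs_update(product, version_text):
                flagged.append((host, "update"))
        except (KeyError, ValueError):
            # Unknown product or unparsable version: check by hand.
            flagged.append((host, "manual-review"))
    return flagged

# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    ("pc-01", "flash", "WIN 10,0,32,18"),
    ("pc-02", "flash", "10.0.42.34"),
    ("pc-03", "flash", "LNX 10,0,15,3"),
    ("pc-04", "air", "1.5.2"),
    ("pc-05", "air", "1.5.3"),
    ("pc-06", "flash", "unknown"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE):
        print(host, action)
```
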


Severity rating

Adobe categorizes these as critical issues and recommends affected users
update their installations to the newest versions.


Details

This update resolves a vulnerability in the parsing of JPEG data that could
potentially lead to code execution (CVE-2009-3794).

This update resolves a data injection vulnerability that could potentially
lead to code execution (CVE-2009-3796).

This update resolves a memory corruption vulnerability that could potentially
lead to code execution (CVE-2009-3797).

This update resolves a memory corruption vulnerability that could potentially
lead to code execution (CVE-2009-3798).

This update resolves an integer overflow vulnerability that could potentially
lead to code execution (CVE-2009-3799).

This update resolves multiple crash vulnerabilities that could potentially lead
to code execution (CVE-2009-3800).

This update resolves a Windows-only local file name access vulnerability in the
Flash Player ActiveX control that could potentially lead to information disclosure
(CVE-2009-3951). This updates the previously patched issue, CVE-2008-4820.


Affected software                                           Recommended player update  Availability

Flash Player 10.0.12.36 and earlier                         10.0.42.34                 Flash Player Download Center
Flash Player 10.0.12.36 and earlier - network distribution  10.0.42.34                 Flash Player Licensing
Flash Player 10.0.15.3 and earlier for Linux                10.0.42.34                 Flash Player Download Center
AIR 1.5                                                     AIR 1.5.3                  AIR Download Center


Note: The Adobe Flash Player 10.1 release, expected in the first half
of 2010, will be the last version to support Macintosh PowerPC-based G3
computers. Adobe will be discontinuing support of PowerPC-based G3 computers
and will no longer provide security updates after the Flash Player 10.1 release.
This unavailability is due to performance enhancements that cannot be
supported on the older PowerPC architecture.


Acknowledgements

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect
our customers:

    * An anonymous researcher reported through TippingPoint's Zero Day Initiative
      (CVE-2009-3794)
    * Jim Cheng of EffectiveUI (CVE-2009-3796)
    * Bing Liu of Fortinet's FortiGuard Labs (CVE-2009-3797, CVE-2009-3798)
    * Damian Put through TippingPoint's Zero Day Initiative (CVE-2009-3799)
    * Will Dormann of CERT (CVE-2009-3800)
    * Manuel Caballero and Microsoft Vulnerability Research (MSVR) (CVE-2009-3951)


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================