CERT RENATER
Contact us
- Email: cert@support.renater.fr
- Web: CERT pages
- Tel: 01.53.94.20.44
- Fax: 01.53.94.20.31
====================================================================
CERT-Renater

Information Note No. 2009/VULN510
_____________________________________________________________________

DATE : 09/12/2009

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S) : Systems running Adobe Flash Player, Adobe AIR.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb09-19.html
______________________________________________________________________

Security updates available for Adobe Flash Player

Release date: December 8, 2009

Vulnerability identifier: APSB09-19

CVE numbers: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.32.18 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 10.0.32.18 and earlier versions update to Adobe Flash Player 10.0.42.34. Adobe recommends users of Adobe AIR version 1.5.2 and earlier versions update to Adobe AIR 1.5.3.

Affected software versions

Adobe Flash Player 10.0.32.18 and earlier versions
Adobe AIR 1.5.2 and earlier versions

To verify the Adobe Flash Player version number installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Solution

Adobe Flash Player

Adobe recommends all users of Adobe Flash Player 10.0.32.18 and earlier versions upgrade to the newest version 10.0.42.34 by downloading it from the Flash Player Download Center or by using the auto-update mechanism within the product when prompted.

Adobe AIR

Adobe recommends all users of Adobe AIR version 1.5.2 and earlier update to the newest version 1.5.3 by downloading it from the Adobe AIR Download Center.

Severity rating

Adobe categorizes these as critical issues and recommends affected users update their installations to the newest versions.

Details

Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.32.18 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 10.0.32.18 and earlier versions update to Adobe Flash Player 10.0.42.34. Adobe recommends users of Adobe AIR version 1.5.2 and earlier versions update to Adobe AIR 1.5.3.

This update resolves a vulnerability in the parsing of JPEG data that could potentially lead to code execution (CVE-2009-3794).

This update resolves a data injection vulnerability that could potentially lead to code execution (CVE-2009-3796).

This update resolves a memory corruption vulnerability that could potentially lead to code execution (CVE-2009-3797).

This update resolves a memory corruption vulnerability that could potentially lead to code execution (CVE-2009-3798).

This update resolves an integer overflow vulnerability that could potentially lead to code execution (CVE-2009-3799).

This update resolves multiple crash vulnerabilities that could potentially lead to code execution (CVE-2009-3800).

This update resolves a Windows-only local file name access vulnerability in the Flash Player ActiveX control that could potentially lead to information disclosure (CVE-2009-3951). This updates the previously patched issue, CVE-2008-4820.

Affected software                                           | Recommended player update | Availability
Flash Player 10.0.12.36 and earlier                         | 10.0.42.34                | Flash Player Download Center
Flash Player 10.0.12.36 and earlier - network distribution  | 10.0.42.34                | Flash Player Licensing
Flash Player 10.0.15.3 and earlier for Linux                | 10.0.42.34                | Flash Player Download Center
AIR 1.5                                                     | AIR 1.5.3                 | AIR Download Center

Note: The Adobe Flash Player 10.1 release, expected in the first half of 2010, will be the last version to support Macintosh PowerPC-based G3 computers. Adobe will be discontinuing support of PowerPC-based G3 computers and will no longer provide security updates after the Flash Player 10.1 release. This unavailability is due to performance enhancements that cannot be supported on the older PowerPC architecture.

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

* An anonymous researcher reported through TippingPoint's Zero Day Initiative (CVE-2009-3794)
* Jim Cheng of EffectiveUI (CVE-2009-3796)
* Bing Liu of Fortinet's FortiGuard Labs (CVE-2009-3797, CVE-2009-3798)
* Damian Put through TippingPoint's Zero Day Initiative (CVE-2009-3799)
* Will Dormann of CERT (CVE-2009-3800)
* Manuel Caballero and Microsoft Vulnerability Research (MSVR) (CVE-2009-3951)

======================================================================

=========================================================
CERT-Renater reference servers
    http://www.urec.fr/securite
    http://www.cru.fr/securite
    http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44      +
+ 151 bd de l'Hopital | fax : 01-53-94-20-41      +
+ 75013 Paris         | email: certsvp@renater.fr +
=========================================================
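
Added example (not part of the CERT-Renater note or the Adobe bulletin): a triage helper that compares reported Flash Player and AIR versions against the fixed releases 10.0.42.34 and 1.5.3 named above. It accepts both dotted versions and the comma-separated form with a platform prefix that Flash Player reports; the function names and the inventory rows are constructed for illustration.

```python
import re

# Fixed releases named in APSB09-19; anything lower is affected.
FIXED = {
    "flash player": (10, 0, 42, 34),
    "air": (1, 5, 3),
}

_VERSION_RE = re.compile(r"\d+(?:[.,]\d+)+")


def parse_version(text):
    """Return the first dotted or comma-separated version in text as a tuple of ints."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in re.split(r"[.,]", match.group()))


def _pad(version, width):
    """Right-pad with zeros so that 1.5 compares as 1.5.0."""
    return version + (0,) * (width - len(version))


def needs_update(product, version_text):
    """True when the reported version is older than the fixed release."""
    fixed = FIXED[product.strip().lower()]
    found = parse_version(version_text)
    width = max(len(fixed), len(found))
    # Tuples compare field by field as integers, so 10.0.9 sorts below 10.0.42.
    return _pad(found, width) < _pad(fixed, width)


def triage(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if needs_update(row[1], row[2])]


# Constructed inventory rows: (host, product, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "Flash Player", "WIN 10,0,32,18"),
    ("ws-02", "Flash Player", "10.0.42.34"),
    ("ws-03", "Flash Player", "LNX 10,0,15,3"),
    ("ws-04", "AIR", "1.5"),
    ("ws-05", "AIR", "1.5.3"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed release")
```

Because a host can carry one Flash Player build per browser, as the bulletin notes, feed the helper one row per browser plugin rather than one row per machine.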