Tuesday, February 24, 2009

Adobe Flash Security Update

Adobe has issued a Flash Player update to address security vulnerabilities. The details from the update notice are copied below. This is not a fix for the previously reported Critical Vulnerability in Adobe Reader.

Note: I found that several of the global and website settings configured previously had to be reset. Instructions on how to use the On-line Settings Manager to configure Flash Player settings are available in the Cyber Security Awareness Tip of the Day: October 19.

Release date: February 24, 2009

Vulnerability identifier: APSB09-01

CVE number: CVE-2009-0519, CVE-2009-0520, CVE-2009-0522, CVE-2009-0114, CVE-2009-0521

Platform: All Platforms

Summary

A potential vulnerability has been identified in Adobe Flash Player 10.0.12.36 and earlier that could allow an attacker who successfully exploits this potential vulnerability to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit this potential vulnerability. Additional vulnerabilities have been addressed in this update. Adobe recommends users update to the most current version of Flash Player available for their platform.

Affected software versions

Adobe Flash Player 10.0.12.36 and earlier (Adobe Flash Player 10.0.15.3 and earlier for Linux)

To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Solution

Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.159.0, which can be downloaded from the following link.
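To make the version check above and the two fixed builds in this solution section easy to apply across several browsers, here is an added Python helper (not Adobe's code, and not from the original post). It assumes the version string is either the "WIN 10,0,12,36" form shown in the About Flash Player page (the Capabilities.version format) or a bare dotted version, and compares it against the 10.0.22.87 and 9.0.159.0 builds named in the advisory.

```python
"""Check a reported Flash Player version against the builds fixed by APSB09-01."""
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# Fixed builds named in the advisory: 10.0.22.87 for everyone, and the
# patched 9.0.159.0 for users who cannot move to Flash Player 10.
FIXED_10: Version = (10, 0, 22, 87)
FIXED_9: Version = (9, 0, 159, 0)


def parse_version(text: str) -> Tuple[str, Version]:
    """Parse 'WIN 10,0,12,36' (the About page / Capabilities.version form)
    or a bare '10.0.15.3'. Returns (platform tag, numeric version)."""
    platform, _, number = text.strip().rpartition(" ")
    parts = number.replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Flash Player version: {text!r}")
    major, minor, release, build = (int(p) for p in parts)
    return (platform.upper() or "UNKNOWN"), (major, minor, release, build)


def assess(text: str) -> Dict[str, object]:
    """Decide whether this build is still exposed and which build to install."""
    platform, version = parse_version(text)
    if version[0] == 9:
        affected = version < FIXED_9      # 9.0.159.0 carries the backported fix
        target = FIXED_9                  # minimum; 10.0.22.87 is still preferred
    elif version[0] >= 10:
        affected = version < FIXED_10     # tuple order also covers 10.0.15.3 (Linux)
        target = FIXED_10
    else:
        affected = True                   # no patched build exists for older majors
        target = FIXED_10
    return {"platform": platform, "version": version,
            "affected": affected, "install_at_least": ".".join(map(str, target))}


if __name__ == "__main__":
    # Constructed sample strings, one per browser, as read from the About page.
    for reported in ("WIN 10,0,12,36", "LNX 10,0,15,3", "MAC 10,0,22,87", "WIN 9,0,124,0"):
        print(reported, "->", assess(reported))
```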

Severity rating

Adobe categorizes this as a critical update and recommends affected users upgrade to version 10.0.22.87.

Details

This update resolves a buffer overflow issue that could potentially allow an attacker to execute arbitrary code. (CVE-2009-0520)

This update resolves an input validation issue that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible. (CVE-2009-0519)

An update to the Flash Player settings manager display page on Adobe.com has been deployed to avoid a potential Clickjacking issue variant for Flash Player. The Settings Manager is a special control panel that runs on your local computer but is displayed within and accessed from the Adobe website. (CVE-2009-0114)

This update resolves a Windows-only issue with mouse pointer display that could potentially contribute to a Clickjacking attack. (CVE-2009-0522)

This update prevents a potential Linux-only information disclosure issue in the Flash Player binary that could lead to privilege escalation. (CVE-2009-0521)


References:

Adobe - Security Advisories : APSB09-01 - Flash Player update available to address security vulnerabilities