=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2008/VULN528
_____________________________________________________________________

DATE                      : 18/11/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Flash Player.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb08-22.html
______________________________________________________________________

Additional disclosure of security vulnerabilities fixed in Flash Player
10.0.12.36 and Flash Player 9.0.151.0

Release date: November 17, 2008

Vulnerability identifier: APSB08-22

CVE number: CVE-2008-4824

Platform: All Platforms

Summary

Critical vulnerabilities were identified in Adobe Flash Player 9.0.124.0
and earlier that could allow an attacker who successfully exploits them
to take control of the affected system. A malicious SWF must be loaded
in Flash Player by the user for an attacker to exploit these
vulnerabilities.

The updates to Flash Player 10.0.12.36 and Flash Player 9.0.151.0 address
the issues outlined in this Security Bulletin as well as the issues
previously reported in Security Bulletins APSB08-18 and APSB08-20.

The vulnerabilities outlined in this bulletin were not previously disclosed.
They were, however, already fixed in the most recent Flash Player updates,
which have been available to users since Security Bulletins APSB08-18 and
APSB08-20 were published. No further update is therefore required for
customers who have already updated to Flash Player 10.0.12.36 or Flash
Player 9.0.151.0.

Adobe AIR customers should update to Adobe AIR 1.5.

Affected software versions

Adobe Flash Player 9.0.124.0 and earlier.

To verify the Adobe Flash Player version number, access the About Flash
Player page, or right-click on Flash content and select “About Adobe
(or Macromedia) Flash Player” from the menu. If you use multiple browsers,
perform the check for each browser you have installed on your system.
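Where many hosts or browsers must be checked, the version strings collected
from the About page or plugin list can be classified automatically. The
script below is an added example and is not part of the Adobe bulletin or
of CERT-Renater's note. It accepts the dotted form used in this bulletin
(10.0.12.36), the "WIN 9,0,124,0" form that the About page and
flash.system.Capabilities.version report, and, as an assumption, a
"Shockwave Flash 10.0 r12" browser plugin-list form that carries no build
number. It decides per branch (9.x against 9.0.151.0, 10.x against
10.0.12.36) and returns "indeterminate" rather than guessing when the build
number is missing and would change the answer. Host names and version
strings in the sample inventory are constructed.

```python
"""Classify Flash Player version strings against the builds APSB08-22 lists
as fixed (10.0.12.36 on the 10.x branch, 9.0.151.0 on the 9.x branch)."""
import re
from typing import Dict, Optional, Tuple

# Fixed builds named in the bulletin, keyed by major version (branch).
FIXED_BUILDS: Dict[int, Tuple[int, int, int, int]] = {
    10: (10, 0, 12, 36),
    9: (9, 0, 151, 0),
}

# Shapes a version string can take. The first two are Adobe's own formats
# (the bulletin's dotted form and the "WIN 9,0,124,0" form the About page and
# flash.system.Capabilities.version report); the "10.0 r12" plugin-list form
# is an assumption of this example and carries no build number.
_DOTTED = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")
_COMMA = re.compile(r"\b[A-Z]{3}\s+(\d+),(\d+),(\d+),(\d+)\b")
_RELEASE = re.compile(r"\b(\d+)\.(\d+)\s+r(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, release, build), a 3-tuple when the build
    number is absent, or None when no Flash version is recognised."""
    for pattern in (_DOTTED, _COMMA, _RELEASE):
        m = pattern.search(text)
        if m:
            return tuple(int(g) for g in m.groups())
    return None


def status(text: str) -> str:
    """One of 'fixed', 'vulnerable', 'indeterminate', 'unknown' with respect
    to APSB08-22. Anything below the patched build on its branch is treated
    as vulnerable (conservative: the bulletin names 9.0.124.0 and earlier)."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    major = version[0]
    if major > 10:
        return "fixed"        # newer than any build this bulletin covers
    if major < 9:
        return "vulnerable"   # older than the 9.x branch: never patched
    fixed = FIXED_BUILDS[major]
    if len(version) == 4:
        return "fixed" if version >= fixed else "vulnerable"
    # Only major.minor.release known: decide on those three components.
    if version > fixed[:3]:
        return "fixed"
    if version < fixed[:3]:
        return "vulnerable"
    # Same release as the fix: safe only when the fixed build number is 0
    # (9.0.151.0); for 10.0.12 the build could be anything below 36.
    return "fixed" if fixed[3] == 0 else "indeterminate"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a {host: version string} inventory."""
    return {host: status(text) for host, text in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; not data from the bulletin.
    sample = {
        "ws-01": "WIN 9,0,124,0",
        "ws-02": "10.0.12.36",
        "lx-01": "LNX 9,0,151,0",
        "ff-01": "Shockwave Flash 10.0 r12",
        "ff-02": "Shockwave Flash 9.0 r124",
        "old-1": "8.0.35.0",
    }
    for host, result in audit(sample).items():
        print(f"{host:6} {sample[host]:28} {result}")
```

The script does not read the version off a machine itself; feed it the
string shown by the About page or the browser's plugin list, once per
installed browser as the bulletin asks. The dotted pattern is a heuristic
and will also match any other four-part number in the input (an IP address,
for instance), so pass it the version string alone rather than a whole
page of text.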

Solution

Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier
versions upgrade to the newest version 10.0.12.36 by downloading it
from the Player Download Center, or by using the auto-update mechanism
within the product when prompted.

For users who cannot update to Flash Player 10, Adobe has developed a
patched version of Flash Player 9, Flash Player 9.0.151.0, which can
be downloaded from the following link.

Adobe AIR customers should update to Adobe AIR 1.5.

Severity rating

Adobe categorizes this as a critical update and recommends affected
users upgrade to version 10.0.12.36.

Details

In addition to the issues previously reported in Security Bulletins
APSB08-18 and APSB08-20, the Flash Player 10.0.12.36 and Flash Player
9.0.151.0 updates address multiple input validation errors that could
lead to execution of arbitrary code. These vulnerabilities can be
triggered by content delivered from a remote location via the user's web
browser, email client, or any other application that includes or
references the Flash Player.

No Flash Player update is required for customers who have already updated
to Flash Player 10.0.12.36 or Flash Player 9.0.151.0. Adobe recommends
all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to
the newest version 10.0.12.36 by downloading it from the Player Download
Center. Adobe AIR customers should update to Adobe AIR 1.5.


Affected software                    Recommended      Availability
                                     player update

Flash Player 9.0.124.0 and earlier   10.0.12.36       Player Download Center

Flash Player 9.0.124.0 and earlier,  10.0.12.36       Player Licensing
network distribution

Flash Player 9.0.124.0 and earlier   10.0.12.36       Player Download Center
for Linux

AIR 1.1                              AIR 1.5          AIR Download Center

Flash CS4 Professional               10.0.12.36       Adobe Flash Player 10 Update
                                                      for Flash CS4 Professional

Flash CS3 Professional               9.0.151.0        Adobe Flash Player 9 Update
                                                      for Flash CS3 Professional

Flex 3                               10.0.12.36       Flash Debug Player Updater


Acknowledgments

Adobe would like to thank Riley Hassell and Josh Zelonis of iSEC
Partners for reporting these issues and for working with Adobe to
help protect our customers' security.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
