=====================================================================
                                   CERT-Renater

                        Information Note No. 2008/VULN604
_____________________________________________________________________

DATE                      : 18/12/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Linux Flash Player.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb08-24.html
______________________________________________________________________

Security update available for Linux Flash Player 10.0.12.36 and Linux
Flash Player 9.0.151.0

Release date: December 17, 2008

Vulnerability identifier: APSB08-24

CVE number: CVE-2008-5499

Platform: Linux

Summary

A critical vulnerability has been identified in Adobe Flash Player for
Linux 10.0.12.36, Adobe Flash Player for Linux 9.0.151.0 and earlier
that could allow an attacker who successfully exploits this potential
vulnerability to take control of the affected system. A specially formed
SWF must be loaded in Flash Player for Linux by the user for an attacker
to exploit this potential vulnerability.


Affected software versions

Adobe Flash Player for Linux 10.0.12.36 and Adobe Flash Player for Linux
9.0.151.0 and earlier.

To verify the Adobe Flash Player version number, access the About Flash
Player page, or right-click on Flash content and select “About Adobe
(or Macromedia) Flash Player” from the menu. If you use multiple browsers,
perform the check for each browser you have installed on your system.


Solution

Adobe recommends all users of Flash Player for Linux 10.0.12.36 and Flash
Player for Linux 9.0.151.0 and earlier versions upgrade to the newest version
10.0.15.3 by downloading it from the Player Download Center, or by using
the auto-update mechanism within the product when prompted.

For users who cannot update to Flash Player for Linux 10.0.15.3, Adobe has
developed a patched version, Flash Player for Linux 9.0.152.0, which can be
downloaded from the following link.


Severity rating

Adobe categorizes this as a critical update and recommends affected users
upgrade to version 10.0.15.3.


Details

A critical vulnerability has been identified in the Adobe Flash Player for
Linux 10.0.12.36, Adobe Flash Player for Linux 9.0.151.0 and earlier that
could allow an attacker who successfully exploits this potential vulnerability
to take control of the affected system. A specially formed SWF must be loaded
in Flash Player by the user for an attacker to exploit this potential
vulnerability. This issue is remotely exploitable.

This issue does not affect Adobe Flash Player for Mac or Windows.


Affected software                      Recommended player update   Availability
--------------------------------------------------------------------------------------
Flash Player for Linux 10.0.12.36      10.0.15.3                   Player Download Center

Flash Player for Linux 9.0.151.0       9.0.152.0                   Flash Player 9 for
and earlier users who cannot upgrade                               Unsupported Operating
to Flash Player 10.0.15.3                                          Systems TechNote

Flash Player for Linux 10.0.12.35      10.0.15.3                   Player Licensing
or 9.0.151.0 and earlier - network
distribution
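
The version check from "Affected software versions", applied across several
machines against the fixed releases in the table above. This is an added
example, not code from Adobe or CERT-Renater; the hostnames, the sample
inventory and the choice to treat every 10.x build below 10.0.15.3 as affected
are assumptions.

```python
import re

# Fixed releases named in the bulletin, keyed by major branch.
FIXED = {10: (10, 0, 15, 3), 9: (9, 0, 152, 0)}

# Accepts the dotted form ("10.0.12.36") and the comma form Flash Player
# reports in its version string ("LNX 10,0,12,36").
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Return (status, recommended_update) for a Linux Flash Player version."""
    version = parse_version(text)
    major = version[0]
    if major < 9:
        # Older branches fall under "9.0.151.0 and earlier".
        return ("affected", "10.0.15.3")
    # Assumption: any 10.x build below 10.0.15.3 is treated as affected.
    fixed = FIXED[9] if major == 9 else FIXED[10]
    # Compare as integer tuples: as strings, "9.0.31.0" sorts above "9.0.152.0".
    if version >= fixed:
        return ("fixed", None)
    if major == 9:
        return ("affected", "10.0.15.3, or 9.0.152.0 if 10 cannot be installed")
    return ("affected", "10.0.15.3")


def hosts_needing_update(inventory):
    """Map hostname -> recommended update for every affected host."""
    verdicts = {host: classify(ver) for host, ver in inventory.items()}
    return {h: upd for h, (status, upd) in verdicts.items() if status == "affected"}


# Constructed sample inventory (hypothetical hostnames and reported versions).
SAMPLE_INVENTORY = {
    "ws-01": "LNX 10,0,12,36",
    "ws-02": "10.0.15.3",
    "ws-03": "9.0.31.0",
}
```
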

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================




