=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN304
_____________________________________________________________________

DATE                      : 31/07/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Adobe Flash Player.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb09-10.html
______________________________________________________________________

Security updates available for Adobe Flash Player

Release date: July 30, 2009

Vulnerability identifier: APSB09-10

CVE number: CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493,
CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867,
CVE-2009-1868, CVE-2009-1869, CVE-2009-1870

Platform: All Platforms


Summary

Critical vulnerabilities have been identified in the current versions
of Adobe Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh
and Linux operating systems. These vulnerabilities could cause the application
to crash and could potentially allow an attacker to take control of the
affected system.

We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows,
Macintosh and UNIX by July 31, 2009.  This bulletin will be updated to reflect
their availability on that date.  (The update for Adobe Flash Player v9
and v10 for Solaris is still pending.)

Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier
versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18.  Adobe
recommends users of Adobe AIR version 1.5.1 and earlier versions update
*to Adobe AIR 1.5.2.


Affected software versions

Adobe Flash Player 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions

To verify the Adobe Flash Player version number, access the About Flash Player
page, or right-click on Flash content and select “About Adobe (or Macromedia)
Flash Player” from the menu. If you use multiple browsers, perform the check
for each browser you have installed on your system.

Adobe AIR 1.5.1 and earlier versions


Solution

Adobe Flash Player

Adobe recommends all users of Adobe Flash Player 10.0.22.87 and earlier
versions upgrade to the newest version 10.0.32.18 by downloading it from
the Player Download Center, or by using the auto-update mechanism within
the product when prompted.

For users who cannot update to Adobe Flash Player 10, Adobe has developed
a patched version of Adobe Flash Player 9, Adobe Flash Player 9.0.246.0,
which can be downloaded from the following link:
http://www.adobe.com/products/flashplayer/fp_distribution3.html.

Adobe AIR

Adobe recommends all users of Adobe AIR version 1.5.1 and earlier update
to the newest version 1.5.2 by downloading it from the Adobe AIR Download
Center.


Severity rating

Adobe categorizes these as critical issues and recommends affected users
patch their installations.


Details

Critical vulnerabilities have been identified in the current versions of
Adobe Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and
Linux operating systems. These vulnerabilities could cause the application
to crash and could potentially allow an attacker to take control of the
affected system.

We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for
Windows, Macintosh and UNIX by July 31, 2009.  This bulletin will be
updated to reflect their availability on that date.  (The update for
Adobe Flash Player v9 and v10 for Solaris is still pending.)

Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier
versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18.
Adobe recommends users of Adobe AIR version 1.5.1 and earlier versions
update to Adobe AIR 1.5.2.

The update for Adobe Flash Player and Adobe AIR, Adobe Reader and Acrobat
resolves a memory corruption vulnerability that could potentially lead to
code execution (CVE-2009-1862).

The update for Adobe Flash Player resolves the vulnerable version of
the Microsoft Active Template Library (ATL) described in
Microsoft Security Advisory (973882).  This vulnerability could allow
an attacker who successfully exploits the vulnerability to take control
of the affected system (CVE-2009-0901, CVE-2009-2395, CVE-2009-2493).

The update for Adobe Flash Player and Adobe AIR resolves the privilege
escalation vulnerability that could potentially lead to code execution
(CVE-2009-1863).

The update for Adobe Flash Player and Adobe AIR resolves the heap overflow
vulnerability that could potentially lead to code execution (CVE-2009-1864).

The update for Adobe Flash Player and Adobe AIR resolves the null pointer
vulnerability that could potentially lead to code execution (CVE-2009-1865).

The update for Adobe Flash Player and Adobe AIR resolves the stack overflow
vulnerability that could potentially lead to code execution (CVE-2009-1866).

The update for Adobe Flash Player and Adobe AIR resolves a clickjacking
vulnerability that could allow an attacker to lure a web browser user into
unknowingly clicking on a link or dialog (CVE-2009-1867).

The update for Adobe Flash Player and Adobe AIR resolves the URL parsing
heap overflow vulnerability that could potentially lead to code execution
(CVE-2009-1868).

The update for Adobe Flash Player and Adobe AIR resolves the integer overflow
vulnerability that could potentially lead to code execution (CVE-2009-1869).

The update for Adobe Flash Player and Adobe AIR resolves a local sandbox
vulnerability that could potentially lead to information disclosure when
SWFs are saved to the hard drive (CVE-2009-1870).


Acknowledgments

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect
our customers’ security:

    * lakehu of Tencent Security Center (CVE-2009-1862)
    * David Dewey of IBM ISS X-Force , Ryan Smith of VeriSign iDefense Labs
, and Microsoft Vulnerability Research Program (MSVR) (CVE-2009-0901,
CVE-2009-2395, CVE-2009-2493)
    * Mike Wroe (CVE-2009-1863)
    * iDefense (CVE-2009-1864, CVE-2009-1868)
    * Chen Chen of Venustech (CVE-2009-1865, CVE-2009-1866)
    * Joran Benker (CVE-2009-1867)
    * Roee Hay of IBM Rational Application Security (CVE-2009-1869)
    * Microsoft Vulnerability Research Program (MSVR) (CVE-2009-1870)



======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================