=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN366
_____________________________________________________________________

DATE                      : 21/09/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Adobe Flash Player versions
                             prior to 10.1.85.3, 10.1.95.1, 9.0.283,
                             Adobe Reader, Adobe Acrobat,
                             Google Chrome versions prior to 6.0.472.62.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb10-22.html
______________________________________________________________________
	
Security update available for Adobe Flash Player

Release date: September 20, 2010

Vulnerability identifier: APSB10-22

CVE number: CVE-2010-2884

Platform: All Platforms

Summary

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and
earlier versions for Windows, Macintosh, Linux, and Solaris, and
Adobe Flash Player 10.1.92.10 for Android. This vulnerability also
affects Adobe Reader 9.3.4 and earlier versions for Windows,
Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions
for Windows and Macintosh. This vulnerability (CVE-2010-2884)
could cause a crash and potentially allow an attacker to take
control of the affected system. There are reports that this
vulnerability is being actively exploited in the wild against
Adobe Flash Player on Windows. Adobe is not aware of any attacks
exploiting this vulnerability against Adobe Reader or Acrobat to date.

Adobe recommends users of Adobe Flash Player 10.1.82.76 and
earlier versions for Windows, Macintosh, Linux, and Solaris
update to Adobe Flash Player 10.1.85.3, and users of
Adobe Flash Player 10.1.92.10 for Android update to
Adobe Flash Player 10.1.95.1.

Affected software versions

Adobe Flash Player 10.1.82.76 and earlier versions for Windows,
Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.92.10
for Android.

To verify the version of Adobe Flash Player installed on your
system, access the About Flash Player page, or right-click on
content running in Flash Player and select "About Adobe
(or Macromedia) Flash Player" from the menu. If you use multiple
browsers, perform the check for each browser you have installed
on your system.


Solution

Adobe recommends all users of Adobe Flash Player 10.1.82.76 and
earlier versions upgrade to the newest version 10.1.85.3 by
downloading it from the Adobe Flash Player Download Center or
by installing it via the auto-update mechanism within the
product when prompted.

Users of Flash Player for Android version 10.1.92.10 and earlier
can update to Flash Player version 10.1.95.1 by browsing to the
Android Marketplace on an Android phone.

For users who cannot update to Flash Player 10.1.85.3, Adobe has
developed a patched version of Flash Player 9, Flash Player 9.0.283,
which can be downloaded here.
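
The version check described above, applied to a whole inventory, as an
added example that is not part of the Adobe bulletin or the CERT-Renater
note. Host names, platform labels and inventory rows are constructed; the
fixed versions are those stated in the bulletin, with 9.0.283 padded to
four components as an assumption.

```python
import re

# Fixed versions as stated in the bulletin text above.
FIXED_DESKTOP = (10, 1, 85, 3)   # Windows, Macintosh, Linux, Solaris
FIXED_ANDROID = (10, 1, 95, 1)
FIXED_FP9 = (9, 0, 283, 0)       # bulletin gives "9.0.283"; padded (assumption)


def parse_version(text):
    """Turn '10.1.82.76' or '10,1,82,76' into a 4-tuple of ints."""
    parts = re.findall(r"\d+", text)
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def triage(version_text, platform):
    """Return 'patched' or 'update-required' for one installed player."""
    v = parse_version(version_text)
    if platform == "android":
        fixed = FIXED_ANDROID
    elif v[0] == 9:
        fixed = FIXED_FP9        # patched Flash Player 9 branch
    else:
        fixed = FIXED_DESKTOP    # 10.x, and older branches with no in-branch fix
    return "patched" if v >= fixed else "update-required"


# Constructed inventory: (host, platform, reported Flash Player version).
INVENTORY = [
    ("host-a", "windows", "10.1.82.76"),
    ("host-b", "linux", "10,1,85,3"),
    ("host-c", "macintosh", "9.0.280"),
    ("host-d", "windows", "9.0.283"),
    ("phone-e", "android", "10.1.92.10"),
    ("phone-f", "android", "10.1.95.1"),
]


def needs_update(inventory):
    """List the hosts whose player is older than the fixed version."""
    return [h for h, plat, ver in inventory
            if triage(ver, plat) == "update-required"]


if __name__ == "__main__":
    for host in needs_update(INVENTORY):
        print(host, "update-required")
```

Because each browser can carry its own copy of the player, an inventory
should hold one row per browser plugin rather than one row per machine.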


Severity rating

Adobe categorizes this as a critical update and recommends affected
users update their installations to the newest versions.


Details

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and
earlier versions for Windows, Macintosh, Linux, and Solaris, and
Adobe Flash Player 10.1.92.10 for Android. This vulnerability also
affects Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh
and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and
Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and
potentially allow an attacker to take control of the affected system.
There are reports that this vulnerability is being actively exploited
in the wild against Adobe Flash Player on Windows. Adobe is not aware
of any attacks exploiting this vulnerability against Adobe Reader or
Acrobat to date.

Adobe recommends users of Adobe Flash Player 10.1.82.76 and earlier
versions for Windows, Macintosh, Linux, and Solaris update to
Adobe Flash Player 10.1.85.3, and users of
Adobe Flash Player 10.1.92.10 for Android update to
Adobe Flash Player 10.1.95.1.

We expect to provide updates for Adobe Reader 9.3.4 for Windows,
Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh
during the week of October 4, 2010.

Google Chrome users can update to Chrome 6.0.472.62. To verify your
current Chrome version number and update if necessary, follow the
instructions here:
http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414.


Acknowledgments

Adobe would like to thank Bo Qu of Palo Alto Networks for reporting
the relevant issue and for working with Adobe to help protect our
customers.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
