IT Security Office

Alert

[PATCH NOW] Adobe Flash Player update

Posted: 2009-02-27 10:26:00

Summary: Adobe Flash Player contains a vulnerability that could allow a maliciously crafted SWF file to take control of an affected system.

Affected Systems:

Windows systems running Flash Player version 10.0.12.36 and earlier, AIR version 1.5, Flash CS3 and CS4 Professional, and Flex 3. Linux systems running Adobe Flash Player version 10.0.15.3 and earlier are also affected

Please note:

Adobe categorizes this as a critical update and recommends that users upgrade to 10.0.22.87 as soon as possible. Users who cannot upgrade to Flash 10 should apply the Adobe-supplied patch for Flash 9.

Description:

This update resolves a Windows-only issue with mouse pointer display that could potentially contribute to a clickjacking attack. (More on clickjacking: http://en.wikipedia.org/wiki/Clickjacking) In Linux, this update prevents a potential information disclosure issue that could lead to privilege escalation on the affected system.

Solution:

Upgrade to Flash Player version 10.0.22.87. If you have Adobe AIR installed, upgrade it to version 1.5.1. Flash CS3 Professional should be upgraded to version 9.0.159.0.

References:

Adobe Flash 10 update: http://www.adobe.com/go/getflashplayer
Adobe Flash 9 update: http://www.adobe.com/go/kb406791
Adobe AIR update: http://get.adobe.com/air
Version test for Adobe Flash Player: http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507

Source:

http://www.adobe.com/support/security/bulletins/apsb09-01.html
http://isc.sans.org/diary.html?storyid=5929

Organization

Projects

Services

Resources

Security Issues

Contact ITSO

Other Security Sites