Technical Cyber Alert - Adobe Flash and Air Vulnerabilities

Prev: You do understand
Next: Sysinternals Tools - Process Explorer 12.04, Autoruns10.0, Sigcheck 1.7, ProcDump 1.8

From: Nicetameetya on 11 Jun 2010 21:55

---

National Cyber Alert System

Technical Cyber Security Alert TA10-162A


Adobe Flash and AIR Vulnerabilities

Original release date: June 11, 2010
Last revised: --
Source: US-CERT


Systems Affected

* Adobe Flash Player 10.0.45.2 and earlier 10.x versions
* Adobe Flash Player 9.0.262 and earlier 9.x versions
* Adobe AIR 1.5.3.9130 and earlier versions

Other Adobe products that support Flash may also be vulnerable.


Overview

According to Adobe Security Bulletin APSB10-14, there are
vulnerabilities in Adobe Flash and AIR. These vulnerabilities
affect Flash Player, AIR, and possibly other products that support
Flash. A remote attacker could exploit these vulnerabilities to
execute arbitrary code.


I. Description

Adobe Security Bulletin APSB10-14 describes vulnerabilities in
Adobe Flash that affects Flash Player and AIR. It may also affect
other products that independently support Flash, such as Adobe
Reader, Acrobat, Photoshop, Photoshop Lightroom, Freehand MX, and
Fireworks.

An attacker could exploit these vulnerabilities by convincing a
user to open specially crafted Flash content. Flash content is
commonly hosted on a web page, but it can also be embedded in a PDF
and other documents or provided as a stand-alone file.

One of these vulnerabilities, CVE-2010-1297, is being exploited
against Flash Player, Adobe Reader, and Acrobat. Additional
information about CVE-2010-1297 is available in US-CERT Technical
Cyber Security Alert TA10-159A and US-CERT Vulnerability Note
VU#486225.


II. Impact

If a user opens specially crafted Flash content, a remote attacker
may be able to execute arbitrary code.


III. Solution

Update Flash and AIR

Adobe Security Bulletin APSB10-14 recommends updating to Flash
Player 10.1.53.64 or 9.0.277.0 and AIR to 2.0.2.12610. This will
update the Flash web browser plug-in and ActiveX control and AIR,
but will not update Flash support in Adobe Reader, Acrobat, or
other products.

To reduce your exposure to these and other Flash vulnerabilities,
consider the following mitigation technique.

Disable Flash in your web browser

Uninstall Flash or restrict which sites are allowed to run Flash.
To the extent possible, only run trusted Flash content on trusted
domains. For more information, see Securing Your Web Browser.


IV. References

* Adobe Security Bulletin APSB10-14 -
<http://www.adobe.com/support/security/bulletins/apsb10-14.html>

* Technical Cyber Security Alert TA10-159A -
<http://www.us-cert.gov/cas/techalerts/TA10-159A.html>

* US-CERT Vulnerability Report VU#486225 -
<http://www.kb.cert.org/vuls/id/486225>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>

* CVE-2010-1297 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA10-162A.html>

From: Craig on 12 Jun 2010 00:38

---

On 06/11/2010 06:55 PM, Nicetameetya wrote:

That's odd. The cyber alert I rec'd was a bit different....
>
> Overview
>
> Here we go again
>
>
> I. Description
>
> Products which are bloated & leaky, like your morbidly obese
> uncle Roscoe after his colostomy
>
> II. Impact
>
> More admin'ing, less computing
>
>
> III. Solution
>
> HTML5
>
>
> IV. References
>
> * HTML5 Overview
> <http://dev.w3.org/html5/spec/Overview.html>
>
> * Latest HTML5 Draft Specification
> <http://www.w3.org/TR/html5/>
>
> * Adobe accused of blocking HTML5 spec-
> <http://www.geek.com/articles/chips/adobe-responds-to-accusations-of-blocking-html5-spec-to-protect-flash-20100215/>
>
--
-Craig

From: John Corliss on 12 Jun 2010 05:09

---

Nicetameetya wrote:
>
>
> National Cyber Alert System
>
> Technical Cyber Security Alert TA10-162A
>
>
> Adobe Flash and AIR Vulnerabilities
>
> Original release date: June 11, 2010
> Last revised: --
> Source: US-CERT
>
>
> Systems Affected
>
> * Adobe Flash Player 10.0.45.2 and earlier 10.x versions
> * Adobe Flash Player 9.0.262 and earlier 9.x versions
> * Adobe AIR 1.5.3.9130 and earlier versions (snip)

So... I just updated Adobe Flash Player to the latest version. As I did
so, I noticed that the plugin at some point was named "Adobe Flash
Powered by getPlus+(R)". After the installation, the name listed in the
Firefox Plugin list is simply "Shockwave Flash".

I also noticed that there is now a new third party extension listed
named "Adobe DLM (powered by getPlus (R)".

You might say that it's not a third party extension because it has
"Adobe" in its name, but I checked my firewall's rules and it's just
named "getPlus+(R)".

This is entirely unacceptable. To me, it looks like Adobe came up with a
scare tactic to get users of Flash to install this "getPlus+(R)" POS, so
I just removed that third party extension.

Maybe Adobe is scrambling to make some kind of change to Flash Player
which will make it necessary even if you're using an HTML5 capable
browser? I don't know. All I know is that I've been sick and tired of
Flash and its invasive bullshit for a long time.

--
John Corliss BS206. Because of all the Googlespam, I block all posts
sent through Google Groups. I also block as many posts from anonymous
remailers (like x-privat.org for eg.) as possible due to forgeries
posted through them.

No ad, CD, commercial, cripple, demo, nag, share, spy, time-limited,
trial or web wares OR warez for me, please. Adobe Flash sucks, DivX rules.

From: John Corliss on 12 Jun 2010 05:11

---

John Corliss wrote:
> Nicetameetya wrote:
>>
>>
>> National Cyber Alert System
>>
>> Technical Cyber Security Alert TA10-162A
>>
>>
>> Adobe Flash and AIR Vulnerabilities
>>
>> Original release date: June 11, 2010
>> Last revised: --
>> Source: US-CERT
>>
>>
>> Systems Affected
>>
>> * Adobe Flash Player 10.0.45.2 and earlier 10.x versions
>> * Adobe Flash Player 9.0.262 and earlier 9.x versions
>> * Adobe AIR 1.5.3.9130 and earlier versions (snip)
>
> So... I just updated Adobe Flash Player to the latest version. As I did
> so, I noticed that the plugin at some point was named "Adobe Flash
> Powered by getPlus+(R)". After the installation, the name listed in the
> Firefox Plugin list is simply "Shockwave Flash".
>
> I also noticed that there is now a new third party extension listed
> named "Adobe DLM (powered by getPlus (R)".
>
> You might say that it's not a third party extension because it has
> "Adobe" in its name, but I checked my firewall's rules and it's just
> named "getPlus+(R)".
>
> This is entirely unacceptable. To me, it looks like Adobe came up with a
> scare tactic to get users of Flash to install this "getPlus+(R)" POS, so
> I just removed that third party extension.
>
> Maybe Adobe is scrambling to make some kind of change to Flash Player
> which will make it necessary even if you're using an HTML5 capable
> browser? I don't know. All I know is that I've been sick and tired of
> Flash and its invasive bullshit for a long time.

And yes, I know that the "DLM" in the 3rd party extension name stands
for "DownLoad Manager". I'll take my chances and do without it.

--
John Corliss BS206. Because of all the Googlespam, I block all posts
sent through Google Groups. I also block as many posts from anonymous
remailers (like x-privat.org for eg.) as possible due to forgeries
posted through them.

No ad, CD, commercial, cripple, demo, nag, share, spy, time-limited,
trial or web wares OR warez for me, please. Adobe Flash sucks, DivX rules.

From: Gordon Darling on 12 Jun 2010 05:24

---

On Sat, 12 Jun 2010 02:11:25 -0700, John Corliss wrote:

<snip>

> And yes, I know that the "DLM" in the 3rd party extension name stands
> for "DownLoad Manager". I'll take my chances and do without it.

Adobe Forum discussion

http://forums.adobe.com/thread/449779

Regards
Gordon





--
ox·y·mo·ron
n. pl. ox·y·mo·ra or ox·y·mo·rons
A rhetorical figure in which incongruous or contradictory terms are
combined, as in Microsoft Security, Microsoft Help and Microsoft Works.

 |  Next  |  Last
Pages: 1 2
Prev: You do understand
Next: Sysinternals Tools - Process Explorer 12.04, Autoruns10.0, Sigcheck 1.7, ProcDump 1.8