CIS CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2010-047

DATE(S) ISSUED:
6/11/2010

SUBJECT:
Multiple Vulnerabilities Discovered in Adobe Products

OVERVIEW:

Thirty vulnerabilities have been discovered in Adobe Flash Player and Adobe AIR. Adobe Flash Player is a widely distributed multimedia and application player for Microsoft Windows, Mozilla, and Apple systems. It is used to enhance the user experience when visiting web pages or reading email messages. Adobe AIR is a cross-platform runtime for developing Internet applications on the desktop. These vulnerabilities can be exploited if a user visits a malicious website or opens an email attachment containing Flash media designed to exploit these vulnerabilities.

Successful exploitation of twenty-seven of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges. The remaining vulnerabilities could allow an attacker to direct malicious content to a web browser or create denial-of-service conditions.

SYSTEMS AFFECTED:

  • Adobe Flash Player 10.0.45.2 and earlier
  • Adobe AIR 1.5.3.9130 and earlier

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
Thirty security vulnerabilities have been identified in Adobe Flash Player and Adobe AIR. These vulnerabilities can be exploited if a user visits a malicious website or opens an email attachment containing a Flash media file designed to trigger these issues. The vulnerabilities are as follows:

  • Fourteen vulnerabilities caused by unspecified memory-corruption errors could result in remote code-execution.
  • Multiple heap-based buffer-overflow vulnerabilities could result in remote arbitrary code-execution.
  • Three integer-overflow vulnerabilities could result in remote code-execution.
  • Two invalid-pointer vulnerabilities could result in remote arbitrary code-execution.
  • A remote code-execution vulnerability caused by an indexing issue.
  • A remote arbitrary code-execution vulnerability caused by a memory-exhaustion issue.
  • An unspecified buffer-overflow vulnerability resulting in remote code-execution.
  • A remote arbitrary code-execution vulnerability due to a use-after-free condition.
  • A heap-corruption vulnerability could result in remote arbitrary code-execution.
  • A remote code-execution vulnerability due to a pointer memory-corruption issue.
  • A denial-of-service vulnerability affecting Flash Player 9 on unspecified UNIX platforms.
  • A denial-of-service vulnerability affecting unspecified vectors. Remote code-execution has not been ruled out.
  • A URL parsing vulnerability could lead to cross-site scripting attacks and is exploited only through Firefox and Chrome web browsers.

Successful exploitation of these vulnerabilities could allow an attacker to gain the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Adobe to vulnerable systems immediately after appropriate testing.
  • Systems running Adobe Flash Player 10.0.45.2 and earlier versions should be updated to version 10.1.53.64. Please note that, according to KrebsonSecurity, if you use both Internet Explorer and non-IE browsers you will need to apply this update twice: once by visiting the Flash Player installation page with IE, and again with Firefox, Opera, or whichever other browser you use.
  • Systems running Adobe AIR 1.5.3.9130 and earlier versions should be updated to version 2.0.2.12610.
  • Do not open email attachments from unknown or untrusted sources.
  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by attachments and hypertext links contained in emails, especially those from untrusted sources.
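Deciding which systems still need the updates above means comparing installed builds against the fixed releases numerically, not as strings. The following Python is an added example (not part of the advisory) that does that triage over a constructed inventory; the product names, host names and record layout are assumptions, while the version thresholds are the ones the advisory gives.

```python
"""Classify installed Adobe Flash Player / Adobe AIR builds against the
fixed releases named in this advisory.  Added example, not part of the
advisory; the inventory records below are constructed sample data."""
from typing import Dict, List, Tuple

# Fixed versions taken from the RECOMMENDATIONS section above.
FIXED_VERSIONS: Dict[str, str] = {
    "Adobe Flash Player": "10.1.53.64",
    "Adobe AIR": "2.0.2.12610",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so it compares
    numerically.  Plain string comparison gets this wrong: as strings,
    "9.0.280.0" > "10.1.53.64", yet it is the older build."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build predates the fixed release.
    Products not named in this advisory are reported as not affected."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return False
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records that still need the update.  Each record carries
    'host', 'product', 'version' and, for Flash, the 'plugin' type
    (ActiveX for Internet Explorer, NPAPI for other browsers): the advisory
    notes the update is applied once per browser family, so one host can
    legitimately appear twice with different results."""
    return [r for r in inventory if is_vulnerable(r["product"], r["version"])]


# Constructed sample inventory (host names and installed builds are made up).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "Adobe Flash Player", "plugin": "ActiveX", "version": "10.1.53.64"},
    {"host": "ws-01", "product": "Adobe Flash Player", "plugin": "NPAPI", "version": "10.0.45.2"},
    {"host": "ws-02", "product": "Adobe Flash Player", "plugin": "ActiveX", "version": "9.0.280.0"},
    {"host": "ws-03", "product": "Adobe AIR", "plugin": "", "version": "1.5.3.9130"},
    {"host": "ws-04", "product": "Adobe AIR", "plugin": "", "version": "2.0.2.12610"},
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_INVENTORY):
        print(f"{rec['host']}: {rec['product']} {rec['plugin']} {rec['version']} -> update needed")
```

On the sample data, ws-01 is flagged only for its NPAPI plugin (the IE side is already patched), ws-02 and ws-03 are flagged, and ws-04 is current.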

REFERENCES:
Security Focus:
(Please note that clicking on this link, which includes proof-of-concept code, may create a false-positive alert from your AV program)
http://www.securityfocus.com/bid/40759

Adobe:
http://www.adobe.com/support/security/bulletins/apsb10-14.html

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3793
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2160
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2161
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2162
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2163
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2164
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2165
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2166
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2167
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2169
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2170
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2171
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2172
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2173
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2174
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2175
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2176
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2177
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2178
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2179
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2180
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2181
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2182
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2183
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2184
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2185
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2186
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2187
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2188
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2189

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=871
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=872

KrebsonSecurity:
http://krebsonsecurity.com/