CERT-In Advisory CIAD-2009-10
Multiple Vulnerabilities in Adobe Flash player
Original issue date:
February 25, 2009
Severity Rating: High
Systems Affected
- Adobe Flash Player version 10.0.12.36 and prior
- Adobe Flash Player version 10.0.15.3 and prior for Linux
Overview
Multiple vulnerabilities have been identified in Adobe Flash Player, which could be exploited by attackers to cause a denial of service attack, manipulate certain data, gain sensitive information or compromise a vulnerable system.
Description
1. Update for Clickjacking Attacks (CVE-2009-0114)
An Update has been released for Flash Player settings manager display page on Adobe.com to avoid a potential Clickjacking issue variant. The setting manager is a special control panel runs on local system and displayed within and accessed from Adobe website.
2. Input Validation Vulnerability (CVE-2009-0519)
An Input validation vulnerability has been reported in Adobe Flash Player. This vulnerability is caused due to an unspecified input validation error. Successful exploitation of this vulnerability could allow attackers to cause a denial of service or potentially execute arbitrary code.
3. Invalid Object Reference Vulnerability (CVE-2009-0520)
An invalid object reference vulnerability has been reported in Adobe Flash Player which could allow an attacker to execute arbitrary code with the privileges of currently logged-in user. This vulnerability is caused while processing of Shockwave Flash file, a particular object can be created and deleted with multiple references which points to the object. This vulnerability could be exploited by remote attacker convincing users to load or open specially crafted Flash file, which uses removed reference incorrectly pointing to a deleted object. The invalid object resides in uninitialized memory, which a remote attacker could control to execute arbitrary code.
4. Flash Player information disclosure Vulnerability
(CVE-2009-0521)
Information disclosure vulnerability exists in the Adobe Flash Player, which could allow local attackers to disclose potentially sensitive information that can be used to gain elevated privileges.
This vulnerability affects only Linux versions of Adobe Flash Player.
5. Flash Player mouse pointer display Clickjacking Vulnerability (CVE-2009-0522)
A vulnerability related to mouse pointer display exists in Adobe Flash Player, which could be exploited by attackers to conduct Clickjacking attacks on the systems having the affected version of application.
Non-Windows versions of Adobe Flash Player are not affected by this issue.
Solution
Apply appropriate patches as mentioned in APSB09-01
Vendor Information
Adobe
http://www.adobe.com/support/security/bulletins/apsb09-01.html
References
Adobe
http://www.adobe.com/support/security/bulletins/apsb09-01.html
iDefense Labs
http://labs.idefense.com/intelligence/vulnerabilities/display.php?
id=773
SecurityTracker
http://www.securitytracker.com/alerts/2009/Feb/1021750.html
VUPEN Security
http://www.vupen.com/english/advisories/2009/0513
CVE Name
CVE-2009-0114
CVE-2009-0519
CVE-2009-0520
CVE-2009-0521
CVE-2009-0522
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
|
