
CERT-In Advisory CIAD-2010-11
Multiple Vulnerabilities in Adobe Flash player and AIR

Original Issue Date: February 18, 2010

Severity Rating: High

System Affected

  • Adobe Flash Player 10.0.42.34 and prior versions
  • Adobe AIR 1.5.3.9120 and prior versions

Overview

Multiple vulnerabilities have been reported in Adobe Flash Player and Adobe AIR, which could allow a remote attacker to bypass cross-domain security restrictions, make unauthorized cross-domain requests, or cause a denial of service condition.

Description

Adobe Flash Player is the browser plug-in that runs SWF content embedded in web pages. Adobe Integrated Runtime (AIR) is a cross-platform runtime environment for building rich Internet applications using Adobe Flash, HTML, or Ajax that can be deployed as desktop applications. Both products share the same Flash runtime, so both are affected by the issues below.

1. Adobe Flash Player and AIR Cross Domain Scripting Vulnerability (CVE-2010-0186)

This vulnerability is caused by an unspecified error in the way Adobe Flash Player and Adobe AIR enforce cross-domain restrictions. A remote attacker could exploit this vulnerability via specially crafted content to bypass the domain sandbox restrictions and perform unauthorized cross-domain requests.

Successful exploitation of this vulnerability could allow a remote attacker to bypass the same-origin policy and obtain potentially sensitive information or launch spoofing attacks against other sites.
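The cross-domain restriction that CVE-2010-0186 lets an attacker bypass is the one a site declares in its crossdomain.xml policy file. A site that already grants every origin read access is exposed whether or not the client is patched, so auditing those policies is the server-side check that complements the client update. The following audit script is an added example and is not part of the CERT-In advisory or Adobe's materials; element and attribute names follow Adobe's cross-domain policy file specification, and the two sample policies are constructed for illustration.

```python
"""Audit a Flash cross-domain policy file (crossdomain.xml) for grants that
expose a site's responses to SWFs from other origins.

Added example; not part of the CERT-In advisory. Element and attribute
names follow Adobe's cross-domain policy file specification. The two
policies below are constructed samples, not taken from any real site.
"""
import xml.etree.ElementTree as ET
from typing import List

# For policy files fetched from hosts you do not control, parse with
# defusedxml instead of ElementTree to avoid entity-expansion attacks.


def audit_policy(policy_xml: str) -> List[str]:
    """Return a list of findings; an empty list means nothing risky was seen."""
    findings: List[str] = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]

    # A master policy may delegate to policy files elsewhere on the host;
    # 'all' lets any file on the server act as a policy (risky with uploads).
    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append("site-control permitted-cross-domain-policies='all'")

    for grant in root.findall("allow-access-from"):
        domain = grant.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*': any origin may read responses")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from wildcard subdomain grant {domain}")
        # 'secure' defaults to true; 'false' lets http:// SWFs read https:// content.
        if grant.get("secure", "true").lower() == "false":
            findings.append(f"allow-access-from {domain or '(unset)'} has secure='false'")

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*":
            findings.append(f"any origin may send request headers: {hdr.get('headers', '')}")
    return findings


# Constructed sample: the permissive policy that makes cross-domain reads
# possible for every SWF on the web, regardless of client-side bugs.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: a restrictive policy naming only the origins that need access.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
```

Run it against the policy files served at the web root of each host that serves data to Flash clients. A policy that names only the origins that need access limits what a sandbox bypass on an unpatched client can reach; a `domain="*"` grant gives every SWF on the web the same read access the bug would otherwise have to steal.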

2. Adobe Flash Player and AIR Denial of Service Vulnerability (CVE-2010-0187)

This vulnerability is caused by an unspecified error in Adobe Flash Player and Adobe AIR. A remote attacker could exploit this vulnerability by tricking a user into opening a specially crafted SWF file, causing a denial of service condition.

Solution

Apply the appropriate patches as mentioned in Adobe Security Bulletin APSB10-06: update to Adobe Flash Player 10.0.45.2 and Adobe AIR 1.5.3.9130 or later.
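When checking an estate of workstations against the "System Affected" list above, the pitfall is comparing dotted version strings as text: "10.0.9.1" sorts after "10.0.42.34" lexicographically and would be missed. The triage helper below is an added example, not part of the CERT-In advisory. The affected ceilings (10.0.42.34 and 1.5.3.9120) come from this advisory; the first fixed versions (10.0.45.2 and 1.5.3.9130) are taken from Adobe bulletin APSB10-06, not from this page, and the host inventory is constructed sample data.

```python
"""Triage Adobe Flash Player / AIR version strings against the versions
affected by CERT-In CIAD-2010-11 (Adobe APSB10-06).

Added example; not part of the CERT-In advisory. The affected ceilings
(Flash Player 10.0.42.34, AIR 1.5.3.9120) come from the advisory's
"System Affected" list. The first fixed versions (Flash Player 10.0.45.2,
AIR 1.5.3.9130) are taken from Adobe bulletin APSB10-06, not from this
page. The host inventory at the bottom is constructed sample data.
"""
from typing import Dict, List, Tuple

# Highest affected version per product (from the advisory).
AFFECTED_MAX: Dict[str, str] = {
    "flash_player": "10.0.42.34",
    "air": "1.5.3.9120",
}

# First fixed version per product (from Adobe APSB10-06).
FIXED_MIN: Dict[str, str] = {
    "flash_player": "10.0.45.2",
    "air": "1.5.3.9130",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Normalise a version string to a tuple of ints for numeric comparison.

    Accepts '10.0.42.34', the comma form '10,0,42,34', and the value the
    Flash Capabilities.version API reports, e.g. 'WIN 10,0,42,34'
    (platform token followed by a comma-separated version).
    """
    text = text.strip()
    if " " in text:                      # 'WIN 10,0,42,34' -> '10,0,42,34'
        text = text.split()[-1]
    return tuple(int(p) for p in text.replace(",", ".").split("."))


def is_affected(product: str, version: str) -> bool:
    """True when `version` is at or below the advisory's affected ceiling.

    Tuple comparison is numeric per component; a plain string comparison
    would wrongly place '10.0.9.1' above '10.0.42.34' and miss it.
    """
    return parse_version(version) <= parse_version(AFFECTED_MAX[product])


def is_fixed(product: str, version: str) -> bool:
    """True when `version` is at or above the first fixed version."""
    return parse_version(version) >= parse_version(FIXED_MIN[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every entry that still needs the patch.

    Anything below the first fixed version is flagged, including builds
    between the affected ceiling and the fix, for which the advisory gives
    no assurance.
    """
    return [(h, p, v) for h, p, v in inventory if not is_fixed(p, v)]


# Constructed sample inventory: (host, product, version as reported).
SAMPLE_INVENTORY = [
    ("ws01", "flash_player", "10.0.42.34"),      # exactly the affected ceiling
    ("ws02", "flash_player", "WIN 10,0,45,2"),   # fixed, as Capabilities.version reports it
    ("ws03", "flash_player", "10.0.9.1"),        # old build; string compare would miss it
    ("ws04", "air", "1.5.3.9120"),               # affected
    ("ws05", "air", "1.5.3.9130"),               # fixed
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs the APSB10-06 update")
```

Feed it whatever version source your inventory has (registry or plug-in metadata on Windows, the `Capabilities.version` string from an instrumented SWF, or a software inventory export); the comparison logic is the same in each case.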

Vendor Information

Adobe
http://www.adobe.com/support/security/bulletins/apsb10-06.html

References

Adobe
http://www.adobe.com/support/security/bulletins/apsb10-06.html

SecurityFocus
http://www.securityfocus.com/bid/38198
http://www.securityfocus.com/bid/38200

Secunia
http://secunia.com/advisories/38547/

VUPEN Security
http://www.vupen.com/english/advisories/2010/0373

SecurityTracker
http://securitytracker.com/alerts/2010/Feb/1023586.html
http://securitytracker.com/alerts/2010/Feb/1023585.html

Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=563819
https://bugzilla.redhat.com/show_bug.cgi?id=564287

CVE Name
CVE-2010-0186
CVE-2010-0187

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003