
MA-204.122009: MyCERT Alert - Multiple Critical Vulnerabilities in Adobe Flash Player

1.0 Introduction

Multiple critical vulnerabilities have been identified in Adobe Flash Player 10.0.32.18 and earlier versions on all operating systems.

These vulnerabilities allow a remote attacker to execute arbitrary code on a vulnerable version of Adobe Flash Player. User interaction is required, in that a user must visit a malicious web site that embeds a specially crafted Flash file. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary code on vulnerable installations of Adobe Flash Player and gain the same privileges as the user. This vulnerability could be exploited to install malware on the user's computer.

3.0 Affected Products

The products listed below are vulnerable:

  • Adobe Flash Player 10.0.32.18 and earlier versions

4.0 Recommendation

MyCERT recommends that users of Adobe Flash Player 10.0.32.18 and earlier versions upgrade to the newest version, 10.0.42.34. The update can be obtained from the following URL: http://get.adobe.com/flashplayer/
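A fleet check for the version guidance above, as an added example that is not part of the MyCERT advisory: it classifies reported Flash Player versions against the affected (10.0.32.18 and earlier) and recommended (10.0.42.34) versions. The inventory format, host names and sample versions are constructed; the comma-separated form is how Flash Player itself reports its version.

```python
import re

AFFECTED_MAX = (10, 0, 32, 18)  # advisory: this version and earlier are vulnerable
RECOMMENDED = (10, 0, 42, 34)   # advisory: recommended upgrade target

def parse_version(raw):
    """Parse '10.0.32.18' or 'WIN 10,0,32,18' into a tuple of four ints, else None."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", raw)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(raw):
    """Compare numerically per component; string comparison would misorder 10.0.4 and 10.0.32."""
    version = parse_version(raw)
    if version is None:
        return "unknown"            # no parseable version: needs manual follow-up
    if version <= AFFECTED_MAX:
        return "vulnerable"
    if version < RECOMMENDED:
        return "below-recommended"  # status not stated in the advisory; upgrade anyway
    return "ok"

def triage(inventory_text):
    """Map host -> status from lines of the form '<host> <reported version>'."""
    results = {}
    for line in inventory_text.splitlines():
        fields = line.strip().split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[0]
        results[host] = classify(fields[1]) if len(fields) == 2 else "unknown"
    return results

# Constructed sample inventory (assumed format, not from the advisory).
SAMPLE_INVENTORY = """\
# host    reported version
ws-001    10.0.32.18
ws-002    WIN 10,0,42,34
ws-003    9.0.246.0
ws-004    10.0.4.0
ws-005    10.0.40.1
ws-006    not installed
ws-007
"""

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{status}")
```

Hosts reported as `unknown` should be checked by hand rather than assumed patched.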

For those who are able to perform the update, MyCERT highly recommends disabling or blocking Flash content in the browser:

  • For Internet Explorer users, download and install the Toggle Flash plugin from http://flash.melameth.com and allow or unblock Flash content only on trusted sites.

  • For Mozilla Firefox users, download and install the FlashBlock plugin from http://flashblock.mozdev.org/ and allow or unblock Flash content only on trusted sites.

MyCERT generally advises users of this product to keep themselves updated with the latest security announcements from the vendor. If members of the public receive any suspicious URL or SWF file that requires our further analysis, please reach us using the information below:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

Copyright © 2009 - CyberSecurity Malaysia