
Security bulletin

Additional disclosure of security vulnerabilities fixed in Flash Player 10.0.12.36 and Flash Player 9.0.151.0

Release date: November 17, 2008

Vulnerability identifier: APSB08-22

CVE number: CVE-2008-4824, CVE-2008-5361, CVE-2008-5362, CVE-2008-5363

Platform: All Platforms

Summary

Critical vulnerabilities were identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities.

The updates to Flash Player 10.0.12.36 and Flash Player 9.0.151.0 address the issues outlined in this Security Bulletin as well as the issues previously reported in Security Bulletins APSB08-18 and APSB08-20.

The vulnerabilities outlined in this bulletin were not previously disclosed; however, they were addressed with the most recent Flash Player updates, which have been available to users since the posting of the previous Security Bulletins APSB08-18 and APSB08-20. Therefore, no update is required for customers who have already updated to Flash Player 10.0.12.36 or Flash Player 9.0.151.0.

Adobe AIR customers should update to Adobe AIR 1.5.

Affected software versions

Adobe Flash Player 9.0.124.0 and earlier.

To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
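The per-browser check described above can be run across a software inventory. The following is an added example, not Adobe's code: it compares each installed build against the version numbers stated in this bulletin. The host names, plugin labels and inventory rows are constructed, the accepted version-string formats are assumptions, and treating builds the bulletin does not name as needing review is also an assumption.

```python
import re

# Thresholds taken from this bulletin (APSB08-22).
LAST_AFFECTED = (9, 0, 124, 0)   # "9.0.124.0 and earlier"
FIXED_V9 = (9, 0, 151, 0)        # patched Flash Player 9 build
FIXED_V10 = (10, 0, 12, 36)      # recommended release

def parse_version(text):
    """Accept '9.0.124.0', '9,0,124,0' or 'WIN 9,0,124,0'; return a 4-tuple."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)\s*$", text.strip())
    if not m:
        raise ValueError(f"unrecognised Flash Player version: {text!r}")
    return tuple(int(p) for p in m.groups())

def classify(version_text):
    """Status of one install with respect to this bulletin's issues only."""
    v = parse_version(version_text)
    if v >= FIXED_V10 or (v[0] == 9 and v >= FIXED_V9):
        return "fixed"
    if v <= LAST_AFFECTED:
        return "affected"
    # Builds between the listed ranges are not named in the bulletin;
    # reporting them separately for review is this example's assumption.
    return "unlisted"

def triage(inventory):
    """Return {host: [(plugin, version, status), ...]} for non-fixed installs."""
    findings = {}
    for host, plugin, version in inventory:
        status = classify(version)
        if status != "fixed":
            findings.setdefault(host, []).append((plugin, version, status))
    return findings

# Constructed sample inventory: one row per browser plugin, because each
# browser on a host can carry its own Flash Player build.
SAMPLE_INVENTORY = [
    ("ws-01", "ActiveX (IE)", "WIN 9,0,124,0"),
    ("ws-01", "NPAPI (Firefox)", "10.0.12.36"),
    ("ws-02", "NPAPI (Firefox)", "9.0.151.0"),
    ("ws-03", "ActiveX (IE)", "8,0,24,0"),
    ("ws-03", "NPAPI (Firefox)", "9.0.125.0"),
]

if __name__ == "__main__":
    for host, rows in sorted(triage(SAMPLE_INVENTORY).items()):
        for plugin, version, status in rows:
            print(f"{host}: {plugin} {version} -> {status}")
```

A host appears in the output as long as any one of its browser plugins is below a fixed build, even when another browser on the same host is already updated.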

Solution

Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.151.0, which can be downloaded from the following link.

Adobe AIR customers should update to Adobe AIR 1.5.

Severity rating

Adobe categorizes this as a critical update and recommends affected users upgrade to version 10.0.12.36.

Details

In addition to the issues previously reported in Security Bulletins APSB08-18 and APSB08-20, the Flash Player 10.0.12.36 and Flash Player 9.0.151.0 updates address multiple input validation errors that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player.

No Flash Player update is required for customers who have already updated to Flash Player 10.0.12.36 or Flash Player 9.0.151.0. Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center. Adobe AIR customers should update to Adobe AIR 1.5.

| Affected software | Recommended player update | Availability |
|---|---|---|
| Flash Player 9.0.124.0 and earlier | 10.0.12.36 | Player Download Center |
| Flash Player 9.0.124.0 and earlier - network distribution | 10.0.12.36 | Player Licensing |
| Flash Player 9.0.124.0 and earlier for Linux | 10.0.12.36 | Player Download Center |
| AIR 1.1 | AIR 1.5 | AIR Download Center |
| Flash CS4 Professional | 10.0.12.36 | Adobe Flash Player 10 Update for Flash CS4 Professional |
| Flash CS3 Professional | 9.0.151.0 | Adobe Flash Player 9 Update for Flash CS3 Professional |
| Flex 3 | 10.0.12.36 | Flash Debug Player Updater |

Acknowledgments

Adobe would like to thank Riley Hassell and Josh Zelonis of iSEC Partners for reporting these issues and for working with Adobe to help protect our customers' security.