Security bulletin

Security updates available for Adobe Flash Player, Adobe Reader and Acrobat

Release date: July 30, 2009

Last updated: September 9, 2009

Vulnerability identifier: APSB09-10

CVE number: CVE-2009-1862, CVE-2009-0901, CVE-2009-2495, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in the current versions of Adobe Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. Adobe recommends users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2. Adobe recommends users of Adobe Reader 9 and Acrobat 9 and earlier versions update to Adobe Reader 9.1.3 and Acrobat 9.1.3.

Note: As a result of this out-of-cycle Adobe Reader and Acrobat update, Adobe is planning its next quarterly security update for Adobe Reader and Acrobat for Tuesday, October 13.

Affected software versions

Adobe Flash Player 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions

To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Adobe AIR 1.5.1 and earlier versions

Adobe Reader and Acrobat 9.1.2 and earlier 9.x versions
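The version check above can be run across a software inventory. The following is an added example, not Adobe's code: it compares installed versions against the fixed versions named in this bulletin, per major branch. The function names, the inventory layout and the sample hosts are assumptions, as is accepting the comma-separated form (`WIN 10,0,22,87`) in which Flash Player reports its version on Windows.

```python
# Fixed versions per product and major branch, copied from the bulletin text.
FIXED = {
    "flash player": {9: "9.0.246.0", 10: "10.0.32.18"},
    "air": {1: "1.5.2"},
    "reader": {9: "9.1.3"},
    "acrobat": {9: "9.1.3"},
}

def parse_version(text):
    """'10.0.22.87' or 'WIN 10,0,22,87' -> (10, 0, 22, 87)."""
    token = text.split()[-1].replace(",", ".")
    return tuple(int(part) for part in token.split("."))

def assess(product, version_text):
    """Return ('UPDATE', fixed), ('OK', None) or ('NOT_LISTED', None)."""
    branches = FIXED.get(product.lower())
    installed = parse_version(version_text)
    if branches is None or installed[0] not in branches:
        return ("NOT_LISTED", None)  # branch not named in the bulletin: review by hand
    fixed_text = branches[installed[0]]
    fixed = parse_version(fixed_text)
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))  # so 9.1 compares as 9.1.0
    if pad(installed) < pad(fixed):
        return ("UPDATE", fixed_text)
    return ("OK", None)

def triage(inventory):
    """Keep only the inventory rows that are not confirmed as patched."""
    findings = []
    for host, product, version in inventory:
        status, fixed = assess(product, version)
        if status != "OK":
            findings.append((host, product, version, status, fixed))
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-01", "Flash Player", "WIN 10,0,22,87"),
    ("ws-02", "Flash Player", "9.0.246.0"),
    ("ws-03", "Reader", "9.1"),
    ("ws-04", "AIR", "1.5.2"),
    ("ws-05", "Flash Player", "8.0.24.0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Versions on a branch the bulletin does not name are reported as NOT_LISTED rather than OK, so they are reviewed by hand instead of being treated as patched.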

Solution

Adobe Flash Player

Adobe recommends all users of Adobe Flash Player 10.0.22.87 and earlier versions upgrade to the newest version 10.0.32.18 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

For users who cannot update to Adobe Flash Player 10, Adobe has developed a patched version of Adobe Flash Player 9, Adobe Flash Player 9.0.246.0, which can be downloaded from the following link: http://www.adobe.com/support/flashplayer/downloads.html#fp9.

Adobe AIR

Adobe recommends all users of Adobe AIR version 1.5.1 and earlier update to the newest version 1.5.2 by downloading it from the Adobe AIR Download Center, or by using the auto-update mechanism within the product when prompted.

Adobe Reader

Users who download the full 9.1 installer from http://get.adobe.com/reader/ will be offered the Adobe Reader 9.1.3 patch by the Adobe Updater technology on first launch. Users can also click "Help > Check for Updates" to be sure their installation is fully patched and up-to-date. Alternatively, users can manually apply the 9.1.3 update via the Product updates section of our web site.

Adobe Reader users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.

Acrobat

Acrobat Standard and Pro users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.

Acrobat Pro users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

Severity rating

Adobe categorizes these as critical issues and recommends affected users patch their installations.

Details

The update for Adobe Flash Player and Adobe AIR, Adobe Reader and Acrobat resolves a memory corruption vulnerability that could potentially lead to code execution (CVE-2009-1862).

The update for Adobe Flash Player addresses the vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). An attacker who successfully exploits this vulnerability could take control of the affected system (CVE-2009-0901, CVE-2009-2495, CVE-2009-2493).

The update for Adobe Flash Player resolves a privilege escalation vulnerability that could allow someone with desktop access to gain administrative privileges on the Macintosh operating system (CVE-2009-1863).

The update for Adobe Flash Player and Adobe AIR resolves the heap overflow vulnerability that could potentially lead to code execution (CVE-2009-1864).

The update for Adobe Flash Player and Adobe AIR resolves the null pointer vulnerability that could potentially lead to code execution (CVE-2009-1865).

The update for Adobe Flash Player and Adobe AIR resolves the stack overflow vulnerability that could potentially lead to code execution (CVE-2009-1866).

The update for Adobe Flash Player and Adobe AIR resolves a clickjacking vulnerability that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog (CVE-2009-1867).

The update for Adobe Flash Player and Adobe AIR resolves the URL parsing heap overflow vulnerability that could potentially lead to code execution (CVE-2009-1868).

The update for Adobe Flash Player and Adobe AIR resolves the integer overflow vulnerability that could potentially lead to code execution (CVE-2009-1869).

The update for Adobe Flash Player and Adobe AIR resolves a local sandbox vulnerability that could potentially lead to information disclosure when SWFs are saved to the hard drive (CVE-2009-1870).

| Affected software | Recommended update | Availability |
| --- | --- | --- |
| Flash Player 10.0.22.87 and earlier | 10.0.32.18 | Player Download Center |
| Flash Player 10.0.22.87 and earlier - network distribution | 10.0.32.18 | Player Licensing |
| Flash Player 10.0.22.87 and earlier for Linux | 10.0.32.18 | Player Download Center |
| Adobe Reader 9.1.2 and earlier - Windows | Adobe Reader 9.1.3 | |
| Adobe Reader 9.1.2 and earlier - Macintosh | Adobe Reader 9.1.3 | |
| Adobe Reader 9.1.2 and earlier - Unix | Adobe Reader 9.1.3 | |
| Adobe Acrobat Standard and Pro 9.1.2 and earlier - Windows | Acrobat 9.1.3 | |
| Adobe Acrobat Extended 9.1.2 and earlier - Windows | Acrobat 9.1.3 | |
| Adobe Acrobat Pro 9.1.2 and earlier - Macintosh | Acrobat 9.1.3 | |
| AIR 1.5.1 | AIR 1.5.2 | AIR Download Center |
| Flash CS4 Professional | 10.0.32.18 | Adobe Flash Player 10 Update for Flash CS4 Professional |
| Flash CS3 Professional | 9.0.246.0 | Flash Debug Player Updater |
| Flex 3 | 10.0.32.18 | Flash Debug Player Updater |

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers’ security:

Revisions

September 9, 2009 - Bulletin updated with Recommended update table in Details section
August 19, 2009 - Bulletin updated with additional information regarding Adobe AIR.
August 3, 2009 - Bulletin updated, Adobe Flash Player v9 and v10 for Solaris update is available
July 31, 2009 - Bulletin updated with Adobe Reader and Acrobat updates, and correct Adobe Flash Player 9 download link
July 30, 2009 - Bulletin first created