
Security bulletin

Security update available for Adobe Flash Player

Release date: February 11, 2010

Last updated: March 5, 2010

Vulnerability identifier: APSB10-06

CVE number: CVE-2010-0186, CVE-2010-0187

Platform: All Platforms

Summary

A critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests.

Adobe recommends users of Adobe Flash Player 10.0.42.34 and earlier versions update to Adobe Flash Player 10.0.45.2. Adobe recommends users of Adobe AIR version 1.5.3.9120 and earlier versions update to Adobe AIR 1.5.3.9130.

Affected software versions

Adobe Flash Player 10.0.42.34 and earlier versions
Adobe AIR 1.5.3.9120 and earlier versions

To verify the Adobe Flash Player version number installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

To verify the Adobe AIR version number installed on your system, access the Adobe AIR TechNote for instructions.

Solution

Adobe Flash Player
Adobe recommends all users of Adobe Flash Player 10.0.42.34 and earlier versions upgrade to the newest version 10.0.45.2 by downloading it from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted.

Adobe AIR
Adobe recommends all users of Adobe AIR version 1.5.3.9120 and earlier update to the newest version 1.5.3.9130 by downloading it from the Adobe AIR Download Center.

Severity rating

Adobe categorizes this as a critical update and recommends affected users update their installations to the newest versions.

Details

A critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. This update also resolves a potential Denial of Service issue (CVE-2010-0187).

Adobe recommends users of Adobe Flash Player 10.0.42.34 and earlier versions update to Adobe Flash Player 10.0.45.2. Adobe recommends users of Adobe AIR version 1.5.3.9120 and earlier versions update to Adobe AIR 1.5.3.9130.

| Affected software | Recommended player update | Availability |
| --- | --- | --- |
| Flash Player 10.0.42.34 and earlier | 10.0.45.2 | Flash Player Download Center |
| Flash Player 10.0.42.34 and earlier - network distribution | 10.0.45.2 | Flash Player Licensing |
| Flash Player 10.0.42.34 and earlier for Linux | 10.0.45.2 | Flash Player Download Center |
| AIR 1.5.3.9120 | AIR 1.5.3.9130 | AIR Download Center |
| Flash CS4 Professional | 10.0.45.2 | Adobe Flash Player 10 Update for Flash CS4 Professional |
| Flash CS3 Professional | 9.0.262 | Flash Debug Player Updater |
| Flex 3 | 10.0.45.2 | Flash Debug Player Updater |

Note: The Adobe Flash Player 10.1 release, expected in the first half of 2010, will be the last version to support Macintosh PowerPC-based G3 computers. Adobe will be discontinuing support of PowerPC-based G3 computers and will no longer provide security updates after the Flash Player 10.1 release. This unavailability is due to performance enhancements that cannot be supported on the older PowerPC architecture.

Note: The Adobe AIR 2 release, expected in the first half of 2010, will not support Macintosh PowerPC-based computers and the Windows 2000 operating system. Adobe will be discontinuing support of PowerPC-based computers and the Windows 2000 operating system for Adobe AIR and will no longer provide security updates for Adobe AIR on these operating systems.

Acknowledgments

Adobe would like to thank Michael Yong Park for reporting the relevant issue (CVE-2010-0186) and for working with Adobe to help protect our customers.

Revisions

March 5, 2010 - Bulletin updated with Note in Details section regarding Adobe AIR 2 release information.
February 12, 2010 - Bulletin updated with corrected version numbers for AIR.
February 11, 2010 - Bulletin released.