
Security bulletin

Security update available for Adobe Flash Player

Release date: June 10, 2010

Last updated: June 25, 2010

Vulnerability identifier: APSB10-14

CVE number: CVE-2008-4546, CVE-2009-3793, CVE-2010-1297, CVE-2010-2160, CVE-2010-2161, CVE-2010-2162, CVE-2010-2163, CVE-2010-2164, CVE-2010-2165, CVE-2010-2166, CVE-2010-2167, CVE-2010-2169, CVE-2010-2170, CVE-2010-2171, CVE-2010-2172, CVE-2010-2173, CVE-2010-2174, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2179, CVE-2010-2180, CVE-2010-2181, CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186, CVE-2010-2187, CVE-2010-2189

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions update to Adobe Flash Player 10.1.53.64. Adobe recommends users of Adobe AIR 1.5.3.9130 and earlier versions update to Adobe AIR 2.0.2.12610.

Affected software versions

Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris
Adobe AIR 1.5.3.9130 and earlier versions for Windows, Macintosh and Linux

To verify the Adobe Flash Player version number installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

To verify the Adobe AIR version number installed on your system, access the Adobe AIR TechNote for instructions.
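The version check above has to be done per browser and per product, and the comparison has to respect the two Flash Player branches this bulletin patches (10.x to 10.1.53.64, 9.x to 9.0.277.0). The following is an added example, not Adobe's code: it parses the version strings the player reports (including the comma-separated, platform-prefixed form returned by ActionScript's Capabilities.version), decides which fix level applies to the installed branch, and flags every entry of an inventory that still needs the update. The product labels "flash"/"air", the function names and the sample inventory are this example's own; the fix levels are the ones stated in the bulletin.

```python
"""Branch-aware APSB10-14 check for installed Flash Player / AIR builds.

Added example, not Adobe's code. Thresholds come from the bulletin text;
product labels, function names and the inventory below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fix levels stated in the bulletin. Flash Player 9 received its own patched
# build for users who cannot move to 10.1, so the check must be branch-aware.
FLASH_10_FIXED: Version = (10, 1, 53, 64)
FLASH_9_PATCHED: Version = (9, 0, 277, 0)
AIR_FIXED: Version = (2, 0, 2, 12610)


def parse_version(text: str) -> Version:
    """Accept '10.0.45.2', the comma form '10,0,45,2', or the platform-prefixed
    string that ActionScript's Capabilities.version returns ('WIN 10,0,45,2')."""
    token = text.strip().split()[-1].replace(",", ".")
    parts = tuple(int(p) for p in token.split("."))
    if len(parts) != 4:
        raise ValueError(f"expected major.minor.build.revision, got {text!r}")
    return parts  # type: ignore[return-value]


def format_version(v: Version) -> str:
    return ".".join(str(p) for p in v)


def required_build(product: str, installed: Version) -> Version:
    """Lowest build on the installed branch that is not affected by APSB10-14."""
    if product == "flash":
        # 9.x has a maintenance fix; 8 and earlier never got one, so like 10.x
        # they must move to 10.1.53.64.
        return FLASH_9_PATCHED if installed[0] == 9 else FLASH_10_FIXED
    if product == "air":
        return AIR_FIXED
    raise ValueError(f"unknown product {product!r}")


@dataclass(frozen=True)
class Finding:
    product: str
    installed: str
    vulnerable: bool
    update_to: Optional[str]  # None when the installed build is already covered


def assess(product: str, installed: str) -> Finding:
    v = parse_version(installed)
    fixed = required_build(product, v)
    # Tuple comparison compares the components as integers. A string
    # comparison would be wrong here: "9.0.277.0" > "10.1.53.64" as text,
    # which would report the patched 9.x build as newer than the 10.1 fix.
    vulnerable = v < fixed
    return Finding(product, format_version(v), vulnerable,
                   format_version(fixed) if vulnerable else None)


def audit(inventory: Dict[str, Tuple[str, str]]) -> List[Tuple[str, Finding]]:
    """Check every (product, reported version) pair, one per browser or host,
    and return only those that still need the update. The bulletin asks for
    the check to be repeated per browser because each can carry its own build."""
    findings = []
    for name, (product, reported) in inventory.items():
        finding = assess(product, reported)
        if finding.vulnerable:
            findings.append((name, finding))
    return findings


# Constructed inventory for illustration only; not real hosts or readings.
SAMPLE_INVENTORY: Dict[str, Tuple[str, str]] = {
    "workstation-1/Firefox": ("flash", "WIN 10,0,45,2"),   # affected
    "workstation-1/Chrome":  ("flash", "WIN 10,1,53,64"),  # already at the fix
    "kiosk-7/IE":            ("flash", "9.0.260.0"),       # 9.x below the patched build
    "kiosk-7/IE (patched)":  ("flash", "9.0.277.0"),       # 9.x maintenance fix, covered
    "build-server/AIR":      ("air", "1.5.3.9130"),        # affected
}

if __name__ == "__main__":
    for name, f in audit(SAMPLE_INVENTORY):
        print(f"{name}: {f.product} {f.installed} -> update to {f.update_to}")
```

Any build that compares below its branch's fix level is reported as needing the update, so a hypothetical 10.0.x build numbered above 10.0.45.2 would still be flagged; that is the conservative reading of "10.0.45.2 and earlier" with 10.1.53.64 as the only 10.x fix.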

Solution

Adobe Flash Player
Adobe recommends all users of Adobe Flash Player 10.0.45.2 and earlier versions upgrade to the newest version 10.1.53.64 by downloading it from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted.

For users who cannot update to Flash Player 10.1.53.64, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.277.0, which can be downloaded from the following link.

Adobe AIR
Adobe recommends all users of Adobe AIR 1.5.3.9130 and earlier versions update to the newest version 2.0.2.12610 by downloading it from the Adobe AIR Download Center.

Severity rating

Adobe categorizes this as a critical update and recommends affected users update their installations to the newest versions.

Details

Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1297).
Note: There are reports that this issue is being actively exploited in the wild.

This update resolves a memory exhaustion vulnerability that could lead to code execution (CVE-2009-3793).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2160).

This update resolves an indexing vulnerability that could lead to code execution (CVE-2010-2161).

This update resolves a heap corruption vulnerability that could lead to code execution (CVE-2010-2162).

This update resolves multiple vulnerabilities that could lead to code execution (CVE-2010-2163).

This update resolves a use after free vulnerability that could lead to code execution (CVE-2010-2164).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2165).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2166).

This update resolves multiple heap overflow vulnerabilities that could lead to code execution (CVE-2010-2167).

This update resolves a pointer memory corruption vulnerability that could lead to code execution (CVE-2010-2169).

This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-2170).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2171).

This update resolves a denial of service issue on some UNIX platforms (Flash Player 9 only) (CVE-2010-2172).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2173).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2174).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2175).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2176).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2177).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2178).

This update resolves a URL parsing vulnerability that could lead to cross-site scripting (Firefox and Chrome browsers only) (CVE-2010-2179).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2180).

This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-2181).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2182).

This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-2183).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2184).

This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-2185).

This update resolves a denial of service vulnerability that can cause the application to crash; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-2186).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2187).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2189).
Note: This issue occurs only on VMware systems with VMware Tools enabled.

This update resolves a denial of service issue (CVE-2008-4546).


Affected software                                          Recommended player update  Availability
---------------------------------------------------------  -------------------------  ----------------------------
Flash Player 10.0.45.2 and earlier                         10.1.53.64                 Flash Player Download Center
Flash Player 10.0.45.2 and earlier - network distribution  10.1.53.64                 Flash Player Licensing
AIR 1.5.3.9130                                             AIR 2.0.2.12610            AIR Download Center
Flash Professional CS5, Flash CS4 Professional and Flex 4  10.1.53.64                 Flash Player Support Center
Flash CS3 Professional and Flex 3                          9.0.277.0                  Flash Player Support Center


Note: The Adobe Flash Player 10.1.53.64 release will be the last version to support Macintosh PowerPC-based G3 computers. Adobe is discontinuing support for PowerPC-based G3 computers and will provide no security updates for them after the Flash Player 10.1.53.64 release, because the performance enhancements in later releases cannot be supported on the older PowerPC architecture. Users on that hardware should treat 10.1.53.64 as their final patch level and plan accordingly.

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

Revisions

June 25, 2010 - Removed reference to CVE-2010-2188, which was not fully resolved with this update
June 24, 2010 - Updated based on release of Solaris version
June 10, 2010 - Updated Acknowledgments section, adding Lockheed Martin CIRT and Members of the Defense Security Information Exchange.
June 10, 2010 - Bulletin released.