
Security bulletin

Security update available for Adobe Flash Player

Release date: September 20, 2010

Last updated: October 5, 2010

Vulnerability identifier: APSB10-22

CVE number: CVE-2010-2884

Platform: All Platforms

Summary

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

Adobe recommends users of Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.85.3, and users of Adobe Flash Player 10.1.92.10 for Android update to Adobe Flash Player 10.1.95.1. Adobe recommends users of Adobe AIR 2.0.3 and earlier versions update to Adobe AIR 2.0.4.

A fix is available for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh as of Tuesday, October 5, 2010. Please refer to Security Bulletin APSB10-21.

Affected software versions

  • Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.92.10 for Android.
  • Adobe AIR 2.0.3 and earlier versions for Windows, Macintosh and Linux.

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote.

Solution

Adobe Flash Player
Adobe recommends all users of Adobe Flash Player 10.1.82.76 and earlier versions upgrade to the newest version 10.1.85.3 by downloading it from the Adobe Flash Player Download Center or by installing it via the auto-update mechanism within the product when prompted.

Users of Flash Player for Android version 10.1.92.10 and earlier can update to Flash Player version 10.1.95.1 by browsing to the Android Marketplace on an Android phone.

For users who cannot update to Flash Player 10.1.85.3, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.283, which can be downloaded here.

Adobe AIR
Adobe recommends all users of Adobe AIR 2.0.3 and earlier versions update to the newest version 2.0.4 by downloading it from the Adobe AIR Download Center.
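The following triage script is an added example, not part of Adobe's bulletin or tooling: it checks an inventory of installed versions against the fixed versions named above, including the patched Flash Player 9 branch and the separate Android threshold. The product keys, host names and inventory rows are constructed for illustration.

```python
# Added example: thresholds are taken from bulletin APSB10-22 as quoted above.
# Product keys and the inventory rows are constructed for illustration.

def parse(version):
    """'10.1.82.76' -> (10, 1, 82, 76); short versions are zero-padded to 4 parts."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

# First fixed version per product/platform, as stated in the bulletin.
# Android has its own threshold: 10.1.92.10 is numerically above the desktop
# fix 10.1.85.3 but is still an affected build.
FIXED = {
    "flash-desktop": "10.1.85.3",   # Windows, Macintosh, Linux, Solaris
    "flash-android": "10.1.95.1",
    "air": "2.0.4",
    "chrome": "6.0.472.62",
}
FLASH9_PATCHED = parse("9.0.283")       # patched Flash Player 9 branch
READER_LAST_AFFECTED = parse("9.3.4")   # Reader/Acrobat: fix is in APSB10-21

def triage(product, version):
    """Return 'ok', 'update to <version>', 'see APSB10-21' or 'not listed as affected'."""
    v = parse(version)
    if product in ("reader", "acrobat"):
        return "see APSB10-21" if v <= READER_LAST_AFFECTED else "not listed as affected"
    if product == "flash-desktop" and v[0] == 9 and v >= FLASH9_PATCHED:
        return "ok"  # patched 9.x build, although numerically below 10.1.85.3
    fixed = FIXED[product]
    return "ok" if v >= parse(fixed) else "update to " + fixed

# Constructed inventory: (host, product, installed version)
INVENTORY = [
    ("ws-01", "flash-desktop", "10.1.82.76"),
    ("ws-02", "flash-desktop", "9.0.283"),
    ("ws-03", "flash-desktop", "9.0.280"),
    ("ph-01", "flash-android", "10.1.92.10"),
    ("ws-04", "air", "2.0.3"),
    ("ws-05", "reader", "9.3.4"),
    ("ws-06", "chrome", "6.0.472.62"),
]

def report(rows=INVENTORY):
    return [(host, product, version, triage(product, version))
            for host, product, version in rows]

if __name__ == "__main__":
    for row in report():
        print("%-6s %-14s %-12s %s" % row)
```

Because Flash Player is installed per browser, each browser's plug-in version needs its own inventory row.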

Severity rating

Adobe categorizes this as a critical update and recommends affected users update their installations to the newest versions.

Details

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

Adobe recommends users of Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.85.3, and users of Adobe Flash Player 10.1.92.10 for Android update to Adobe Flash Player 10.1.95.1. Adobe recommends users of Adobe AIR 2.0.3 and earlier versions update to Adobe AIR 2.0.4.

A fix is available for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh as of Tuesday, October 5, 2010. Please refer to Security Bulletin APSB10-21.

Google Chrome users can update to Chrome 6.0.472.62. To verify your current Chrome version number and update if necessary, follow the instructions here: http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414.

Acknowledgments

Adobe would like to thank Bo Qu of Palo Alto Networks for reporting the relevant issue and for working with Adobe to help protect our customers.

Revisions

October 5, 2010 - Bulletin text updated with information on Adobe Reader, Acrobat and AIR.
September 20, 2010 - Bulletin released.