Adobe Flash Player Flaws Let Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1024685
SecurityTracker URL: http://securitytracker.com/id/1024685

CVE Reference:
CVE-2010-3636, CVE-2010-3637, CVE-2010-3638, CVE-2010-3639, CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652

Updated: Nov 9 2010
Original Entry Date: Nov 5 2010

Impact:
Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, User access via network

Fix Available: Yes
Vendor Confirmed: Yes

Version(s): 10.1.85.3 and prior (10.1.95.2 and prior for Android)

Description:
Multiple vulnerabilities were reported in Adobe Flash Player. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can obtain potentially sensitive information. A remote user can cause denial of service conditions.
A remote user can create specially crafted content that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system [CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652]. The code will run with the privileges of the target user.
A remote user can supply specially crafted server encodings to exploit an input validation flaw and bypass cross-domain policy file restrictions [CVE-2010-3636].
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error in an ActiveX control and execute arbitrary code on the target user's system [CVE-2010-3637].
A remote user may be able to obtain potentially sensitive information [CVE-2010-3638]. Apple Safari is affected.
A remote user can cause denial of service conditions that may also allow code execution [CVE-2010-3639].
A user may be able to exploit a library-loading flaw to execute arbitrary code [CVE-2010-3976].
Tokuji Akamine of Symantec Consulting Services Japan, Xiaopeng Zhang of Fortinet's FortiGuard Labs, Erik Osterholm of Texas A&M University, Matthew Scott Bergin of Smash The Stack and Bergin Pen. Testing, Will Dormann of CERT, and Simon Raner of ACROS Security reported these vulnerabilities.

Impact:
A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information.
A remote user can cause denial of service conditions.

Solution:
The vendor has issued a fix (9.0.289.0, 10.1.102.64).
The vendor has issued a fix (10.1.105.6) for Android.
The vendor's advisory is available at:
http://www.adobe.com/support/security/bulletins/apsb10-26.html
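The Solution section gives a different fixed version for each release branch and platform (9.0.289.0 and 10.1.102.64 on desktop platforms, 10.1.105.6 on Android), so a plain "is the version newer" comparison is not enough. The following is an added example, not code from the SecurityTracker entry or from Adobe's bulletin: a small Python helper that parses a dotted Flash Player version string and reports whether an installed build is at or above the fix for its branch, which is the check a patch-compliance or inventory script would run against this advisory. The function names, the acceptance of comma-separated version strings (the format the ActiveX control's version property uses) and the sample inputs are assumptions of this example.

```python
"""Check an installed Adobe Flash Player version against the APSB10-26 fixed versions.

Hypothetical helper written for this advisory; it is not an Adobe tool.
Fixed versions are taken from the advisory's Solution section.
"""
from typing import Dict, Tuple

# Fixed version per (platform, major release branch), as stated in the advisory.
# Any branch/platform pair not listed here is reported as "unknown branch" rather
# than guessed, because the advisory gives no fixed version for it.
FIXED_VERSIONS: Dict[Tuple[str, int], Tuple[int, ...]] = {
    ("desktop", 9): (9, 0, 289, 0),
    ("desktop", 10): (10, 1, 102, 64),
    ("android", 10): (10, 1, 105, 6),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse "10.1.85.3" (or the ActiveX-style "10,1,85,3") into a comparable tuple.

    Missing trailing components are padded with zeros so that "10.1" compares
    as 10.1.0.0. Non-numeric input raises ValueError instead of silently
    comparing as "fixed".
    """
    parts = text.strip().replace(",", ".").split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_fixed(installed: str, platform: str = "desktop") -> bool:
    """Return True if `installed` is at or above the fixed version for its branch.

    Raises KeyError when the advisory lists no fixed version for the
    branch/platform combination (for example Flash 9 on Android).
    """
    version = parse_version(installed)
    fixed = FIXED_VERSIONS[(platform, version[0])]
    return version >= fixed


def assess(installed: str, platform: str = "desktop") -> str:
    """Classify an installed version as "fixed", "vulnerable" or "unknown branch"."""
    try:
        return "fixed" if is_fixed(installed, platform) else "vulnerable"
    except KeyError:
        return "unknown branch"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, platform, reported version).
    inventory = [
        ("ws-01", "desktop", "10.1.85.3"),     # last affected desktop build
        ("ws-02", "desktop", "10,1,102,64"),   # fixed, ActiveX-style separators
        ("ws-03", "desktop", "9.0.280.0"),     # old Flash 9 branch, below fix
        ("phone-01", "android", "10.1.95.2"),  # last affected Android build
        ("phone-02", "android", "10.1.105.6"), # fixed Android build
    ]
    for host, platform, version in inventory:
        print(f"{host:10} {platform:8} {version:12} {assess(version, platform)}")
```

The tuple comparison does the right thing on every component, so 10.1.102.64 is correctly ranked above 10.1.95.2 even though a string comparison would rank "95" above "102". Note that the desktop fix version 10.1.102.64 is still below the Android fix version, so the same build string is classified differently depending on the platform argument.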

Vendor URL: www.adobe.com/support/security/bulletins/apsb10-26.html

Cause:
Access control error, Input validation error

Underlying OS:
Android, Linux (Any), UNIX (OS X), UNIX (Solaris - SunOS), Windows (Any)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Fri, 05 Nov 2010 13:29:11 +0000
Subject: Adobe Flash Player

http://www.adobe.com/support/security/bulletins/apsb10-26.html
CVE-2010-3636, CVE-2010-3637, CVE-2010-3638, CVE-2010-3639, CVE-2010-3640,
CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645,
CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650,
CVE-2010-3652, CVE-2010-3976