(Apple Issues Fix) Adobe Flash Player Flaws Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1027062
SecurityTracker URL: http://securitytracker.com/id/1027062
CVE Reference:
CVE-2010-3636, CVE-2010-3637, CVE-2010-3638, CVE-2010-3639, CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652, CVE-2010-3976
Date: May 14 2012
Impact:
Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 10.1.85.3 and prior (10.1.95.2 and prior for Android)
Description:
Multiple vulnerabilities were reported in Adobe Flash Player. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can obtain potentially sensitive information. A remote user can cause denial of service conditions.
A remote user can create specially crafted content that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system [CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652]. The code will run with the privileges of the target user.
A remote user can supply specially crafted server encodings to exploit an input validation flaw and bypass cross-domain policy file restrictions [CVE-2010-3636].
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error in an ActiveX control and execute arbitrary code on the target user's system [CVE-2010-3637].
A remote user may be able to obtain potentially sensitive information [CVE-2010-3638]. Apple Safari is affected.
A remote user can cause denial of service conditions that may also allow code execution [CVE-2010-3639].
A user may be able to exploit a library-loading flaw to execute arbitrary code [CVE-2010-3976].
Tokuji Akamine of Symantec Consulting Services Japan, Xiaopeng Zhang of Fortinet's FortiGuard Labs, Erik Osterholm of Texas A&M University, Matthew Scott Bergin of Smash The Stack and Bergin Pen. Testing, Will Dormann of CERT, and Simon Raner of ACROS Security reported these vulnerabilities.
Impact:
A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information.
A remote user can cause denial of service conditions.
Solution:
Apple has issued a security update to disable Adobe Flash Player versions older than 10.1.102.64.
Leopard Security Update 2012-003 is available via the Software Update pane in System Preferences, or Apple's Software Downloads web site at:
http://www.apple.com/support/downloads/
The download file is named: SecUpd2012-003.dmg
Its SHA-1 digest is: dc0b70cdcc896838fca9bf7ea4b867ec3cca48d4
The vendor's advisory will be available at:
http://support.apple.com/kb/HT1222
Vendor URL: www.adobe.com/support/security/bulletins/apsb10-26.html (Links to External Site)
Cause:
Access control error, Input validation error
Underlying OS:
UNIX (OS X)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Mon, 14 May 2012 21:18:46 +0000
Subject: Apple OS X
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-05-14-2 Leopard Security Update 2012-003
Leopard Security Update 2012-003 is now available and addresses the
following:
Internet plug-ins
Available for: Mac OS X v10.5 to 10.5.8 Intel
Impact: Out-of-date versions of Adobe Flash Player are disabled
Description: This update disables Adobe Flash Player if it is older
than 10.1.102.64 by moving its files to a new directory. This update
presents the option to install an updated version of Flash Player
from the Adobe website.
Leopard Security Update 2012-003 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The download file is named: SecUpd2012-003.dmg
Its SHA-1 digest is: dc0b70cdcc896838fca9bf7ea4b867ec3cca48d4
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
=UYJE
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce@lists.apple.com)