Adobe Flash Player Multiple Vulnerabilities

Secunia ID	SA35948
CVE-ID	CVE-2009-0901, CVE-2009-1862, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870, CVE-2009-2395, CVE-2009-2493
Release Date	23 Jul 2009
Last Change	10 Aug 2009
Criticality	Highly Critical Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction but there are no known exploits available at the time of disclosure. Such vulnerabilities can exist in services like FTP, HTTP, and SMTP or in client systems like email programs or browsers.
Solution Status	Vendor Patch
Software	Adobe AIR 1.x Adobe Flash Player 10.x Adobe Flash Player 9.x
Where	From remote "From remote" describes other vulnerabilities where the attack vector doesn't require access to the system or a local network. This category covers services that are acceptable to expose to the Internet (e.g. HTTP, HTTPS, SMTP). It also covers client applications used on the Internet and certain vulnerabilities where it is reasonable to assume that a security conscious user can be tricked into performing certain actions.
Impact	System access This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user. Exposure of sensitive information Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote. Security Bypass This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application. The actual impact varies significantly depending on the design and purpose of the affected application.
Description	Some vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to bypass security features, gain knowledge of sensitive information, or compromise a user's system. 1) An unspecified error can be exploited to corrupt memory and execute arbitrary code via specially crafted SWF content. 2) The control has been built using a vulnerable version of ATL, which may be exploited to disclose memory content, bypass security features like kill-bits, and corrupt memory to execute arbitrary code when used in Internet Explorer. For more information: SA35967 3) An unspecified error can be exploited to gain escalated privileges. 4) A use-after-free error when parsing Shockwave Flash files may cause references to remain pointing to a deleted object, which can be exploited to corrupt memory. 5) An unspecified error may lead to a "null pointer vulnerability". 6) An unspecified error may lead to a "stack overflow vulnerability". 7) A click-jacking error can be exploited to trick a user into unknowingly click a link or dialog. 8) An error in the parsing of URLs can be exploited to cause a heap-based buffer overflow. 9) An integer overflow error in the AVM2 abcFile parser when handling the "intrf_count" value of the "instance_info" structure can be exploited to corrupt memory and execute arbitrary code. 10) An error in the local sandbox can be exploited to gain knowledge of sensitive information when a SWF is saved to the hard drive.
Solution	Update to Flash Player 9.0.246.0 or 10.0.32.18 and Adobe AIR version 1.5.2. Flash Player version 10.0.32.18: http://www.adobe.com/go/getflashplayer Flash Player version 9.0.246.0: http://www.adobe.com/support/flashplayer/downloads.html#fp9 Adobe AIR version 1.5.2. http://get.adobe.com/air
Reported by	1) Reported as a 0-day (the vendor also credits lakehu, Tencent Security Center). 2) David Dewey of IBM ISS X-Force, Ryan Smith of iDefense Labs, and Microsoft Vulnerability Research Program. 3) The vendor credits Mike Wroe. 4) Reported by an anonymous person via iDefense. 5,6) The vendor credits Chen Chen, Venustech. 7) The vendor credits Joran Benker. 8) Jun Mao, iDefense Labs. 9) Roee Hay, IBM Rational Application Security. 10) The vendor credits Microsoft Vulnerability Research Program (MSVR).
Original Advisory	Adobe: http://www.adobe.com/support/security/advisories/apsa09-03.html http://www.adobe.com/support/security/advisories/apsa09-04.html http://www.adobe.com/support/security/bulletins/apsb09-10.html Roee Hay: http://roeehay.blogspot.com/2009/07/adobe-flash-player-integer-overflow.html http://roeehay.blogspot.com/2009/08/advisory-adobe-flash-player-avm2.html http://roeehay.blogspot.com/2009/08/exploitation-of-cve-2009-1869.html iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=816 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=818