Critical update for Adobe Flash Player

Number: AV09-028
Date: 31 July 2009

Purpose

Adobe has issued updated software that fixes a critical flaw in Adobe Flash Player. These vulnerabilities are currently being exploited through targeted attacks or via drive-by download from compromised legitimate websites.

Assessment

On 23 July 2009, Adobe issued an advisory warning that a critical unpatched vulnerability in Adobe Flash Player was actively being exploited. This vulnerability could cause the application to crash, potentially allowing an attacker to take control of the affected system. Since this vulnerability affects Flash, any software that uses Flash is also vulnerable to this issue.

Affected Adobe software:

Adobe Flash Player 9.0.159.0 and 10.0.22.87 (and earlier 9.x and 10.x versions)
Adobe AIR 1.5.1 (and earlier versions)

Adobe has made updated software available and recommends that users of Adobe Flash update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. Users of Adobe AIR should update to Adobe AIR 1.5.2.

Adobe Flash Player version 10.0.32.18 can be obtained from the following download location:
http://get.adobe.com/flashplayer/

For organizations that cannot update to Adobe Flash Player 10, Adobe has developed a patched version of Adobe Flash Player 9 (Adobe Flash Player 9.0.246.0), which can be obtained from the following location:
http://www.adobe.com/products/flashplayer/fp_distribution3.html

Adobe AIR version 1.5.2 can be obtained at the following download location:
http://get.adobe.com/air/

Suggested action

These vulnerabilities are currently being exploited on the Internet. CCIRC recommends that administrators prioritize the testing and deployment of updated software at the earliest opportunity.
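
To help prioritize deployment, the following added example (not part of the original advisory or any Adobe or CCIRC tooling) checks a software inventory against the fixed versions listed above. The inventory row format, the hostnames and the comma-separated "WIN 10,0,22,87" version string form are assumptions; versions outside the 9.x/10.x Flash and 1.x AIR branches are reported as "not-covered" for manual review.

```python
import re

# Fixed versions as stated in the advisory, keyed by (product, major branch).
FIXED = {
    ("flash", 9): (9, 0, 246, 0),
    ("flash", 10): (10, 0, 32, 18),
    ("air", 1): (1, 5, 2),
}

def parse_version(text):
    """Parse '10.0.22.87' or 'WIN 10,0,22,87' into a tuple of ints."""
    match = re.search(r"\d+(?:[.,]\d+)+", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in re.split(r"[.,]", match.group()))

def classify(product, version_text):
    """Return 'vulnerable', 'patched' or 'not-covered' for one install."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "not-covered"  # unparseable string: needs manual review
    fixed = FIXED.get((product.lower(), version[0]))
    if fixed is None:
        return "not-covered"  # branch the advisory does not list
    # Pad to equal length so (1, 5) compares as (1, 5, 0).
    width = max(len(version), len(fixed))
    version += (0,) * (width - len(version))
    fixed += (0,) * (width - len(fixed))
    return "vulnerable" if version < fixed else "patched"

def triage(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if classify(row[1], row[2]) == "vulnerable"]

# Constructed sample inventory (hostnames are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "flash", "10.0.22.87"),
    ("ws-002", "flash", "WIN 9,0,159,0"),
    ("ws-003", "flash", "10.0.32.18"),
    ("ws-004", "air", "1.5.1"),
    ("ws-005", "air", "1.5.2"),
    ("ws-006", "flash", "8.0.42.0"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(host, product, version)
```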

References:

Adobe Advisory APSB09-10
http://www.adobe.com/support/security/bulletins/apsb09-10.html

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
