-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0150
             Security update available for Adobe Flash Player
                             12 February 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Flash Player
                   Adobe AIR
Publisher:         Adobe
Operating System:  Windows
                   Mac OS X
                   Linux variants
                   Solaris
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-0187 CVE-2010-0186 

Original Bulletin: 
   http://www.adobe.com/support/security/bulletins/apsb10-06.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Security update available for Adobe Flash Player

Release date: February 11, 2010

Vulnerability identifier: APSB10-06

CVE number: CVE-2010-0186, CVE-2010-0187

Platform: All Platforms

Summary

A critical vulnerability has been identified in Adobe Flash Player version 
10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert 
the domain sandbox and make unauthorized cross-domain requests.

Adobe recommends users of Adobe Flash Player 10.0.42.34 and earlier 
versions update to Adobe Flash Player 10.0.45.2. Adobe recommends users 
of Adobe AIR version 1.5.3.1920 and earlier versions update to Adobe 
AIR 1.5.3.1930.

Affected software versions

Adobe Flash Player 10.0.42.34 and earlier versions
Adobe AIR 1.5.3.1920 and earlier versions

To verify the Adobe Flash Player version number installed on your system, 
access the About Flash Player page, or right-click on content running in 
Flash Player and select "About Adobe (or Macromedia) Flash Player" from 
the menu. If you use multiple browsers, perform the check for each browser 
you have installed on your system.

To verify the Adobe AIR version number installed on your system, access the 
Adobe AIR TechNote for instructions.

Solution

Adobe Flash Player

Adobe recommends all users of Adobe Flash Player 10.0.42.34 and earlier 
versions upgrade to the newest version 10.0.45.2 by downloading it from 
the Adobe Flash Player Download Center or by using the auto-update 
mechanism within the product when prompted.

Adobe AIR

Adobe recommends all users of Adobe AIR version 1.5.3.1920 and earlier 
update to the newest version 1.5.3.1930 by downloading it from the 
Adobe AIR Download Center.

Severity rating

Adobe categorizes this as a critical update and recommends affected 
users update their installations to the newest versions.

Details

A critical vulnerability has been identified in Adobe Flash Player 
version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) 
could subvert the domain sandbox and make unauthorized cross-domain 
requests. This update also resolves a potential Denial of Service issue 
(CVE-2010-0187).

Adobe recommends users of Adobe Flash Player 10.0.42.34 and earlier 
versions update to Adobe Flash Player 10.0.45.2. Adobe recommends 
users of Adobe AIR version 1.5.3.1920 and earlier versions update to 
Adobe AIR 1.5.3.1930.

Affected software          Recommended player update  Availability
-------------------------  -------------------------  -------------------------
Flash Player 10.0.42.34    10.0.45.2                  Flash Player Download
and earlier                                           Center

Flash Player 10.0.42.34    10.0.45.2                  Flash Player Licensing
and earlier - network
distribution

Flash Player 10.0.42.34    10.0.45.2                  Flash Player Download
and earlier for Linux                                 Center

AIR 1.5.3.1920             AIR 1.5.3.1930             AIR Download Center

Flash CS4 Professional     10.0.45.2                  Adobe Flash Player 10
                                                      Update for Flash CS4
                                                      Professional

Flash CS3 Professional     9.0.262                    Flash Debug Player
                                                      Updater

Flex 3                     10.0.45.2                  Flash Debug Player
                                                      Updater
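
Added example (not part of the Adobe or AusCERT text): a triage of installed
versions against the builds named in this bulletin, comparing version parts
numerically so that a build such as 10.0.5.0 is not ranked above 10.0.42.34.
The inventory rows, function names and the treatment of 9.0.262 as the fixed
9.x build are assumptions made for the example.

```python
import re

# Thresholds taken from the bulletin text; everything else here is illustrative.
RULES = {
    "flash": {"last_affected": (10, 0, 42, 34), "fixed": (10, 0, 45, 2)},
    "air":   {"last_affected": (1, 5, 3, 1920), "fixed": (1, 5, 3, 1930)},
}
# Assumption: the 9.0.262 update in the Flash CS3 row is the fixed 9.x build.
FLASH9_FIXED = (9, 0, 262, 0)


def parse_version(raw):
    """Accept '10.0.42.34', '10,0,42,34' or 'WIN 10,0,42,34'; pad to 4 parts."""
    m = re.search(r"\d+(?:[.,]\d+){1,3}", raw)
    if not m:
        raise ValueError(f"no version found in {raw!r}")
    parts = [int(p) for p in re.split(r"[.,]", m.group(0))]
    return tuple(parts + [0] * (4 - len(parts)))


def triage(product, raw_version):
    """Return 'affected', 'fixed' or 'unlisted' for one installed version."""
    rule = RULES[product]
    v = parse_version(raw_version)
    if product == "flash" and v[0] == 9 and v >= FLASH9_FIXED:
        return "fixed"
    if v <= rule["last_affected"]:
        return "affected"
    if v >= rule["fixed"]:
        return "fixed"
    return "unlisted"  # between the two builds the bulletin names


# Constructed inventory rows (host, product, reported version string).
INVENTORY = [
    ("host-a", "flash", "WIN 10,0,42,34"),
    ("host-b", "flash", "10.0.45.2"),
    ("host-c", "flash", "10.0.5.0"),  # a string compare ranks this above 10.0.42.34
    ("host-d", "air", "1.5.3.1920"),
    ("host-e", "air", "1.5.3.1930"),
]


def report(rows=INVENTORY):
    return {host: triage(product, ver) for host, product, ver in rows}


if __name__ == "__main__":
    print(report())
```

A version that falls between the last affected build and the fixed build is
reported as "unlisted" rather than guessed at, since the bulletin does not
name it.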

 

Note: The Adobe Flash Player 10.1 release, expected in the first half of 
2010, will be the last version to support Macintosh PowerPC-based G3 
computers. Adobe will be discontinuing support of PowerPC-based G3 
computers and will no longer provide security updates after the Flash 
Player 10.1 release. This unavailability is due to performance 
enhancements that cannot be supported on the older PowerPC architecture.

Acknowledgments

Adobe would like to thank Michael Yong Park for reporting the relevant 
issue (CVE-2010-0186) and for working with Adobe to help protect our 
customers.

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLdLc2/iFOrG6YcBERAhZqAJ4v5CcXTvgXZ/ayFiBTrW0qTgKtiACfet70
s6oKXZ6+FYcRjWOfd5AfFWk=
=Dt2k
-----END PGP SIGNATURE-----