
SANS ISC InfoSec Handlers Diary Blog



Adobe Flash Player and AIR patched

Published: 2009-12-09
Last Updated: 2009-12-10 00:54:00 UTC
by Swa Frantzen (Version: 4)

Adobe's almost universally installed Flash Player has been updated to version 10.0.42.34. Adobe AIR was upgraded as well, to version 1.5.3.

Read more about it in the APSB09-19 bulletin from Adobe.

The reason behind it is 7 vulnerabilities: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800 and CVE-2009-3951. Of these, 6 lead to arbitrary code execution, and the last one is a Windows-only issue leading to unauthorized information disclosure, related to CVE-2008-4820.

"Upgrade!" is the loud and clear message, should our audience need that encouragement.

At this point we have no guidance for users wishing to know more about version 9 of the Flash Player, aside from considering an upgrade to the latest incarnation of version 10.

Thanks for the heads-up go to David and Andrew.

UPDATE 1:

Martin wrote in with a link to the download page for those with licenses (where you can get e.g. MSI packages), which states: "As of December 8, 2009, Flash Player 9 is no longer available for distribution. All Licensees should now distribute Flash Player 10". I guess that implies those still holding out on Flash Player 9 have but one path forward.

UPDATE 2:

We were informed by a reader that the now-removed link to the download page for those with licenses is in fact a secret link. From the email Adobe sends to the customers who rightfully get this link:

**********
You may not share the above link, share information with others, or publish the above link on websites, blogs, or by any other means that can be publicly accessed. The information contained on this site is meant for your use only in accordance with Adobe Flash Player Distribution License Agreement you accepted. You may direct others to http://www.adobe.com/products/players/fpsh_distribution1.html to request distribution rights.


Regards,

Adobe Systems Incorporated
***********

We didn't know about it being a secret link, and we apologize for unknowingly exposing it.

If anybody knows a non-secret link that clearly states Flash Player 9 is at the end of its updates, please send it to us, as it's the kind of pressure some out there need in order to be allowed to upgrade the software.

UPDATE 3:

Flash Player 9 updates for unsupported platforms are available in KB 406791. Note that this is intended for those still using OSes no longer supported by their respective vendors, such as Windows 98, Windows ME, MacOS X 10.1-10.3, and Red Hat Enterprise Linux 3 and 4, who cannot run Flash Player 10. Note that Adobe nowhere said these were updated to fix the same bugs as those fixed in Flash Player 10: use at your own risk.

--
Swa Frantzen -- Section 66

Keywords: adobe flash patches