Zero-day flaw in Adobe Flash Player already being exploited in the wild

Adobe has issued the following Security Advisory for Flash Player:

Release date: September 13, 2010
Vulnerability identifier: APSA10-03
CVE number: CVE-2010-2884

Platform: All

SUMMARY

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

AFFECTED SOFTWARE VERSIONS

Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android
Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh
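
As an added example, not part of Adobe's advisory or this post, the following inventory check encodes the affected-version list above and compares versions numerically rather than as strings; the hostnames and the 10.1.100.0 build in the sample data are constructed.

```python
# Added example, not part of the advisory: a defender-side inventory check for
# APSA10-03 / CVE-2010-2884. Thresholds are the versions the advisory names;
# "max" = that version and earlier, "exact" = only the named build (Android).
AFFECTED = {
    ("Flash Player", "Windows"):   {"max": "10.1.82.76"},
    ("Flash Player", "Macintosh"): {"max": "10.1.82.76"},
    ("Flash Player", "Linux"):     {"max": "10.1.82.76"},
    ("Flash Player", "Solaris"):   {"max": "10.1.82.76"},
    ("Flash Player", "Android"):   {"exact": "10.1.92.10"},
    ("Reader", "Windows"):   {"max": "9.3.4"},
    ("Reader", "Macintosh"): {"max": "9.3.4"},
    ("Reader", "UNIX"):      {"max": "9.3.4"},
    ("Acrobat", "Windows"):   {"max": "9.3.4"},
    ("Acrobat", "Macintosh"): {"max": "9.3.4"},
}

def parse_version(v: str) -> tuple:
    """Turn '10.1.82.76' into (10, 1, 82, 76) so comparison is numeric:
    as strings, '10.1.100.0' < '10.1.82.76', which would mark a patched
    host as vulnerable or, worse, a vulnerable host as safe."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)

def is_affected(product: str, platform: str, version: str):
    """True/False per the advisory; None if it does not cover this pair."""
    rule = AFFECTED.get((product, platform))
    if rule is None:
        return None
    installed = parse_version(version)
    if "exact" in rule:
        return installed == parse_version(rule["exact"])
    return installed <= parse_version(rule["max"])

# Constructed sample inventory (hostnames and the 10.1.100.0 build are made up).
SAMPLE_INVENTORY = [
    ("host-a", "Flash Player", "Windows", "10.1.82.76"),
    ("host-b", "Flash Player", "Windows", "10.1.100.0"),
    ("host-c", "Flash Player", "Android", "10.1.92.10"),
    ("host-d", "Reader", "UNIX", "9.3.3"),
    ("host-e", "Acrobat", "Macintosh", "9.4.0"),
]

def triage(inventory) -> list:
    """Hostnames that still need the APSA10-03 update."""
    return [host for host, prod, plat, ver in inventory if is_affected(prod, plat, ver)]
```

Pairs the advisory does not name (for example Acrobat on UNIX) return None rather than False, so they are reported as "not covered" instead of being silently treated as safe.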

SEVERITY RATING

Adobe categorizes this as a critical issue.

DETAILS

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml

MacDailyNews Take: Besides peddling bloated, insecure, outmoded crapware, you’re doing a heckuva job, Adobe!

29 Comments

  1. Wow, do you guys (and possibly girls) realize that if this were being exploited in the wild on the Mac it would be the second virus for Mac OS 10 ever (not counting proof-of-concept programs)? The first one was back in 2006 (it could only spread over LANs).

    And I am sooo glad there is no Flash on iOS.

  2. >Why do they expect it to take so long to have a fix in place? Seriously. With all of the resources they have at their disposal.

    Very busy peddling Flash on the Android platform. Priorities, man… priorities!!!

  3. About a month ago I just took the Flash plugin and trashed it. (I have ClickToFlash now but I don’t think the Flash works; I just got tired of Safari telling me I needed to update Flash every time I visited macrumers.com.)

  4. The fix is two weeks away? But since it’s a “zero day” vulnerability that has been in “earlier versions for Windows and Macintosh,” that probably means hackers have been stealthily exploiting it for months, maybe years. So what’s another two weeks…?

  5. Ah, I see. Now I know why you didn’t run a story on Apple allowing Adobe Flash developers to make apps. You’re Adobe haters. Look, I love Apple too, MDN, but they are not gods. Give me the name of another desktop/web publishing suite like Adobe’s (not better or worse, just another one) and I’ll go check it out.

  6. @geo

    Totally agree. For a group so superciliously superior toward anything non-Apple, MDN sure spends a lot of time dumping on them. The only bloated thing is MDN’s egos. I’m a big Apple guy too: 2 iMacs, 2 MBPs, iP3G, iP4, and iPods out the ying yang, but I am so tired of the childish rants of MDN.

  7. @Stephen

    “wow do you guys (and possibly girls) realize that if this were being exploited in the wild on the mac it would be the second virus for mac os 10 ever”

    This is NOT A VIRUS. It is flawed POS software.

  8. “Adobe Flash Player 10.1.92.10 for Android”

    There is NO WAY that this story can be true. We all know that if you are small enough (safety by obscurity) no viruses etc. will attack you. Android mobile Flash Player only works on a tiny, tiny number of phones, so there….. fake article…… not true…:-(

    Honest, Steve Ballmer told me that if you’re small NO ONE ever attacks you….. to my face….. LOL

    Just a thought here.
