SB2010090101 - openSUSE update for flash-player 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2010090101

SB2010090101 - openSUSE update for flash-player

Published: September 1, 2010

Security Bulletin ID SB2010090101
Severity
Critical
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 13% High 63% Medium 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Memory corruption (CVE-ID: CVE-2010-0209)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when processing .swf files. A remote unauthenticated attacker can create a specially crated .swf file, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Code execution (CVE-ID: CVE-2010-1240)

The vulnerability allows a remote attacker to compromise vulnerable system using social engineering attack.

The vulnerability exists due to unspecified error. A remote attacker can use social engineering attack to trick the victim into executing arbitrary code on vulnerable system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.


3) Memory corruption (CVE-ID: CVE-2010-2188)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when processing .swf files. A remote unauthenticated attacker can create a specially crated .swf file, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


4) Memory corruption (CVE-ID: CVE-2010-2213)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to multiple boundary errors when processing .swf files. A remote unauthenticated attacker can create a specially crated .swf file, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


5) Memory corruption (CVE-ID: CVE-2010-2214)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when processing .swf files. A remote unauthenticated attacker can create a specially crated .swf file, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


6) Click-jacking attack (CVE-ID: CVE-2010-2215)

The vulnerability allows a remote attacker to perform click-jacking attacks.

The vulnerability exists due to input validation error when processing untrusted data. A remote unauthenticated attacker can create a specially crated .swf file, trick the victim into opening it and perform click-jacking attack.

Successful exploitation of this vulnerability may allow an attacker to gain access to potentially sensitive date or perform phishing attacks.


7) Memory corruption (CVE-ID: CVE-2010-2216)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when processing .swf files. A remote unauthenticated attacker can create a specially crated .swf file, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


8) Integer overflow (CVE-ID: CVE-2010-2862)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in CoolType.dll when processing TrueType fonts with a large maxCompositePoints value in a Maximum Profile (maxp) table within PDF files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: this vulnerability is being actively exploited in the wild.



Remediation

Install update from vendor's website.

References