Multiple Vulnerabilities in Adobe Reader, Acrobat, Flash Player and AIR

Number: AV10-007
Date: 16 February 2010

Purpose

The purpose of this advisory is to bring attention to multiple vulnerabilities in Adobe Reader, Acrobat, Flash Player and AIR.

Assessment

A critical vulnerability has been identified in Adobe Flash Player and Adobe AIR that could subvert the domain sandbox and make unauthorized cross-domain requests.

Affected software versions:

  • Adobe Flash Player 10.0.42.34 and earlier
  • Adobe AIR version 1.5.3.9120 and earlier

Adobe recommends the following actions:

  • Upgrade to Adobe Flash Player 10.0.45.2
  • Upgrade to Adobe AIR 1.5.3.9130.

A critical vulnerability has been identified in Adobe Reader and Adobe Acrobat. As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Affected versions:

  • Adobe Reader 9.3 for Windows, Macintosh and UNIX
  • Adobe Acrobat 9.3 for Windows and Macintosh
  • Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh.

Adobe recommends the following actions:

  • Update to Adobe Reader 9.3.1.
    Note: For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3.1, Adobe has provided the Adobe Reader 8.2.1 update.
  • If using Acrobat 9.3 and earlier, update to Adobe Acrobat 9.3.1.
  • If using Acrobat 8.2 and earlier, update to Acrobat 8.2.1.

CVE reference:
CVE-2010-0186, CVE-2010-0187, CVE-2010-0188

Suggested Action

CCIRC recommends that administrators identify affected products, test and deploy these updates according to their Release Management practices at the earliest opportunity.
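
The identification step above, sketched as an added example (not CCIRC or Adobe code): it classifies software inventory rows against the fixed versions named in this advisory. The inventory rows are constructed, and returning "review" for a Reader or Acrobat branch other than 8.x or 9.x is an assumption of the example.

```python
import re

# Fixed versions as stated in advisory AV10-007. A key of None covers every
# installed version of the product; an integer key is the major branch.
FIXED = {
    "flash player": {None: "10.0.45.2"},
    "air": {None: "1.5.3.9130"},
    "reader": {9: "9.3.1", 8: "8.2.1"},
    "acrobat": {9: "9.3.1", 8: "8.2.1"},
}

def parse_version(text):
    """Turn '9.3' or '10.0.42.34' into a tuple of ints; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_older(installed, fixed):
    """Compare after zero-padding, so 9.3.1 and 9.3.1.0 count as equal."""
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) < pad(fixed)

def assess(product, version):
    """Return 'vulnerable', 'patched' or 'review' for one inventory row."""
    branches = FIXED.get(product.lower().replace("adobe", "").strip())
    if branches is None:
        return "review"          # product not covered by this advisory
    try:
        installed = parse_version(version)
    except ValueError:
        return "review"          # version string needs a human look
    fixed = branches.get(None) or branches.get(installed[0])
    if fixed is None:
        return "review"          # assumption: unlisted branch is not auto-classified
    return "vulnerable" if is_older(installed, parse_version(fixed)) else "patched"

# Constructed inventory rows (host, product, version) for illustration only.
INVENTORY = [
    ("ws-01", "Adobe Flash Player", "10.0.42.34"),
    ("ws-02", "Adobe Acrobat", "8.2.1"),
    ("ws-03", "Adobe Reader", "7.1.4"),
]

def triage(rows):
    return [(host, prod, ver, assess(prod, ver)) for host, prod, ver in rows]

if __name__ == "__main__": print(*triage(INVENTORY), sep="\n")
```

Rows marked "review" are the ones the advisory's version lists do not settle on their own and should be checked by hand.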

References:
http://www.adobe.com/support/security/bulletins/apsb10-06.html
http://www.adobe.com/support/security/bulletins/apsb10-07.html

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca