Security bulletin

Security Advisory for Flash Player, Adobe Reader and Acrobat

Release date: June 4, 2010

Last updated: June 29, 2010

Vulnerability identifier: APSA10-01

CVE number: CVE-2010-1297

Platform: All

Summary

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.

Adobe has released a product update to Adobe Flash Player to resolve the relevant security issue. For more information, please refer to Security Bulletin APSB10-14.

Adobe has released product updates to Adobe Reader and Acrobat to resolve the relevant security issue. For more information, please refer to Security Bulletin APSB10-15.

Please note that the Acrobat and Reader update represents an accelerated release of the next quarterly security update originally scheduled for July 13, 2010. With this accelerated scheduled we do not plan to release any new updates for Adobe Reader and Acrobat on July 13, 2010.

Affected software versions

Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris

Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX

Note: Adobe Reader and Acrobat 8.x are confirmed not vulnerable.

Severity rating

Adobe categorizes this as a critical issue.

Revisions

June 29, 2010 - Advisory updated with link to Security Bulletin APSB10-15 that resolves the security issue for Adobe Reader and Acrobat.

June 10, 2010 - Advisory updated with link to Security Bulletin APSB10-14 that resolves the security issue for Adobe Flash Player.

June 8, 2010 - Added information to note that the upcoming Adobe Reader and Acrobat update represents the next quarterly security release, originally scheduled for July 13, 2010.

June 7, 2010 - Update schedule information added, and instructions for Macintosh and UNIX added to 'Mitigations' section.

June 4, 2010 - Advisory released.