GLSA-200908-04 : Adobe products: Multiple vulnerabilities

high Nessus Plugin ID 40520
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 9.2

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200908-04 (Adobe products: Multiple vulnerabilities)

Multiple vulnerabilities have been reported in Adobe Flash Player:
lakehu of Tencent Security Center reported an unspecified memory corruption vulnerability (CVE-2009-1862).
Mike Wroe reported an unspecified vulnerability, related to 'privilege escalation' (CVE-2009-1863).
An anonymous researcher through iDefense reported an unspecified heap-based buffer overflow (CVE-2009-1864).
Chen Chen of Venustech reported an unspecified 'NULL pointer vulnerability' (CVE-2009-1865).
Chen Chen of Venustech reported an unspecified stack-based buffer overflow (CVE-2009-1866).
Joran Benker reported that Adobe Flash Player facilitates 'clickjacking' attacks (CVE-2009-1867).
Jun Mao of iDefense reported a heap-based buffer overflow, related to URL parsing (CVE-2009-1868).
Roee Hay of IBM Rational Application Security reported an unspecified integer overflow (CVE-2009-1869).
Gareth Heyes and Microsoft Vulnerability Research reported that the sandbox in Adobe Flash Player allows for information disclosure, when 'SWFs are saved to the hard drive' (CVE-2009-1870).
Impact :

A remote attacker could entice a user to open a specially crafted PDF file or website containing Adobe Flash (SWF) contents, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service (application crash). Furthermore, a remote attacker could trick a user into clicking a button on a dialog by supplying a specially crafted SWF file and disclose sensitive information by exploiting a sandbox issue.
Workaround :

There is no known workaround at this time.

Solution

All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=www-plugins/adobe-flash-10.0.32.18' All Adobe Reader users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=app-text/acroread-9.1.3'

See Also

https://security.gentoo.org/glsa/200908-04

Plugin Details

Severity: High

ID: 40520

File Name: gentoo_GLSA-200908-04.nasl

Version: 1.25

Type: local

Published: 8/10/2009

Updated: 1/6/2021

Dependencies: ssh_get_info.nasl

Risk Information

Risk Factor: High

VPR Score: 9.2

CVSS v2.0

Base Score: 9.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:acroread, p-cpe:/a:gentoo:linux:adobe-flash, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/7/2009

Exploitable With

CANVAS (CANVAS)

Core Impact

Reference Information

CVE: CVE-2009-1862, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870

GLSA: 200908-04

CWE: 59, 94, 119, 189, 200, 264