openSUSE update for flash-player
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 15 |
| CVE-ID | CVE-2010-0190 CVE-2010-0191 CVE-2010-0192 CVE-2010-0193 CVE-2010-0194 CVE-2010-0195 CVE-2010-0196 CVE-2010-0197 CVE-2010-0198 CVE-2010-0199 CVE-2010-0201 CVE-2010-0202 CVE-2010-0203 CVE-2010-0204 CVE-2010-1241 |
| CWE-ID | CWE-79 CWE-20 CWE-119 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #15 is being exploited in the wild. |
| Vulnerable software Subscribe |
Adobe Acrobat Client/Desktop applications / Office applications Adobe Reader Client/Desktop applications / Office applications |
| Vendor | Adobe |
Security Bulletin
This security bulletin contains information about 15 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU4602
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0190
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionVulnerability allows a remote authenticated attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X. A remote attacker can trick the victim to open a specially specially crafted PDF file and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Mitigation
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU4603
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0191
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to input validation error when handling protocol URIs. A remote attacker can create a specially crafted shortcut, trick the victim into clicking it and execute arbitrary commands on the target system with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
MitigationUpdate the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU4604
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0192
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to input validation error when processing PDF files in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X. A remote attacker can create a specially specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability will result in system compromise.
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU4606
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0193
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to input validation error when processing PDF files in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X. A remote attacker can create a specially specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability will result in system compromise.
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU4607
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0194
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to input validation error when processing PDF files in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X. A remote attacker can create a specially specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability will result in system compromise.
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Memory corruption
EUVDB-ID: #VU4611
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0195
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to boundary error when processing fonts within PDF files. A remote attacker can create a specially specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability will result in system compromise.
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU4612
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0196
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to input validation error when processing PDF files in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X. A remote attacker can create a specially specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability will result in system compromise.
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Input validation error
EUVDB-ID: #VU4613
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0197
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to input validation error when processing PDF files in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X. A remote attacker can create a specially specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability will result in system compromise.
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Buffer overflow
EUVDB-ID: #VU4614
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0198
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to boundary error when processing PDF files in Adobe Reader and Acrobat. A remote attacker can create a specially specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability will result in system compromise.Mitigation
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Buffer overflow
EUVDB-ID: #VU4615
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0199
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to boundary error when processing PDF files in Adobe Reader and Acrobat. A remote attacker can create a specially specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability will result in system compromise.Mitigation
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Input validation error
EUVDB-ID: #VU4616
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0201
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to input validation error when processing PDF files in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X. A remote attacker can create a specially specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability will result in system compromise.
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Input validation error
EUVDB-ID: #VU4617
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0202
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to input validation error when processing PDF files in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X. A remote attacker can create a specially specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability will result in system compromise.
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Input validation error
EUVDB-ID: #VU4618
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0203
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to input validation error when processing PDF files in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X. A remote attacker can create a specially specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability will result in system compromise.
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Input validation error
EUVDB-ID: #VU4619
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-0204
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to input validation error when processing PDF files in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X. A remote attacker can create a specially specially crafted PDF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability will result in system compromise.
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Heap-based buffer overflow
EUVDB-ID: #VU4620
Risk: Critical
CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C]
CVE-ID: CVE-2010-1241
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in the custom heap management system in Adobe Reader and Acrobat. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Mitigation
Update the affected packages.
Adobe Acrobat: 8.0 - 9.3.1
Adobe Reader: 8.0 - 9.3.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00004.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
