Vulnerability identifier: #VU1427

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2009-1867

CWE-ID: CWE-59

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Adobe AIR
Client/Desktop applications / Multimedia software
Adobe Flash Player
Client/Desktop applications / Plugins for browsers, ActiveX components

Vendor: Adobe

Description
The vulnerability allows a remote attacker to hijack the clicking action of the victim.

The vulnerability exists in IBM Security Identity Manager Virtual Appliance. A remote attacker can hijack the target user's mouse clicks and take actions on the site acting as the target user by tricking the victim into visiting a malicious web site.

Successful exploitation of this vulnerability may result in disclosure of user information.

Mitigation
Update Adobe Flash Player 9.x and earlier to version 9.0.246.0:
http://www.adobe.com/support/flashplayer/downloads.html#fp9
Update Adobe Flash Player 10.x to version 10.0.32.18:
http://www.adobe.com/go/getflashplayer
Update Adobe Air to version 1.5.2.
http://get.adobe.com/air/

Vulnerable software versions

Adobe AIR: 1.0 - 1.5.2

Adobe Flash Player: 9.0.124.0 - 10.0.32.18

---

External links
http://www.adobe.com/support/security/bulletins/apsb09-10.html

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.