Note: This is an archival copy of Security Sun Alert 254909 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020254.1.
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
Multiple Security Vulnerabilities in the Adobe Flash Player for Solaris 10 (Adobe Security Bulletin APSB09-01)
Multiple security vulnerabilities in Adobe Flash Player distributed with Solaris may allow a remote unprivileged user to execute arbitrary commands with the privileges of a local user on the system, or cause the web browser to crash if a malicious Shockwave Flash (SWF) file is loaded with the affected plugin. Being able to crash a web browser is a type of Denial of Service (DoS).
In addition, a 'clickjacking' vulnerability in the Adobe Flash Player Settings Manager may allow a remote user to obtain sensitive information or execute arbitrary code on the system if a local user clicks on misleading Adobe Flash Player dialogues.
These issues are described in the following documents:
Adobe Security Bulletin APSB09-01 at http://www.adobe.com/support/security/bulletins/apsb09-01.html
CVE-2009-0519 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0519
CVE-2009-0520 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0520
CVE-2009-0114 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0114
2. Contributing Factors
These issues can occur in the following releases:
1. These issues can occur in Adobe Flash Player version 9.0 r151 and earlier for Solaris 10.
2. Solaris 8 and Solaris 9 are not affected by these issues.
OpenSolaris distributions may include additional bug fixes above and beyond the build from which they were derived. The base build can be derived as follows:
$ uname -a
The Adobe Flash Player shipped with Solaris is a web browser plugin, meaning that the web browser should be used to determine the version of the Flash Player in use. For example, when using the Mozilla Browser, visit the following URL:
and search for the Flash Player in the list of plugins.
There are no predictable symptoms that would indicate the described issues have been exploited.
To avoid these issues until patches become available, Adobe Flash Player can be removed from the system by using the pkgrm(1) utility to remove the SUNW-flash-player-plugin package.
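The version check and workaround above can be scripted for triage. The following is an added example, not part of the original Sun Alert: the function name flash_affected and the "Shockwave Flash <major>.<minor> r<release>" description format are assumptions, and the sample strings are constructed.

```shell
#!/bin/sh
# Classify a Flash Player plugin description string against the range this
# advisory states for Solaris 10: "version 9.0 r151 and earlier".
# Exit status: 0 = in the affected range
#              1 = a 9.0 release later than r151
#              2 = unparseable, or outside what the advisory states
flash_affected() {
    # Assumed format: "Shockwave Flash <major>.<minor> r<release>"
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^.*Flash \([0-9][0-9]*\)\.\([0-9][0-9]*\) r\([0-9][0-9]*\).*$/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    major=$1 minor=$2 rel=$3
    # "and earlier": any major version below 9 falls in the stated range.
    if [ "$major" -lt 9 ]; then return 0; fi
    # The advisory says nothing about 9.x (x > 0) or 10 and later.
    if [ "$major" -gt 9 ] || [ "$minor" -gt 0 ]; then return 2; fi
    # 9.0 r<rel>: affected up to and including r151.
    [ "$rel" -le 151 ]
}

# Constructed sample descriptions, as they would be copied from the
# browser's plugin list on each host.
for desc in "Shockwave Flash 9.0 r124" "Shockwave Flash 9.0 r151" \
            "Shockwave Flash 9.0 r159" "Shockwave Flash 10.0 r22"; do
    rc=0
    flash_affected "$desc" || rc=$?
    case $rc in
        0) echo "$desc: AFFECTED - patch, or pkgrm SUNW-flash-player-plugin" ;;
        1) echo "$desc: later than 9.0 r151" ;;
        *) echo "$desc: not covered by the stated range, check APSB09-01" ;;
    esac
done
```

A status of 2 means only that this advisory's stated range does not cover the version; consult the Adobe bulletin before treating such a host as unaffected.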
These issues are addressed in the following releases:
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
06-Apr-2009: Updated Contributing Factors and Resolution sections; issue Resolved