A vulnerability has been identified in Adobe Flash Player for Linux, which could be exploited by remote attackers to compromise a vulnerable system. This issue is caused due to the application processing via a "system()" call arguments supplied via the "ASnative" function, which could be exploited by attackers to inject arbitrary shell commands by tricking a user into visiting a malicious web page or opening a specially crafted SWF file.

Affected Products

Adobe Flash Player for Linux version 10.0.12.36 and prior
Adobe Flash Player for Linux version 9.0.151.0 and prior

Solution

Upgrade to Flash Player for Linux version 10.0.15.3 :
http://get.adobe.com/flashplayer

Upgrade to Flash Player for Linux version 9.0.152.0 :
http://www.adobe.com/go/kb406791

References

http://www.vupen.com/english/advisories/2008/3449
http://www.adobe.com/support/security/bulletins/apsb08-24.html

In-depth Binary Analysis

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 

Private Exploit or PoC

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 

Credits

Vulnerability reported by the vendor.

Changelog

2008-12-17 : Initial release
2008-12-30 : Updated Description

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.