Date: 16 October 2008
References: ESB-2007.1046 ESB-2008.0249 ESB-2008.0310 ESB-2008.0367 ESB-2008.1008 ESB-2008.1028 ESB-2008.1042 ESB-2009.0021
===========================================================================
AA-2008.0213 AUSCERT Advisory
[Win][UNIX/Linux]
Adobe has released version 10.0.12.36 of Flash Player
correcting five potential vulnerabilities
16 October 2008
---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product:              Adobe Flash Player prior to 10.0.12.36
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Access Confidential Data
                      Provide Misleading Information
                      Inappropriate Access
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-4503 CVE-2008-4401 CVE-2008-3873
                      CVE-2007-6243 CVE-2007-4324
Member content until: Thursday, November 13 2008
Ref:                  ESB-2008.0367
                      ESB-2008.0310
                      ESB-2008.0249
                      ESB-2007.1046
OVERVIEW
Adobe has released version 10.0.12.36 of Flash Player which
corrects five (5) potential security vulnerabilities. [1]
IMPACT
The following issues or vulnerabilities are addressed by this
update: [1,2]
CVE-2008-4503:
This vulnerability allows an attacker to trick the user into clicking an
apparently harmless section of a Flash animation, which then passes the
click on to an unintended control (such as the user's camera and/or
microphone settings). This is known as "clickjacking".
CVE-2007-6243:
The update addresses a potential problem in cross-domain policy handling
that may allow attackers to obtain information they should not be able
to access.
CVE-2007-4324:
The update addresses a port scanning issue in previous versions
of Flash Player.
CVE-2008-3873:
This vulnerability would allow an attacker to gain access to
clipboard data that they should not be able to access.
CVE-2008-4401:
The update addresses a potential security problem with uploading and
downloading files. Previously these operations could be triggered by any
user interaction; they are now restricted to specific file-related
interactions.
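The cross-domain policy item above (CVE-2007-6243) concerns how Flash Player honours a site's crossdomain.xml. The following checker is an added example, not part of this advisory or of Adobe's code; it audits a crossdomain.xml document for the permissive settings a site owner should avoid, using a constructed sample policy.

```python
# Added example: audit an Adobe crossdomain.xml policy for permissive
# settings. The policy below is constructed for illustration only.
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.example.com"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""


def audit_crossdomain(xml_text):
    """Return a list of findings (empty list means no issue found)."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    # A master policy should state its meta-policy explicitly; Flash
    # Player 10 defaults to "master-only", and "all" lets any file on the
    # host be treated as a policy file.
    site_control = root.find("site-control")
    if site_control is None:
        findings.append("missing <site-control permitted-cross-domain-policies=...>")
    elif site_control.get("permitted-cross-domain-policies") == "all":
        findings.append("meta-policy 'all' treats any file on the host as a policy")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*' grants every origin read access")
        # secure defaults to true; false lets HTTP-served content read HTTPS data
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"allow-access-from {domain!r} sets secure='false'")

    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers") == "*":
            findings.append("any origin may send arbitrary request headers (domain='*' headers='*')")
    return findings


if __name__ == "__main__":
    for finding in audit_crossdomain(SAMPLE_POLICY):
        print("-", finding)
```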
MITIGATION
Upgrade to Flash Player version 10.0.12.36 or later. [3]
REFERENCES
[1] Flash Player update available to address security vulnerabilities
http://www.adobe.com/support/security/bulletins/apsb08-18.html
[2] Understanding the security changes in Flash Player 10
http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html
[3] Download the free Flash Player now!
http://www.adobe.com/go/getflashplayer
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================