Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                    ESB-2007.1046 -- [Win][UNIX/Linux]
          Adobe Flash Player Updates for Multiple Vulnerabilities
                             24 December 2007


        AusCERT Security Bulletin Summary

Product:              Adobe Flash Player and earlier
                      Adobe Flash Player and earlier
                      Adobe Flash Player and earlier
Publisher:            US-CERT
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-4324 CVE-2007-6242 CVE-2007-4768
                      CVE-2007-5275 CVE-2007-6243 CVE-2007-6244
                      CVE-2007-6245 CVE-2007-6246 CVE-2007-5476

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

	   National Cyber Alert System
   Technical Cyber Security Alert TA07-355A

Adobe Updates for Multiple Vulnerabilities

   Original release date: December 21, 2007
   Last revised: --
   Source: US-CERT

Systems Affected

     * Adobe Flash Player and earlier
     * Adobe Flash Player and earlier
     * Adobe Flash Player and earlier


   Adobe has released Security bulletin APSB07-20 to address multiple
   vulnerabilities affecting Adobe Flash Player. Attackers could exploit
   these vulnerabilities to execute arbitrary code, perform DNS rebinding
   and cross-site scripting attacks, conduct port scans, or cause a
   denial of service.

I. Description

   Adobe Security Update APSB07-20 addresses a number of vulnerabilities
   affecting Adobe Flash and earlier, and earlier and
   7.0.70 and earlier. Further details are available in the related
   vulnerability notes.

   An attacker could exploit these vulnerabilities by convincing a user
   to load a specially crafted Flash file. Flash content is widely
   deployed on the internet. An attacker could distribute Flash files
   using web sites that allow user-supplied content, like popular social
   networking sites.

II. Impact

   The impacts of these vulnerabilities vary. An attacker may be able to
   execute arbitrary code, perform DNS rebinding or cross-site scripting
   attacks, conduct port scans, or cause a denial of service.

III. Solution

Upgrade Flash Player

   Upgrade Flash Player according to the information in Adobe Security
   bulletin APSB97-20. For the port scanning issue (CVE-2007-4324),
   consider ActionScript network socket functionality per TechNote

   Adobe provides a way to determine which version of Flash Player is
   installed and a way to configure notifications of updates.

IV. References

    * Vulnerability notes for Adobe Security Update APSB07-20 -
    * Adobe Security Bulletin APSB07-20 - <http://www.adobe.com/support/security/bulletins/apsb07-20.html>
    * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>

   The most recent version of this document can be found at:


   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA07-355A Feedback VU#758769" in the

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

   Produced 2007 by US-CERT, a government organization.

   Terms of use:


Revision History

   December 21, 2007: Initial release
Version: GnuPG v1.2.1 (GNU/Linux)


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967