  NICK ADSL UK Premium,MVM join:2004-02-22
| Flash Player update available to address security vulnerabilities
Release date: December 18, 2007
Vulnerability identifier: APSB07-20
CVE number: CVE-2007-6242, CVE-2007-4768, CVE-2007-5275, CVE-2007-6243, CVE-2007-6244, CVE-2007-6245, CVE-2007-4324, CVE-2007-6246, CVE-2007-5476
Platform: All platforms
Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.
Summary: Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update to the most current version of Flash Player available for their platform.
Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.
To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
Solution: Adobe recommends all users of Adobe Flash Player 9.0.48.0 and earlier versions upgrade to the newest version 9.0.115.0 (Win, Mac, Linux), by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.
Adobe will be providing an update to Adobe Flash Player 9.0.47.0 for Solaris at a later date. Customers can download and install the Flash Player public beta, which addresses these vulnerabilities, from the Adobe Labs site in the meantime.
For customers who cannot upgrade to Adobe Flash Player 9, Adobe has developed a patched version of Flash Player 7. Please refer to the Flash Player update TechNote.
Severity rating: Adobe categorizes this as a critical update and recommends affected users upgrade to version 9.0.115.0 (Win, Mac, Linux).
Details: Multiple input validation errors have been identified in Flash Player 9.0.48.0 and earlier versions that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user's web browser, email client, or other applications that include or reference the Flash Player. (CVE-2007-4768, CVE-2007-6242)
This update introduces functionality to mitigate a potential issue that could potentially aid an attacker in executing a DNS rebinding attack. For more information, see the following Adobe Developer Center article. (CVE-2007-5275)
This update introduces a new, stricter method for Flash Player to interpret cross-domain policy files. These changes could help prevent privilege escalation attacks against web servers hosting Flash content and cross-domain policy files. For more information, see the following Adobe Developer Center article. (CVE-2007-6243)
This update restricts the unsupported asfunction: protocol to address potential cross-site scripting issues with some SWF files. This issue is specific to Flash Player 8 and Flash Player 9 and does not affect Flash Player 7. (CVE-2007-6244)
This update makes changes to the navigateToURL function to prevent potential Universal Cross-Site Scripting attacks. This issue is specific to the Flash Player ActiveX Control and the Internet Explorer Browser. (CVE-2007-6244)
This update resolves an issue that could allow remote attackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks. (CVE-2007-6245)
This update introduces functionality to mitigate a potential port-scanning issue. For more information, see the following Knowledgebase Article. (CVE-2007-4324)
The Linux update for Flash Player addresses a memory permissions issue that could lead to privilege escalation. (CVE-2007-6246)
The Mac update for Flash Player addresses the issue with Flash Player originally reported by Opera and described in Security Advisory APSA07-05. (CVE-2007-5476)
»www.adobe.com/support/security/b···-20.html
download »www.adobe.com/shockwave/download···aveFlash -- Wilders Security Forum Admin Microsoft MVP-Windows Security
|
|
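An added example, not part of the bulletin or of any poster's reply: a small checker that applies the "affected software versions" ranges quoted above to every Flash Player copy found on a machine, since the bulletin asks for the check to be repeated per browser. The host names, install labels and version inventory are constructed sample data.

```python
# Added example: affected-version check built from the ranges quoted in APSB07-20.
# Highest affected build per major branch, as listed in the bulletin.
AFFECTED_CEILING = {9: (9, 0, 48, 0), 8: (8, 0, 35, 0), 7: (7, 0, 70, 0)}

# Constructed sample inventory: host -> {install label -> reported version}.
SAMPLE_INVENTORY = {
    "ws-01": {"ie-activex": "9.0.115.0", "firefox-plugin": "9.0.47.0"},
    "ws-02": {"ie-activex": "9,0,115,0"},
    "ws-03": {"firefox-plugin": "8.0.35.0", "ie-activex": "6.0.79.0"},
}


def parse_version(text):
    """Turn '9.0.48.0' (or the comma form '9,0,48,0') into a 4-tuple of ints."""
    parts = [int(p) for p in text.strip().replace(",", ".").split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"not a Flash Player version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(text):
    """True if the bulletin's ranges list this build as affected."""
    version = parse_version(text)
    major = version[0]
    if major < 7:
        # Older than the oldest branch named: covered by "7.0.70.0 and earlier".
        return True
    ceiling = AFFECTED_CEILING.get(major)
    if ceiling is None:
        return False  # branch newer than 9 is outside the bulletin's scope
    return version <= ceiling


def audit(inventory):
    """Return host -> sorted affected builds; a host is clean only if every copy is."""
    findings = {}
    for host, installs in inventory.items():
        bad = sorted((v for v in installs.values() if is_affected(v)),
                     key=parse_version)
        if bad:
            findings[host] = bad
    return findings


if __name__ == "__main__":
    for host, builds in audit(SAMPLE_INVENTORY).items():
        print(host, "still has affected Flash Player builds:", ", ".join(builds))
```

A host is reported as long as any one copy falls in an affected range, which is why updating a single browser's plugin does not clear it.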
  NICK ADSL UK Premium,MVM join:2004-02-22
edit: December 19th, @07:26AM
| With regard to the above update, please do make sure you are using the latest build. You can check that here. Also please note that this update was posted originally on the 3rd of December; what has been updated remains unclear at this time, as the build remains the same. Nonetheless, it is important to make sure you have this latest build »www.adobe.com/products/flash/about/ |
|
  pangu
@anonymouse.org
| reply to NICK ADSL UK The Linux update for Flash Player addresses a memory permissions issue that could lead to privilege escalation. (CVE-2007-6246)  »www.adobe.com/support/security/b···-20.html |
|
  Grail Knight Who Dares Wins Premium join:2003-05-31 Erie, PA
·Verizon Online DSL
| reply to NICK ADSL UK Thanks.
The Flash Player Uninstaller is available from here:
»www.adobe.com/shockwave/download/alternates/
Users should also check their Flash Player Security settings after updating.
Flash Player Security Panel -- "It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts." - Sherlock Holmes |
|
  MagMan Life is simpler when you tell the truth. Premium join:2003-10-01 Westlake, OH | reply to NICK ADSL UK Thanks Guys got it.  |
|
 SUMware Premium join:2002-05-21 | reply to NICK ADSL UK Looks like this is the same version that was released on Dec. 3. |
|
  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX | reply to NICK ADSL UK Thanks for the info. |
|
 delta7000 Premium join:2003-10-13 Buffalo, NY
| reply to NICK ADSL UK If I'm reading the info posted by Nick correctly these are the only versions affected:
Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.
If you updated on Dec 3rd to the latest version you don't need to add this. |
|
  AB Premium join:2006-04-04 Leesburg, VA
| reply to NICK ADSL UK »secunia.com/advisories/28161/
--------------------------- The vulnerabilities are reported in versions prior to 9.0.115.0.
Solution: Update to version 9.0.115.0. --------------------------- |
|
  Vista RTM
join:2006-09-13 ChilliwackBC | reply to NICK ADSL UK Why don't they say all the darn versions are vulnerable? Every version they ever had gets toasted, can't they get it right?  |
|
  MarkAW Call me lil bratt Premium join:2001-08-27 Canada
·Bell Sympatico
| reply to delta7000
said by delta7000: If I'm reading the info posted by Nick correctly these are the only versions affected: Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier. If you updated on Dec 3rd to the latest version you don't need to add this.
That's what I was thinking as well, because I have had this update since December 4th 2007. So what are they trying to say, that the 9.0.115.0 is vulnerable as well or what?
-- Advertising is legalized lying. - H.G. Wells Pleasure in the job puts perfection in the work. - Aristotle |
|
  AB Premium join:2006-04-04 Leesburg, VA
edit: December 20th, @12:46AM
| said by MarkAW: . . are they trying to say that the 9.0.115.0 is vulnerable as well or what?
The Secunia info I posted 2 posts above yours is dated the 19th of December, 2007, fwiw.
*Edit- Also, quoted from Nick's Original Post:
"Severity rating: Adobe categorizes this as a critical update and recommends affected users upgrade to version 9.0.115.0 (Win, Mac, Linux)." |
|
 noway1
join:2004-11-29 | reply to NICK ADSL UK Managed to get the Adobe Acrobat reader crapware off this computer by substituting PDF-XChange PDF Viewer. Anyone heard of any way to substitute something for the Adobe Flash crapware? (Sick of regular vulnerabilities requiring regular upgrades). |
|
  MarkAW Call me lil bratt Premium join:2001-08-27 Canada
·Bell Sympatico
edit: December 20th, @01:00AM
| reply to AB AB thanks, I saw your post and I was at the Secunia website earlier today using their scanner and wasn't warned about my Adobe Flash Player being outdated, plus I knew I had the latest version installed, like I said, since Dec 4th (15 days before this Adobe warning was posted). I guess what I am trying to say is why are they now posting this warning when people were asked to update to 9.0.115.0 15 days ago. »[Update] Adobe Flash Player 9.0.115.0 -- Advertising is legalized lying. - H.G. Wells Pleasure in the job puts perfection in the work. - Aristotle |
|
  AB Premium join:2006-04-04 Leesburg, VA
| said by MarkAW: . . I guess what I am trying to say is why are they now posting this warning when people were asked to update to 9.0.115.0 15 days ago.
I think it's unlikely that the vast majority update their Flash player within two or three weeks of a new version coming out, don't you?
Half the computers in this world that have Flash probably still have a 6.x or 7.x version on them. |
|
  MarkAW Call me lil bratt Premium join:2001-08-27 Canada | Yeah, I guess you're right. Thanks.  |
|
  AB Premium join:2006-04-04 Leesburg, VA
| reply to noway1
said by noway1: . . Anyone heard of any way to substitute something for the Adobe Flash crapware? (Sick of regular vulnerabilities requiring regular upgrades).
Microsoft Corp. now makes a competing crapware-- 'SilverLight' (or 'SilverNight', as Giorgio Maone, developer of the 'NoScript' extension for Firefox refers to it). Whether or not it simply competes, or was designed as replacement crapware, I couldn't tell you off-hand. |
|
 redwolfe_98
join:2001-06-11
·RoadRunner Cable
| reply to NICK ADSL UK thanks for posting the notice, nick, about the flash player security vulnerability.. i didn't install the new flash player, before, because there was no information saying that the update was needed and, also, i looked in the adobe forums and some people were having problems with the new update, so i passed on it.. however, when the update is necessary, in order to address security vulnerabilities, then i update.. |
|
  mouse Premium join:2007-03-29 australia
·OptusNet
| reply to NICK ADSL UK I did a security check via secunia and noticed that I had two versions of flashplayer installed. Adobe Flash and Macromedia Flash - these were listed individually with the recommendation to upgrade as per advice in this thread. I looked for detailed instructions on the adobe site but did not find anything. I then uninstalled via add/remove the only apparent version of the Adobe flashplayer and reinstalled the latest version 9.0.115.0. Redoing the secunia scan, this is now shown as secure/correct version but I am still shown the additional version of Macromedia Flash Player 6.084.0. How can I get rid of this? I tried the uninstall mentioned somewhere earlier in this thread but this only took care of the new version? |
|
  Cudni La Merma - Los De Aca Premium,MVM join:2003-12-20 Someshire | Just delete the file referenced; it should give you the location it was found in.
Cudni |
|