

NICK ADSL UK
Premium,MVM
join:2004-02-22
kudos:14
Reviews:
·Zen Internet

Flash Player update available to address security vulnerabilities
Release date: December 18, 2007

Vulnerability identifier: APSB07-20

CVE number: CVE-2007-6242, CVE-2007-4768, CVE-2007-5275, CVE-2007-6243, CVE-2007-6244, CVE-2007-6245, CVE-2007-4324, CVE-2007-6246, CVE-2007-5476

Platform: All platforms

Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.

Summary
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update to the most current version of Flash Player available for their platform.

Affected software versions
Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.

To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Solution
Adobe recommends all users of Adobe Flash Player 9.0.48.0 and earlier versions upgrade to the newest version 9.0.115.0 (Win, Mac, Linux), by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

Adobe will be providing an update to Adobe Flash Player 9.0.47.0 for Solaris at a later date. Customers can download and install the Flash Player public beta, which addresses these vulnerabilities, from the Adobe Labs site in the meantime.

For customers who cannot upgrade to Adobe Flash Player 9, Adobe has developed a patched version of Flash Player 7. Please refer to the Flash Player update TechNote.

Severity rating
Adobe categorizes this as a critical update and recommends affected users upgrade to version 9.0.115.0 (Win, Mac, Linux).

Details
Multiple input validation errors have been identified in Flash Player 9.0.48.0 and earlier versions that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player. (CVE-2007-4768, CVE-2007-6242)

This update introduces functionality to mitigate a potential issue that could potentially aid an attacker in executing a DNS rebinding attack. For more information, see the following Adobe Developer Center article. (CVE-2007-5275)

This update introduces a new, stricter method for Flash Player to interpret cross-domain policy files. These changes could help prevent privilege escalation attacks against web servers hosting Flash content and cross-domain policy files. For more information, see the following Adobe Developer Center article. (CVE-2007-6243)

This update restricts the unsupported asfunction: protocol to address potential cross-site scripting issues with some SWF files. This issue is specific to Flash Player 8 and Flash Player 9 and does not affect Flash Player 7. (CVE-2007-6244)

This update makes changes to the navigateToURL function to prevent potential Universal Cross-Site Scripting attacks. This issue is specific to the Flash Player ActiveX Control and the Internet Explorer Browser. (CVE-2007-6244)

This update resolves an issue that could allow remote attackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks. (CVE-2007-6245)

This update introduces functionality to mitigate a potential port-scanning issue. For more information, see the following Knowledgebase Article. (CVE-2007-4324)

The Linux update for Flash Player addresses a memory permissions issue that could lead to privilege escalation. (CVE-2007-6246)

The Mac update for Flash Player addresses the issue with Flash Player originally reported by Opera and described in Security Advisory APSA07-05. (CVE-2007-5476)

»www.adobe.com/support/security/b···-20.html

download
»www.adobe.com/shockwave/download···aveFlash
--
Wilders Security Forum Admin
Microsoft MVP-Windows Security



NICK ADSL UK
Premium,MVM
join:2004-02-22
kudos:14
Reviews:
·Zen Internet

1 edit

With regard to the above update, please do make sure you are using the latest build. You can check that here. Also, please note that this update was posted originally on the 3rd of December; as to what has been updated, that remains unclear at this time, as the build remains the same. Nonetheless, it is important to make sure you have this latest build.
»www.adobe.com/products/flash/about/



pangu

@anonymouse.org

reply to NICK ADSL UK
The Linux update for Flash Player addresses a memory permissions issue that could lead to privilege escalation. (CVE-2007-6246)
»www.adobe.com/support/security/b···-20.html



Grail Knight
Qui audet adipiscitur
Premium
join:2003-05-31
Valhalla
kudos:6
Reviews:
·Time Warner Cable

reply to NICK ADSL UK
Thanks.

The Flash Player Uninstaller is available from here:

»www.adobe.com/shockwave/download/alternates/

Users should also check their Flash Player Security settings after updating.

Flash Player Security Panel
--
"It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts." - Sherlock Holmes



MagMan
Life is simpler when you tell the truth.
Premium
join:2003-10-01
Westlake, OH

reply to NICK ADSL UK
Thanks Guys got it.


SUMware
Premium
join:2002-05-21
kudos:2

reply to NICK ADSL UK
Looks like this is the same version that was released on Dec. 3.



koma3504
Advocate
Premium
join:2004-06-22
North Richland Hills, TX

reply to NICK ADSL UK
Thanks for the info.


tjack
Premium
join:2003-10-13
Buffalo, NY

reply to NICK ADSL UK
If I'm reading the info posted by Nick correctly these are the only versions affected:

Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.

If you updated on Dec 3rd to the latest version you don't need to add this.



AB
Premium
join:2006-04-04
Leesburg, VA
kudos:3
Reviews:
·Verizon Online DSL

reply to NICK ADSL UK
»secunia.com/advisories/28161/

---------------------------
The vulnerabilities are reported in versions prior to 9.0.115.0.

Solution:
Update to version 9.0.115.0.
---------------------------



Sindows 7

join:2006-09-13
Hope, BC

reply to NICK ADSL UK
Why don't they say all the darn versions are vulnerable?
Every version they ever had gets toasted, can't they get it right?



MarkAW
Barry White
Premium
join:2001-08-27
Canada
kudos:16

reply to tjack

said by tjack:

If I'm reading the info posted by Nick correctly these are the only versions affected:

Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.

If you updated on Dec 3rd to the latest version you don't need to add this.
That's what I was thinking as well, because I have had this update since December 4th 2007. So what are they trying to say, that the 9.0.115.0 is vulnerable as well or what?
--
Advertising is legalized lying. - H.G. Wells
Pleasure in the job puts perfection in the work. - Aristotle


AB
Premium
join:2006-04-04
Leesburg, VA
kudos:3
Reviews:
·Verizon Online DSL

1 edit

said by MarkAW:

. . are they trying to say that the 9.0.115.0 is vulnerable as well or what?
The Secunia info I posted 2 posts above yours is dated the 19th of December, 2007, fwiw.

*Edit- Also, quoted from Nick's Original Post:

"Severity rating: Adobe categorizes this as a critical update and recommends affected users upgrade to version 9.0.115.0 (Win, Mac, Linux)."

noway1

join:2004-11-29

reply to NICK ADSL UK
Managed to get the Adobe Acrobat reader crapware off this computer by substituting PDF-XChange PDF Viewer. Anyone heard of any way to substitute something for the Adobe Flash crapware? (Sick of regular vulnerabilities requiring regular upgrades).



MarkAW
Barry White
Premium
join:2001-08-27
Canada
kudos:16

1 edit

reply to AB
AB, thanks. I saw your post and I was at the Secunia website earlier today using their scanner and wasn't warned about my Adobe Flash Player being outdated, plus I knew I had the latest version installed, like I said, since Dec 4th (15 days before this Adobe warning was posted). I guess what I am trying to say is: why are they now posting this warning when people were asked to update to 9.0.115.0 15 days ago?
»[Update] Adobe Flash Player 9.0.115.0
--
Advertising is legalized lying. - H.G. Wells
Pleasure in the job puts perfection in the work. - Aristotle



AB
Premium
join:2006-04-04
Leesburg, VA
kudos:3
Reviews:
·Verizon Online DSL

said by MarkAW:

. . I guess what i am trying to say is why are they now posting this warning when people were asked to update to 9.0.115.0 15 days ago.
I think it's unlikely that the vast majority update their Flash player within two or three weeks of a new version coming out, don't you?

Half the computers in this world that have Flash probably still have a 6.x or 7.x version on them.


MarkAW
Barry White
Premium
join:2001-08-27
Canada
kudos:16

Yeah, I guess you're right.
Thanks.



AB
Premium
join:2006-04-04
Leesburg, VA
kudos:3
Reviews:
·Verizon Online DSL

reply to noway1

said by noway1:

. . Anyone heard of any way to substitute something for the Adobe Flash crapware? (Sick of regular vulnerabilities requiring regular upgrades).
Microsoft Corp. now makes a competing crapware-- 'SilverLight' (or 'SilverNight', as Giorgio Maone, developer of the 'NoScript' extension for Firefox refers to it).
Whether or not it simply competes, or was designed as replacement crapware, I couldn't tell you off-hand.

redwolfe_98
Premium
join:2001-06-11
kudos:1

reply to NICK ADSL UK
thanks for posting the notice, nick, about the flash player security vulnerability.. i didn't install the new flash player, before, because there was no information saying that the update was needed and, also, i looked in the adobe forums and some people were having problems with the new update, so i passed on it.. however, when the update is necessary, in order to address security vulnerabilities, then i update..



mouse
Premium
join:2007-03-29
australia

reply to NICK ADSL UK
I did a security check via secunia and noticed that I had two versions of flashplayer installed. Adobe Flash and Macromedia Flash - these were listed individually with the recommendation to upgrade as per advice in this thread. I looked for detailed instructions on the adobe site but did not find anything. I then uninstalled via add/remove the only apparent version of the Adobe flashplayer and reinstalled the latest version 9.0.115.0.
Redoing the secunia scan, this is now shown as secure/correct version but I am still shown the additional version of Macromedia Flash Player 6.084.0. How can I get rid of this? I tried the uninstall mentioned somewhere earlier in this thread but this only took care of the new version?



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

Just delete the file referenced; it should give you the location it was found in.

Cudni
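The per-install version check that the advisory text and mouse's two-player scan result call for, as an added example that is not part of the original thread or Adobe's advisory. The install names, the sample version strings and the comma-separated `WIN 9,0,115,0` form are assumptions constructed for illustration; the thresholds are the ones quoted in the thread.

```python
import re

# Thresholds as quoted in this thread from Adobe's APSB07-20 text.
AFFECTED_MAX = {9: (9, 0, 48, 0), 8: (8, 0, 35, 0), 7: (7, 0, 70, 0)}
FIXED = (9, 0, 115, 0)


def parse_version(text):
    """Turn '9.0.115.0', '6.084.0' or 'WIN 9,0,115,0' into a 4-tuple of ints."""
    parts = re.findall(r"\d+", text)
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def classify(text):
    """Return 'fixed', 'affected' (inside Adobe's listed ranges) or 'review'."""
    v = parse_version(text)
    if v >= FIXED:
        return "fixed"
    ceiling = AFFECTED_MAX.get(v[0])
    # "7.0.70.0 and earlier" also covers every branch older than 7.
    if v[0] < 7 or (ceiling is not None and v <= ceiling):
        return "affected"
    # Below 9.0.115.0 but outside the listed ranges: could be a beta build or
    # the patched Flash Player 7, whose build number the thread does not give.
    return "review"


def audit(installs):
    """Map each install that is not 'fixed' to its status."""
    report = {}
    for name, text in installs.items():
        try:
            status = classify(text)
        except ValueError:
            status = "unparsed"
        if status != "fixed":
            report[name] = status
    return report


# Constructed inventory: one entry per player copy found on the machine.
SAMPLE = {
    "IE ActiveX control": "WIN 9,0,115,0",
    "Firefox plugin": "9.0.48.0",
    "Leftover Macromedia player": "6.084.0",  # version string from mouse's post
    "Flash 7 plugin": "7.0.71.0",             # constructed value
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

A copy reported as "review" needs a manual decision: the Secunia summary quoted earlier in the thread treats everything prior to 9.0.115.0 as vulnerable.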

