NICK ADSL UK
Premium,MVM
join:2004-02-22

Flash Player update available to address security vulnerabil

Flash Player update available to address security vulnerabilities
Release date: December 18, 2007

Vulnerability identifier: APSB07-20

CVE number: CVE-2007-6242, CVE-2007-4768, CVE-2007-5275, CVE-2007-6243, CVE-2007-6244, CVE-2007-6245, CVE-2007-4324, CVE-2007-6246, CVE-2007-5476

Platform: All platforms

Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.

Summary: Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update to the most current version of Flash Player available for their platform.

Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.

To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Solution: Adobe recommends all users of Adobe Flash Player 9.0.48.0 and earlier versions upgrade to the newest version 9.0.115.0 (Win, Mac, Linux), by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

Adobe will be providing an update to Adobe Flash Player 9.0.47.0 for Solaris at a later date. Customers can download and install the Flash Player public beta, which addresses these vulnerabilities, from the Adobe Labs site in the meantime.

For customers who cannot upgrade to Adobe Flash Player 9, Adobe has developed a patched version of Flash Player 7. Please refer to the Flash Player update TechNote.

Severity rating: Adobe categorizes this as a critical update and recommends affected users upgrade to version 9.0.115.0 (Win, Mac, Linux).

Details: Multiple input validation errors have been identified in Flash Player 9.0.48.0 and earlier versions that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user's web browser, email client, or other applications that include or reference the Flash Player. (CVE-2007-4768, CVE-2007-6242)

This update introduces functionality to mitigate a potential issue that could potentially aid an attacker in executing a DNS rebinding attack. For more information, see the following Adobe Developer Center article. (CVE-2007-5275)

This update introduces a new, stricter method for Flash Player to interpret cross-domain policy files. These changes could help prevent privilege escalation attacks against web servers hosting Flash content and cross-domain policy files. For more information, see the following Adobe Developer Center article. (CVE-2007-6243)

This update restricts the unsupported asfunction: protocol to address potential cross-site scripting issues with some SWF files. This issue is specific to Flash Player 8 and Flash Player 9 and does not affect Flash Player 7. (CVE-2007-6244)

This update makes changes to the navigateToURL function to prevent potential Universal Cross-Site Scripting attacks. This issue is specific to the Flash Player ActiveX Control and the Internet Explorer Browser. (CVE-2007-6244)

This update resolves an issue that could allow remote attackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks. (CVE-2007-6245)

This update introduces functionality to mitigate a potential port-scanning issue. For more information, see the following Knowledgebase Article. (CVE-2007-4324)

The Linux update for Flash Player addresses a memory permissions issue that could lead to privilege escalation. (CVE-2007-6246)

The Mac update for Flash Player addresses the issue with Flash Player originally reported by Opera and described in Security Advisory APSA07-05. (CVE-2007-5476)

»www.adobe.com/support/security/b···-20.html

download
»www.adobe.com/shockwave/download···aveFlash
--
Wilders Security Forum Admin
Microsoft MVP-Windows Security


NICK ADSL UK
Premium,MVM
join:2004-02-22


1 edit

Re: Flash Player update available to address security vulnerabil

With regard to the above update, please do make sure you are using the latest build. You can check that here. Also please note that this update was posted originally on the 3rd of December; as to what has been updated, that remains unclear at this time, as the build remains the same. Nonetheless, it is important to make sure you have this latest build.
»www.adobe.com/products/flash/about/

pangu

@anonymouse.org

The Linux update for Flash Player addresses a memory permissions issue that could lead to privilege escalation. (CVE-2007-6246)
»www.adobe.com/support/security/b···-20.html

Grail Knight
Who Dares Wins
Premium
join:2003-05-31
·Verizon Online DSL

Thanks.

The Flash Player Uninstaller is available from here:

»www.adobe.com/shockwave/download/alternates/

Users should also check their Flash Player Security settings after updating.

Flash Player Security Panel
--
"It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts." - Sherlock Holmes

MagMan
Life is simpler when you tell the truth.
Premium
join:2003-10-01
Westlake, OH
Thanks Guys got it.
SUMware
Premium
join:2002-05-21
Looks like this is the same version that was released on Dec. 3.

koma3504
Advocate
Premium
join:2004-06-22
North Richland Hills, TX
Thanks for the info.
tjack
Premium
join:2003-10-13
Buffalo, NY

If I'm reading the info posted by Nick correctly these are the only versions affected:

Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.

If you updated on Dec 3rd to the latest version you don't need to add this.

MarkAW
Barry White or lil bratt
Premium
join:2001-08-27
Canada
·Bell Sympatico
·Cogeco Cable

Re: Flash Player update available to address security vulnerabil

said by tjack:

If I'm reading the info posted by Nick correctly these are the only versions affected:

Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.

If you updated on Dec 3rd to the latest version you don't need to add this.
That's what I was thinking as well, because I have had this update since December 4th 2007. So what are they trying to say, that the 9.0.115.0 is vulnerable as well or what?
--
Advertising is legalized lying. - H.G. Wells
Pleasure in the job puts perfection in the work. - Aristotle

AB
Premium
join:2006-04-04
Leesburg, VA


1 edit

Re: Flash Player update available to address security vulnerabil

said by MarkAW:

. . are they trying to say that the 9.0.115.0 is vulnerable as well or what?
The Secunia info I posted 2 posts above yours is dated the 19th of December, 2007, fwiw.

*Edit- Also, quoted from Nick's Original Post:

"Severity rating: Adobe categorizes this as a critical update and recommends affected users upgrade to version 9.0.115.0 (Win, Mac, Linux)."

MarkAW
Barry White or lil bratt
Premium
join:2001-08-27
Canada
·Bell Sympatico
·Cogeco Cable


1 edit

Re: Flash Player update available to address security vulnerabil

AB, thanks. I saw your post and I was at the Secunia website earlier today using their scanner and wasn't warned about my Adobe Flash Player being outdated, plus I knew I had the latest version installed, like I said, since Dec 4th (15 days before this Adobe warning was posted). I guess what I am trying to say is why are they now posting this warning when people were asked to update to 9.0.115.0 15 days ago.
»[Update] Adobe Flash Player 9.0.115.0
--
Advertising is legalized lying. - H.G. Wells
Pleasure in the job puts perfection in the work. - Aristotle

AB
Premium
join:2006-04-04
Leesburg, VA

Re: Flash Player update available to address security vulnerabil

said by MarkAW:

. . I guess what i am trying to say is why are they now posting this warning when people were asked to update to 9.0.115.0 15 days ago.
I think it's unlikely that the vast majority update their Flash player within two or three weeks of a new version coming out, don't you?

Half the computers in this world that have Flash probably still have a 6.x or 7.x version on them.

MarkAW
Barry White or lil bratt
Premium
join:2001-08-27
Canada

Re: Flash Player update available to address security vulnerabil

Yeah, I guess you're right.
Thanks.

AB
Premium
join:2006-04-04
Leesburg, VA

»secunia.com/advisories/28161/

---------------------------
The vulnerabilities are reported in versions prior to 9.0.115.0.

Solution:
Update to version 9.0.115.0.
---------------------------

Sindows 7

join:2006-09-13
Hope, BC
Why don't they say all the darn versions are vulnerable?
Every version they ever had gets toasted, can't they get it right?
noway1

join:2004-11-29
Managed to get the Adobe Acrobat reader crapware off this computer by substituting PDF-XChange PDF Viewer. Anyone heard of any way to substitute something for the Adobe Flash crapware? (Sick of regular vulnerabilities requiring regular upgrades).

AB
Premium
join:2006-04-04
Leesburg, VA

Re: Flash Player update available to address security vulnerabil

said by noway1:

. . Anyone heard of any way to substitute something for the Adobe Flash crapware? (Sick of regular vulnerabilities requiring regular upgrades).
Microsoft Corp. now makes a competing crapware-- 'SilverLight' (or 'SilverNight', as Giorgio Maone, developer of the 'NoScript' extension for Firefox refers to it).
Whether or not it simply competes, or was designed as replacement crapware, I couldn't tell you off-hand.
redwolfe_98

join:2001-06-11
·RoadRunner Cable

thanks for posting the notice, nick, about the flash player security vulnerability.. i didn't install the new flash player, before, because there was no information saying that the update was needed and, also, i looked in the adobe forums and some people were having problems with the new update, so i passed on it.. however, when the update is necessary, in order to address security vulnerabilities, then i update..

mouse
Premium
join:2007-03-29
australia

I did a security check via secunia and noticed that I had two versions of flashplayer installed. Adobe Flash and Macromedia Flash - these were listed individually with the recommendation to upgrade as per advice in this thread. I looked for detailed instructions on the adobe site but did not find anything. I then uninstalled via add/remove the only apparent version of the Adobe flashplayer and reinstalled the latest version 9.0.115.0.
Redoing the secunia scan, this is now shown as secure/correct version but I am still shown the additional version of Macromedia Flash Player 6.084.0. How can I get rid of this? I tried the uninstall mentioned somewhere earlier in this thread but this only took care of the new version?

Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire

Re: Flash Player update available to address security vulnerabil

just delete the file referenced, it should give you the location it was found in.

Cudni

lordpuffer
I Was Very Drunk At The Time
Premium
join:2004-09-19
West Hollywood, CA

Re: Flash Player update available to address security vulnerabil

This may be a silly question, but how do I find the flash player to find out which version I have? I found it under add/remove programs, and all it says is "Adobe Flash Player 9 Active X." Thanks.

Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire

Re: Flash Player update available to address security vulnerabil

as referenced in 2nd post
»www.adobe.com/products/flash/about/

also visit secunia site in case you have old version still lurking

Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
MVP, Microsoft Windows Security 2006-2007

lordpuffer
I Was Very Drunk At The Time
Premium
join:2004-09-19
West Hollywood, CA

Re: Flash Player update available to address security vulnerabil

Thanks....Sorry.....Missed that.

Millenniumle

join:2007-11-11
Fredonia, NY


2 edits

Re: Flash Player update available to address security vulnerabil

For Windows IE ActiveX, go to: Windows>System32>Macromed>Flash. There you will find a file named Flash(x).ocx. Right click the file and select "Properties," then select the version tab.

A bit of a manual way to go about it, but.... when you're done checking the version you can send it to the recycle bin where Flash unfortunately belongs these days, annoying advertisement vehicle that it is and all.
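
The manual check described in the post above, as an added PowerShell example that is not part of the original thread: it lists every Flash ActiveX control in the Macromed\Flash folder and compares each file version with 9.0.115.0, the fixed version named in the advisory. The SysWOW64 folder and the comma-separated version format are assumptions, and the variable names are illustrative.

```powershell
# Added example: inventory Flash ActiveX controls (.ocx) and flag any build
# older than 9.0.115.0, the fixed version named in the advisory in this thread.
$fixed = [version]'9.0.115.0'

# System32\Macromed\Flash is the folder given in the post above.
# SysWOW64 is an assumption for 32-bit Flash on 64-bit Windows.
$dirs = @(
    (Join-Path $env:windir 'System32\Macromed\Flash'),
    (Join-Path $env:windir 'SysWOW64\Macromed\Flash')
) | Where-Object { Test-Path $_ }

$report = foreach ($dir in $dirs) {
    Get-ChildItem -Path $dir -Filter '*.ocx' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Same value the Properties > Version tab shows.
            $raw = $_.VersionInfo.FileVersion

            # Assumption: the version may be written with commas ("9,0,115,0"),
            # so normalise separators to dots before parsing.
            $normalised = ("$raw" -replace '[,\s]+', '.').Trim('.')
            $parsed = $null
            $ok = [version]::TryParse($normalised, [ref]$parsed)

            $status = if (-not $ok) {
                'version unreadable, check manually'
            } elseif ($parsed -lt $fixed) {
                'older than 9.0.115.0'
            } else {
                '9.0.115.0 or later'
            }

            [pscustomobject]@{
                File    = $_.FullName
                Version = $raw
                Status  = $status
            }
        }
}

if ($report) {
    $report | Format-Table -AutoSize
} else {
    'No Flash ActiveX control found in the checked folders.'
}
```

More than one row in the output means more than one control is installed, which is the situation described earlier in the thread. A patched Flash Player 7 build would also be reported as older than 9.0.115.0, because the thread does not give its version number.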

Bubba17
Less is More
Premium
join:2006-09-21


1 edit
Well, I see some methods have been mentioned for determining your Flash version.

As for being in Add or Remove Programs, if you click on your Flash entry, it'll display, "Click here for support information", which then displays the version info along with a link to "Adobe Systems Incorporated", if clicked.