Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > November 2008 > 3710 - Flash Player update available to address security vulnerabilities

November 2008

3710 - Flash Player update available to address security vulnerabilities

ID: 3710
Date: 07/11/2008
Title: 3710 - Flash Player update available to address security vulnerabilities
Platform level affected:Net Application - Client
Hardware components affected:Intel PC
Specific operating systems components affected: 32-bit Windows
Net-enabled software: Other
Security software:Other
Other software: Other
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:Adobe
Applications affected:Adobe Flash Player
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Active
Potential Damage: Remote execution/modification
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Patch
Source: Adobe
Reliability of source: Trusted
Source URL: http://www.adobe.com/support/security/bulletins/apsb08-20.html
CVE: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823
Abstract:

Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. No action is required by customers who have already updated to Flash Player 10.0.12.36. The Flash Player 9.0.151.0 update addresses the issues previously reported in Security Bulletin APSB08-18 in addition to the issues outlined in this Security Bulletin.


Flash Player update available to address security vulnerabilities

Release date: November 5, 2008

Vulnerability identifier: APSB08-20

CVE number: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823

Platform: All Platforms

Summary
Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. No action is required by customers who have already updated to Flash Player 10.0.12.36. The Flash Player 9.0.151.0 update addresses the issues previously reported in Security Bulletin APSB08-18 in addition to the issues outlined in this Security Bulletin.

Affected software versions
Adobe Flash Player 9.0.124.0 and earlier.

To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Solution
Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.151.0, which can be downloaded from the following link.

Severity rating
Adobe categorizes this as a critical update due to the issues previously outlined in Security Bulletin APSB08-18 and recommends affected users upgrade to version 10.0.12.36.

Details
In addition to the issues previously reported in Security Bulletin APSB08-18, the Flash Player 10.0.12.36 and Flash Player 9.0.151.0 updates address the issues outlined below.

This update includes a change to the way Flash Player interprets HTTP response headers to prevent a potential cross-site scripting attack. (CVE-2008-4818)

This update introduces a change to mitigate a potential issue that could aid an attacker in executing a DNS rebinding attack. (CVE-2008-4819)

This update introduces stricter interpretation of an ActionScipt attribute to prevent a potential HTML injection issue. (CVE-2008-4823)

This update prevents an issue with policy file interpretation that could potentially lead to bypass of a non-root domain policy. (CVE-2008-4822)

This update prevents an issue with the Flash Player interpretation of jar: protocol on Mozilla browsers that could potentially lead to information disclosure. (CVE-2008-4821)

This update prevents a potential Windows-only information disclosure issue in the Flash Player ActiveX control. (CVE-2008-4820)

 Affected software Recommended player update  Availability
 Flash Player 9.0.124.0 and earlier  10.0.12.36  Player Download Center
 Flash Player 9.0.124.0 and earlier - network distribution  10.0.12.36  Player Licensing
 Flash Player 9.0.124.0 and earlier for Linux  10.0.12.36  Player Download Center
 Flash CS4 Professional  10.0.12.36  Adobe Flash Player 10 Update for Flash CS4 Professional
 Flex 3  10.0.12.36  Flash Debug Player Updater
 
Acknowledgments
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers' security:

Adan Barth of UC Berkeley and Collin Jackson of Stanford University (CVE-2008-4818)
Nathan McFeters and Rob Carter of Ernst and Young's Advanced Security Center (CVE-2008-4819)
Stefano Di Paola of Minded Security (CVE-2008-4823)
Alex "kuza55" K. (CVE-2008-4822)
Gregory Fleischer of pseudo-flaw.net (CVE-2008-4821)
Manuel Caballero (CVE-2008-4820)

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

Fri, 07 Nov 2008 16:00:00 GMT
Domain affected: Technical
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |