Security bulletin

Flash Player update available to address security vulnerabilities

Release date: October 15, 2008

Vulnerability identifier: APSB08-18

CVE number: CVE-2007-6243, CVE-2008-3873, CVE-2007-4324, CVE-2008-4401, CVE-2008-4503

Platform: All Platforms

Summary

Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. Due to the possibility that these security enhancements and changes may impact existing content, customers are advised to review this Adobe Developer Center article to determine if their content will be impacted, and to begin implementing necessary changes immediately to help ensure a seamless transition.

This update addresses the issue previously reported in Security Advisory APSA08-08. The Flash Player 10.0.12.36 and Flash Player 9.0.151.0 updates also address the issues outlined in Security Bulletins APSB08-20 and APSB08-22.

Revisions

November 17, 2008 – Bulletin updated with information on the AIR 1.5 update and Security Bulletin APSB08-22
November 5, 2008 – Bulletin updated with information on the Flash Player 9.0.151.0 update
October 15, 2008 – Bulletin first created

Affected software versions

Adobe Flash Player 9.0.124.0 and earlier.

To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Solution

Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.151.0, which can be downloaded from the following link.

Severity rating

Adobe categorizes this as a critical update and recommends affected users upgrade to version 10.0.12.36.

Details

Due to the possibility that these security enhancements and changes may impact existing content, customers are advised to review this Adobe Developer Connection article to determine if their content will be impacted, and to begin implementing necessary changes immediately to help ensure a seamless transition.

The Flash Player 10.0.12.36 and Flash Player 9.0.151.0 updates also address the issues outlined in Security Bulletins APSB08-20 and APSB08-22.

This update addresses a potential ‘Clickjacking’ issue in Flash Player. Clickjacking is an issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. This update helps prevent a Clickjacking attack on a Flash Player user’s camera and microphone. (CVE-2008-4503)

This update includes further changes to enhance Flash Player’s interpretation of cross-domain policy files. These changes could help prevent privilege escalation attacks against web servers hosting Flash content and cross-domain policy files. For more information, see the following section of the “Adobe Flash Player 10 Security Changes” Adobe Developer Connection article. (CVE-2007-6243)

This update introduces functionality to further mitigate a potential port-scanning issue. For more information, see the following Adobe Developer Connection article. (CVE-2007-4324)

This update introduces changes to the Clipboard API that will prevent potential ‘Clipboard attacks’. For more information, see the following section of the “Adobe Flash Player 10 Security Changes” Adobe Developer Center article. (CVE-2008-3873)

This update introduces changes to the FileReference upload and download APIs to require user interaction. For more information, see the following section of the “Adobe Flash Player 10 Security Changes” Adobe Developer Connection article. (CVE-2008-4401)

Affected software                                         | Recommended player update | Availability
----------------------------------------------------------|---------------------------|------------------------------------------------------
Flash Player 9.0.124.0 and earlier                        | 10.0.12.36                | Player Download Center
Flash Player 9.0.124.0 and earlier - network distribution | 10.0.12.36                | Player Licensing
Flash Player 9.0.124.0 and earlier for Linux              | 10.0.12.36                | Player Download Center
AIR 1.1                                                   | AIR 1.5                   | AIR Download Center
Flash CS4 Professional                                    | 10.0.12.36                | Adobe Flash Player 10 Update for Flash CS4 Professional
Flex 3                                                    | 10.0.12.36                | Flash Debug Player Updater

Acknowledgments

Adobe would like to thank Robert Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security, Eduardo Vela, Matthew Mastracci of DotSpots, and Liu Die Yu of TopsecTianRongXin for reporting the Clickjacking vulnerability and for working with us to help protect our customers' security. (CVE-2008-4503)

Adobe would like to thank fukami of SektionEins for reporting the port-scanning issue. (CVE-2007-4324)