
Security bulletin

Flash Player update available to address security vulnerabilities

Release date: October 15, 2008

Vulnerability identifier: APSB08-18

CVE number: CVE-2007-6243, CVE-2008-3873, CVE-2007-4324, CVE-2008-4401, CVE-2008-4503

Platform: All Platforms

Summary

Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. Due to the possibility that these security enhancements and changes may impact existing content, customers are advised to review this Adobe Developer Center article to determine if their content will be impacted, and to begin implementing necessary changes immediately to help ensure a seamless transition.

This update addresses the issue previously reported in Security Advisory APSA08-08.

Affected software versions

Adobe Flash Player 9.0.124.0 and earlier.

To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
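Added example, not part of Adobe's bulletin: a small Python checker that turns the version strings a browser actually shows into a verdict against this bulletin's boundaries (9.0.124.0 and earlier affected, 10.0.12.36 fixed) and lists every browser on a host that is not positively fixed. The string formats it accepts ("WIN 9,0,124,0" from the ActiveX control's About dialog, "Shockwave Flash 9.0 r124" from a Netscape-style plugin description, and the dotted form used in this bulletin) and the sample inventory are assumptions made for the example, not data from the bulletin.

```python
import re

# Version boundaries stated in APSB08-18.
LAST_AFFECTED = (9, 0, 124, 0)   # "9.0.124.0 and earlier" is affected
FIXED = (10, 0, 12, 36)          # the recommended update

# "9.0.124.0" (this bulletin) or "WIN 9,0,124,0" (About dialog / ActiveX $version).
_FULL_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")
# Netscape-style plugin description, e.g. "Shockwave Flash 9.0 r124": only three
# components, so the fourth (patch) number is not recoverable from it.
_PLUGIN_RE = re.compile(r"Shockwave Flash (\d+)\.(\d+) r(\d+)")


def parse_flash_version(text):
    """Return the version as a tuple of ints: 4 components when the string carries
    them, 3 when only a plugin description is available."""
    m = _FULL_RE.search(text)
    if m:
        return tuple(int(x) for x in m.groups())
    m = _PLUGIN_RE.search(text)
    if m:
        return tuple(int(x) for x in m.groups())
    raise ValueError("unrecognised Flash Player version string: %r" % text)


def status(text):
    """Classify one reported version against this bulletin.
    Comparison is truncated to the components the string provides, so a plugin
    description such as "10.0 r12" compares as 10.0.12 and is accepted as fixed;
    the About page is the authoritative source of the full four-part number."""
    v = parse_flash_version(text)
    n = len(v)
    if v <= LAST_AFFECTED[:n]:
        return "affected"
    if v >= FIXED[:n]:
        return "fixed"
    # e.g. a Flash Player 9 build newer than 9.0.124.0: the bulletin says nothing about it
    return "not covered by this bulletin"


def browsers_needing_update(report):
    """report maps browser name -> the version string that browser shows.
    A host is only clean when every installed browser is clean, so anything not
    positively 'fixed' is listed, including versions this bulletin does not cover."""
    return sorted(name for name, text in report.items() if status(text) != "fixed")


# Constructed sample, not real inventory data: one host with three browsers.
SAMPLE_REPORT = {
    "Internet Explorer (ActiveX)": "WIN 9,0,124,0",
    "Firefox (plugin)": "Shockwave Flash 10.0 r12",
    "Opera (plugin)": "Shockwave Flash 9.0 r115",
}

if __name__ == "__main__":
    for name, text in SAMPLE_REPORT.items():
        print("%-28s %-26s %s" % (name, text, status(text)))
    print("needs update:", browsers_needing_update(SAMPLE_REPORT))
```

The truncated comparison is deliberate: a plugin description hides the fourth component, so treating "10.0 r12" as fixed is only safe because 10.0.12.36 is the version this bulletin recommends; when the About page is available its full number should be used instead.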

Solution

Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted. Adobe will be providing an update to Flash Player 9 for customers who cannot upgrade to Flash Player 10 in early November. This Security Bulletin will be updated once the Flash Player 9 update is available.

Severity rating

Adobe categorizes this as a critical update and recommends affected users upgrade to version 10.0.12.36.

Details

This update addresses a potential ‘Clickjacking’ issue in Flash Player. Clickjacking is an issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. This update helps prevent a Clickjacking attack on a Flash Player user’s camera and microphone. (CVE-2008-4503)

This update includes further changes to enhance Flash Player’s interpretation of cross-domain policy files. These changes could help prevent privilege escalation attacks against web servers hosting Flash content and cross-domain policy files. For more information, see the following section of the “Adobe Flash Player 10 Security Changes” Adobe Developer Connection article. (CVE-2007-6243)
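Added example, not from Adobe or this bulletin: the specifics of how Flash Player 10 reinterprets policy files are in the linked Developer Connection article, not on this page, but the server-side exposure the paragraph names (a SWF from another origin using a permissive or attacker-supplied crossdomain.xml to make credentialed requests to the server hosting it) can be audited from the policy file alone. This Python script parses a crossdomain.xml and flags the settings a reviewer would object to. The two policy files are constructed samples, and the check list is the example's own, not Adobe's.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the bulletin): a wide-open master policy file.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
"""

# Constructed sample: the same host, scoped to what it actually needs.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="*.example.com" secure="true" />
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of human-readable findings for one crossdomain.xml; an empty
    list means none of the checks below fired."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A policy that is not well-formed XML is a finding in itself: it should not
        # be relied on, and it suggests the URL is not really a policy file at all.
        return ["not well-formed XML: %s" % exc]
    if root.tag != "cross-domain-policy":
        return ["root element is <%s>, not <cross-domain-policy>" % root.tag]

    findings = []
    site_control = root.find("site-control")
    mode = None
    if site_control is not None:
        mode = site_control.get("permitted-cross-domain-policies")
    if mode == "all":
        findings.append("site-control permits 'all': any policy file on the server is "
                        "honoured, including one an attacker manages to upload")
    elif mode is None:
        findings.append("no explicit <site-control>: add "
                        "permitted-cross-domain-policies=\"master-only\" so only "
                        "/crossdomain.xml is honoured")
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain=\"*\": any SWF anywhere may read "
                            "this host's responses using the visitor's cookies")
        if el.get("secure", "true").lower() == "false":
            findings.append("allow-access-from domain=%r secure=\"false\": SWFs loaded "
                            "over plain HTTP may use this HTTPS host's policy" % domain)
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers", "") == "*":
            findings.append("allow-http-request-headers-from domain=\"*\" headers=\"*\": "
                            "any SWF may send arbitrary request headers to this host")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_policy(policy) or ["no findings"])
```

The master-only check is the one that matters for the escalation the paragraph describes: without it, a server that hosts user-uploaded files can have a policy file planted in an upload directory and loaded by a hostile SWF, so restricting Flash Player to /crossdomain.xml closes that path regardless of what the uploaded file says.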

This update introduces functionality to further mitigate a potential port-scanning issue. For more information, see the following Adobe Developer Connection article. (CVE-2007-4324)

This update introduces changes to the Clipboard API that will prevent potential ‘Clipboard attacks’. For more information, see the following section of the "Adobe Flash Player 10 Security Changes" Adobe Developer Center article. (CVE-2008-3873)

This update introduces changes to the FileReference upload and download APIs to require user interaction. For more information, see the following section of the “Adobe Flash Player 10 Security Changes” Adobe Developer Connection article. (CVE-2008-4401)

All documented security vulnerabilities and their solutions are distributed through the Adobe security notification service. You can sign up for the service at the following URL: http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert

Users may also monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt

Affected software | Recommended player update | Availability
Flash Player 9.0.124.0 and earlier | 10.0.12.36 | Player Download Center
Flash Player 9.0.124.0 and earlier - network distribution | 10.0.12.36 | Player Licensing
Flash Player 9.0.124.0 and earlier for Linux | 10.0.12.36 | Player Download Center

Acknowledgments

Adobe would like to thank Robert Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security, Eduardo Vela, Matthew Mastracci of DotSpots, and Liu Die Yu of TopsecTianRongXin for reporting the Clickjacking vulnerability and for working with us to help protect our customers' security. (CVE-2008-4503)

Adobe would like to thank fukami of SektionEins for reporting the port-scanning issue. (CVE-2007-4324)
