Security advisory

Potential vulnerability in Flash CS3 Professional, Flash Professional 8 and Flash Basic 8

Release date: March 19, 2008

Vulnerability identifier: APSA08-03

CVE number: CVE-2008-1201

Platform: Windows

Summary

Adobe is aware of a recently published security issue in Flash CS3 Professional, Flash Professional 8 and Flash Basic 8 that could potentially cause code execution. This issue does not affect any version of Flash Player. An attacker would need to convince a user to open a malicious FLA file to successfully exploit the issue.

Details

An attacker would need to convince a user to open a malicious FLA file to successfully exploit the issue. Adobe recommends that developers exercise caution when receiving unsolicited or suspicious FLA files. This issue does not affect the Mac versions of Flash Professional and Flash Basic.

FLA is the private file format of Flash Professional and Flash Basic. Flash Player and browsers cannot interpret FLA files, so remote exploitation is not possible, and this issue does not affect any version of Flash Player. It is uncommon to find FLA files on web sites other than well-known web sites that include downloadable FLA files as tutorials for Flash users. FLA files cannot be interpreted or viewed natively by operating systems such as Windows or Mac OS. Adobe will be fixing this issue in the next major release of Flash Professional.

Severity Rating

Adobe categorizes this as a critical issue and recommends that developers exercise caution when receiving unsolicited or suspicious FLA files.

Acknowledgments

Adobe would like to thank cocoruder of Fortinet Security Research Team for reporting this vulnerability and for working with us to help protect our customers' security.