				 __________________________________________________________
	
						   The U.S. Department of Energy
					   Computer Incident Advisory Capability
							   ___  __ __    _     ___
							  /       |     /_\   /
							  \___  __|__  /   \  \___
				 __________________________________________________________
	
								 INFORMATION BULLETIN
	
			  HTTP Header Injection Vulnerabilities in Adobe Flash Player
									  [APSB06-18]
	
	November 16, 2006 18:00 GMT                                       Number R-049
	[REVISED 10 Jan 2007]
	[REVISED 13 Mar 2007]
	[REVISED 31 May 2007]
	[REVISED 15 June 2007]
	______________________________________________________________________________
	PROBLEM:       These vulnerabilities would allow remote attackers to modify 
				   HTTP headers of client requests and conduct HTTP Request 
				   Splitting attacks. 
	PLATFORM:      Adobe Flash Player 9.x, 8.x, and 7.x 
				   Red Hat Desktop (v. 3, 4) 
				   Enterprise Linux AS, ES, WS (v. 2.1, v.3, v.4)
				   Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
				   Solaris 8, 9, 10 Operating Systems 
    			   Mozilla v1.7
	DAMAGE:        These vulnerabilities would allow remote attackers to modify 
				   HTTP headers of client requests and conduct HTTP Request 
				   Splitting attacks. The flexibility of the attack varies 
				   depending on the type of web browser being used. 
	SOLUTION:      Apply current patches. 
	______________________________________________________________________________
	VULNERABILITY  The risk is LOW. These vulnerabilities would allow remote 
	ASSESSMENT:    attackers to modify HTTP headers of client requests and conduct 
				   HTTP Request Splitting attacks. The flexibility of the attack 
				   varies depending on the type of web browser being used. 
	______________________________________________________________________________
	LINKS: 
	 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-049.shtml 
	 ORIGINAL BULLETIN:  http://www.adobe.com/support/security/bulletins/apsb06-18.html 
	 ADDITIONAL LINKS:   Red Hat Security Advisory RHSA-2007:0009-3
						 http://rhn.redhat.com/errata/RHSA-2007-0009.html
						 Red Hat Security Advisory RHSA-2007:0077-6
						 http://rhn.redhat.com/errata/RHSA-2007-0077.html
						 Sun Alert ID: 102932
						 http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102932-1
						 Sun Alert ID: 102955
     					 http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102955-1
	 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5330 
	______________________________________________________________________________
	REVISION HISTORY:
	01/10/2007 - added a link to Red Hat Security Advisory RHSA-2007:0009-3 for Red Hat 
				 Enterprise Linux Extras versions 3 and 4
	03/13/2007 - revised R-049 to add a link to Red Hat Security Advisory RHSA-2007:0077-6
				 for Red Hat Desktop (v. 3, 4), Enterprise Linux AS, ES, WS (v. 2.1, 
				 v.3, v.4), and Red Hat Linux Advanced Workstation 2.1 for the 
				 Itanium Processor.
	05/31/2007 - revised R-049 to add a link to Sun Alert ID: 102932 for Solaris
				 10 Operating System.
	06/15/2007 - revised R-049 to add a link to Sun Alert ID: 102955 for Solaris
                 8, 9, 10 Operating Systems and Mozilla v1.7.
	
	
	
	[***** Start APSB06-18 *****]
	
	Security bulletin
	Update available for HTTP Header Injection Vulnerabilities in Adobe Flash Player
	
	Release date: November 14, 2006
	
	Vulnerability identifier: APSB06-18
	
	CVE number: CVE-2006-5330
	
	Platform: All Platforms
	Summary
	
	Adobe has provided a Flash Player 9 update to resolve vulnerabilities in Flash Player. These vulnerabilities would allow remote attackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks.
	Affected software versions
	
	Adobe Flash Player 9.x, 8.x, and 7.x. The custom-header addition feature was added starting with Adobe Flash Player 7, thus Flash Player 6 and earlier are not affected.
	
	To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Macromedia Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
	Solution
	
	Adobe recommends all users of Adobe Flash Player 9.0.20.0 and earlier versions upgrade to the newest version 9.0.28.0, by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.
	
	For customers who cannot upgrade to Adobe Flash Player 9, Adobe is working on updates to previous versions that will resolve this issue. All documented security vulnerabilities and their solutions are distributed through the Adobe security notification service. You can sign up for the service by clicking here.
	Severity rating
	
	Adobe categorizes this as an important issue and recommends affected users upgrade to version 9.0.28.0.
	Details
	
	Adobe has provided an update to resolve vulnerabilities in Adobe Flash Player. These vulnerabilities would allow remote attackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks. The flexibility of the attack varies depending on the type of web browser being used.
	Adobe disclaimer
	License agreement
	
	By using software of Adobe Systems Incorporated or its subsidiaries ("Adobe"); you agree to the following terms and conditions. If you do not agree with such terms and conditions; do not use the software. The terms of an end user license agreement accompanying a particular software file upon installation or download of the software shall supersede the terms presented below.
	
	The export and re-export of Adobe software products are controlled by the United States Export Administration Regulations and such software may not be exported or re-exported to Cuba; Iran; Iraq; Libya; North Korea; Sudan; or Syria or any country to which the United States embargoes goods. In addition; Adobe software may not be distributed to persons on the Table of Denial Orders; the Entity List; or the List of Specially Designated Nationals.
	
	By downloading or using an Adobe software product you are certifying that you are not a national of Cuba; Iran; Iraq; Libya; North Korea; Sudan; or Syria or any country to which the United States embargoes goods and that you are not a person on the Table of Denial Orders; the Entity List; or the List of Specially Designated Nationals.
	
	If the software is designed for use with an application software product (the "Host Application") published by Adobe; Adobe grants you a non-exclusive license to use such software with the Host Application only; provided you possess a valid license from Adobe for the Host Application. Except as set forth below; such software is licensed to you subject to the terms and conditions of the End User License Agreement from Adobe governing your use of the Host Application.
	
	DISCLAIMER OF WARRANTIES: YOU AGREE THAT ADOBE HAS MADE NO EXPRESS WARRANTIES TO YOU REGARDING THE SOFTWARE AND THAT THE SOFTWARE IS BEING PROVIDED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. ADOBE DISCLAIMS ALL WARRANTIES WITH REGARD TO THE SOFTWARE; EXPRESS OR IMPLIED; INCLUDING; WITHOUT LIMITATION; ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE; MERCHANTABILITY; MERCHANTABLE QUALITY OR NONINFRINGEMENT OF THIRD PARTY RIGHTS. Some states or jurisdictions do not allow the exclusion of implied warranties; so the above limitations may not apply to you.
	
	LIMIT OF LIABILITY: IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY LOSS OF USE; INTERRUPTION OF BUSINESS; OR ANY DIRECT; INDIRECT; SPECIAL; INCIDENTAL; OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS) REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT; TORT (INCLUDING NEGLIGENCE); STRICT PRODUCT LIABILITY OR OTHERWISE; EVEN IF ADOBE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some states or jurisdictions do not allow the exclusion or limitation of incidental or consequential damages; so the above limitation or exclusion may not apply to you.
	
	[***** End APSB06-18 *****]
	_______________________________________________________________________________
	
	CIAC wishes to acknowledge the contributions of Adobe for the 
	information contained in this bulletin.
	_______________________________________________________________________________
	
	
	CIAC, the Computer Incident Advisory Capability, is the computer
	security incident response team for the U.S. Department of Energy
	(DOE) and the emergency backup response team for the National
	Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
	National Laboratory in Livermore, California. CIAC is also a founding
	member of FIRST, the Forum of Incident Response and Security Teams, a
	global organization established to foster cooperation and coordination
	among computer security teams worldwide.
	
	CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
	can be contacted at:
		Voice:    +1 925-422-8193 (7x24)
		FAX:      +1 925-423-8002
		STU-III:  +1 925-423-2604
		E-mail:   ciac@ciac.org
	
	Previous CIAC notices, anti-virus software, and other information are
	available from the CIAC Computer Security Archive.
	
	   World Wide Web:      http://www.ciac.org/
	   Anonymous FTP:       ftp.ciac.org
	
	PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
	communities receive CIAC bulletins.  If you are not part of these
	communities, please contact your agency's response team to report
	incidents. Your agency's team will coordinate with CIAC. The Forum of
	Incident Response and Security Teams (FIRST) is a world-wide
	organization. A list of FIRST member organizations and their
	constituencies can be obtained via WWW at http://www.first.org/.
	
	This document was prepared as an account of work sponsored by an
	agency of the United States Government. Neither the United States
	Government nor the University of California nor any of their
	employees, makes any warranty, express or implied, or assumes any
	legal liability or responsibility for the accuracy, completeness, or
	usefulness of any information, apparatus, product, or process
	disclosed, or represents that its use would not infringe privately
	owned rights. Reference herein to any specific commercial products,
	process, or service by trade name, trademark, manufacturer, or
	otherwise, does not necessarily constitute or imply its endorsement,
	recommendation or favoring by the United States Government or the
	University of California. The views and opinions of authors expressed
	herein do not necessarily state or reflect those of the United States
	Government or the University of California, and shall not be used for
	advertising or product endorsement purposes.
	
	LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
	
	R-039: Vulnerabilities in Client Service for NetWare
	R-040: Cumulative Security Update for Internet Explorer
	R-041: Vulnerability in Microsoft Agent
	R-042: Vulnerabilities in Macromedia Flash Player from Adobe
	R-043: Vulnerability in Workstation Service
	R-044: Vulnerability in Microsoft XML Core Services
	R-045: WinZip FileView ActiveX Control
	R-046: Elinks Security Update
	R-047: Citrix Advanced Access Control
	R-048: Citrix Access Gateway