             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                     Flash Player Vulnerability [APSB07-12]

July 12, 2007 15:00 GMT                                           Number R-300
______________________________________________________________________________
PROBLEM:        Critical vulnerabilities have been identified in Adobe Flash
                Player that could allow an attacker who successfully exploits
                these potential vulnerabilities to take control of the
                affected system.
PLATFORM:       Adobe Flash Player 9.0.45.0 and earlier
                                   8.0.34.0 and earlier
                                   7.0.69.0 and earlier
DAMAGE:         An attacker could take control of the affected system and
                potentially execute arbitrary code.
SOLUTION:       Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY   The risk is MEDIUM. Execution of arbitrary code.
ASSESSMENT:
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-300.shtml
 ORIGINAL BULLETIN:  http://www.adobe.com/support/security/bulletins/apsb07-12.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-3456
                     CVE-2007-3457
                     CVE-2007-2022
______________________________________________________________________________

[***** Start APSB07-12 *****]

Security bulletin

Flash Player update available to address security vulnerabilities

Release date: July 10, 2007

Vulnerability identifier: APSB07-12

CVE number: CVE-2007-3456, CVE-2007-3457, CVE-2007-2022

Platform: All platforms

Summary

Critical vulnerabilities have been identified in Adobe Flash Player that could
allow an attacker who successfully exploits these potential vulnerabilities to
take control of the affected system. A malicious SWF must be loaded in Flash
Player by the user for an attacker to exploit these potential vulnerabilities.
Users are recommended to update to the most current version of Flash Player
available for their platform.

Affected software versions

Adobe Flash Player 9.0.45.0 and earlier, 8.0.34.0 and earlier, and 7.0.69.0
and earlier.

To verify the Adobe Flash Player version number, access the About Flash Player
page, or right-click on Flash content and select "About Adobe (or Macromedia)
Flash Player" from the menu. If you use multiple browsers, perform the check
for each browser you have installed on your system.

Solution

Adobe recommends all users of Adobe Flash Player 9.0.45.0 and earlier versions
upgrade to the newest version 9.0.47.0 (Win, Mac, Solaris) or 9.0.48.0
(Linux), by downloading it from the Player Download Center, or by using the
auto-update mechanism within the product when prompted.

For customers who cannot upgrade to Adobe Flash Player 9, Adobe has developed
a patched version of Flash Player 7. Please refer to the Flash Player update
TechNote.

Severity rating

Adobe categorizes this as a critical issue and recommends affected users
upgrade to version 9.0.47.0 (Win, Mac, Solaris) or 9.0.48.0 (Linux).

Details

An input validation error has been identified in Flash Player 9.0.45.0 and
earlier versions that could lead to the potential execution of arbitrary code.
This vulnerability could be accessed through content delivered from a remote
location via the user's web browser, email client, or other applications that
include or reference the Flash Player. (CVE-2007-3456)

An issue with insufficient validation of the HTTP Referer has been identified
in Flash Player 8.0.34.0 and earlier. This issue does not affect Flash Player
9. This issue could potentially aid an attacker in executing a cross-site
request forgery attack. (CVE-2007-3457)

The Linux and Solaris updates for Flash Player 7 (7.0.70.0) address the issues
with Flash Player and the Opera and Konqueror browsers described in Security
Advisory APSA07-03. These issues do not impact Flash Player 9 on Linux or
Solaris.
(CVE-2007-2022)

Affected software                          Recommended     Availability
                                           player update
------------------------------------------ --------------- -----------------------------------
Flash Player 9.0.45.0 and earlier          9.0.47.0        Player Download Center
Flash Player 9.0.45.0 and earlier          9.0.47.0        Player Licensing
  (network distribution)
Flash Player 9.0.45.0 and earlier          9.0.48.0        Player Download Center
  for Linux
Flash CS3 Professional                     9.0.47.0        Flash Player 9 Update for
                                                           Flash CS3 Professional
Flash Professional 8, Flash Basic          8.0.35.0        Flash Player 8 Update for
                                                           Flash Professional 8, Flash Basic
Flex 2.0                                   9.0.47.0        Flash Debug Player Updater

Acknowledgments

Adobe would like to thank Stefano DiPaola, Elia Florio and Giorgio Fedon for
reporting the input validation error (CVE-2007-3456) and for working with us
to help protect our customers' security.

Adobe would like to thank Daiki Fukumori of Secure Sky Technology, Inc. for
reporting the HTTP Referer vulnerability (CVE-2007-3457) and for working with
us to help protect our customers' security.

Adobe would like to thank Mark Hills for reporting the issues with Flash
Player and the Opera and Konqueror browsers previously described in Security
Advisory APSA07-03 (CVE-2007-2022) and for working with Opera to help protect
our mutual customers' security.

Revisions

July 10, 2007 - Security bulletin first created.

[***** End APSB07-12 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Adobe for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-290: cman Security Update
R-291: Evolution Data Server Vulnerability
R-292: gfax
R-293: HP Instant Support - Driver Check Running on Windows XP
R-294: Vulnerability in Windows Active Directory (926122)
R-295: Vulnerabilities in .NET Framework (931212)
R-296: Vulnerability in Microsoft Internet Information Services (939373)
R-297: Vulnerabilities in Microsoft Excel (936542)
R-298: Vulnerability in Windows Vista Firewall (935807)
R-299: Vulnerability in Microsoft Office Publisher 2007 (936548)
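The bulletin's affected-version list and recommended updates lend themselves to an automated inventory check; the following is an added example, not code from CIAC or Adobe, that compares a reported Flash Player build numerically against the APSB07-12 thresholds and maps it to the update the bulletin names. The platform labels and the sample inventory are constructed for illustration.

```python
# Added example for this bulletin, not code from CIAC or Adobe: classify an
# installed Flash Player build against the version ranges APSB07-12 calls
# affected and map it to the update the bulletin prescribes. Thresholds and
# target builds are taken from the bulletin text; the inventory records and
# platform labels ("windows", "mac", "linux", "solaris") are constructed here.
from typing import List, Optional, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.45.0' into (9, 0, 45, 0) so comparison is numeric.
    Lexical string comparison gets this wrong: '9.0.45.0' < '9.0.5.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Flash Player version format: {text!r}")
    return parts

# Highest affected build per major release, from the bulletin's PLATFORM list.
AFFECTED_MAX = {9: (9, 0, 45, 0), 8: (8, 0, 34, 0), 7: (7, 0, 69, 0)}

def recommended_update(version: str, platform: str) -> Optional[str]:
    """Return the APSB07-12 target build for an affected install, or None when
    the install is already at or above the fixed build (or an unknown major)."""
    v = parse_version(version)
    platform = platform.lower()
    ceiling = AFFECTED_MAX.get(v[0])
    if ceiling is None or v > ceiling:
        return None
    if v[0] == 7 and platform in ("linux", "solaris"):
        # Patched Flash Player 7 build named in the bulletin (CVE-2007-2022).
        return "7.0.70.0"
    # Flash 8, and Flash 7 on other platforms: the bulletin directs users to
    # Flash Player 9, which is 9.0.48.0 on Linux and 9.0.47.0 elsewhere.
    return "9.0.48.0" if platform == "linux" else "9.0.47.0"

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Given (host, version, platform) records, return (host, version, target)
    for every host that still needs the update."""
    findings = []
    for host, version, platform in inventory:
        target = recommended_update(version, platform)
        if target is not None:
            findings.append((host, version, target))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("ws-01", "9.0.45.0", "windows"), ("ws-02", "9.0.47.0", "windows"),
              ("build-03", "7.0.69.0", "solaris"), ("lab-04", "8.0.34.0", "mac")]
    for host, version, target in triage(sample):
        print(f"{host}: Flash Player {version} -> update to {target}")
```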