
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                        Adobe Flash Player Vulnerability
                      [Adobe Security Advisory: APSB07-20]

December 21, 2007 21:00 GMT                                       Number S-092
[REVISED 23 Jan 2008]
[REVISED 28 Apr 2008]
______________________________________________________________________________
PROBLEM:       Critical vulnerabilities have been identified in Adobe Flash 
               Player that could allow an attacker who successfully exploits 
               these potential vulnerabilities to take control of the affected 
               system. 
PLATFORM:      Adobe Flash Player 
                 9.0.48.0 and earlier 
				 8.0.35.0 and earlier 
                 7.0.70.0 and earlier 
DAMAGE:        Could lead to the potential execution of arbitrary code. 
SOLUTION:      UPgrade to the appropriate version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Could lead to the potential execution of 
ASSESSMENT:    arbitrary code. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-092.shtml 
 ORIGINAL BULLETIN:  http://www.adobe.com/support/security/bulletins/apsb07-20.html 
 ADDITIONAL LINKS:   http://www.securityfocus.com/bid/25260
                     http://www.securityfocus.com/bid/26930
					 http://www.securityfocus.com/bid/26949
					 http://www.securityfocus.com/bid/26951
					 http://www.securityfocus.com/bid/26960
					 http://www.securityfocus.com/bid/26965
					 http://www.securityfocus.com/bid/26966
					 http://www.securityfocus.com/bid/26969
					 http://www.adobe.com/support/security/bulletins/apsb08-01.html
					 http://www.adobe.com/support/security/bulletins/apsb08-02.html
					 http://www.adobe.com/support/security/bulletins/apsb08-11.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CVE-2007-4324 CVE-2007-4768 CVE-2007-5275 CVE-2007-5476 
                     CVE-2007-6242 CVE-2007-6243 CVE-2007-6244 CVE-2007-6245 
                     CVE-2007-6246 
______________________________________________________________________________
REVISION HISTORY:
01/23/2008 - revised S-092 to add links to: Security Focus 25260, 26930, 26949, 
             26951, 26960, 26965, 26966, 26969; and Adobe Security Advisories 
			 APSB08-01 and APSB08-02.
04/28/2008 - revised S-092 to add link to Adobe Security Advisory APSB08-11.



[***** Start Adobe Security Advisory: APSB07-20 *****]

Flash Player update available to address security vulnerabilities
Release date: December 18, 2007

Vulnerability identifier: APSB07-20

CVE number: CVE-2007-6242, CVE-2007- 4768, CVE-2007-5275, CVE-2007- 6243, 
CVE-2007- 6244, CVE-2007- 6245, CVE-2007-4324, CVE-2007- 6246, CVE-2007-5476

Platform: All platforms

Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 
8.0.35.0 and earlier, and 7.0.70.0 and earlier.

Summary
Critical vulnerabilities have been identified in Adobe Flash Player that 
could allow an attacker who successfully exploits these potential 
vulnerabilities to take control of the affected system. A malicious SWF 
must be loaded in Flash Player by the user for an attacker to exploit 
these potential vulnerabilities. Users are recommended to update to the 
most current version of Flash Player available for their platform.

Affected software versions
Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 
7.0.70.0 and earlier. 

To verify the Adobe Flash Player version number, access the About Flash 
Player page, or right-click on Flash content and select "About Adobe 
(or Macromedia) Flash Player" from the menu. If you use multiple browsers, 
perform the check for each browser you have installed on your system. 

Solution
Adobe recommends all users of Adobe Flash Player 9.0.48.0 and earlier 
versions upgrade to the newest version 9.0.115.0 (Win, Mac, Linux), by 
downloading it from the Player Download Center, or by using the 
auto-update mechanism within the product when prompted.

Adobe will be providing an update to Adobe Flash Player 9.0.47.0 for 
Solaris at a later date. Customers can download and install the Flash 
Player public beta, which addresses these vulnerabilities, from the 
Adobe Labs site in the meantime.

For customers who cannot upgrade to Adobe Flash Player 9, Adobe has 
developed a patched version of Flash Player 7. Please refer to the Flash 
Player update TechNote.

Severity rating
Adobe categorizes this as a critical update and recommends affected users 
upgrade to version 9.0.115.0 (Win, Mac, Linux).

Details
Multiple input validation errors have been identified in Flash Player 
9.0.48.0 and earlier versions that could lead to the potential execution 
of arbitrary code. These vulnerabilities could be accessed through content 
delivered from a remote location via the user’s web browser, email client, 
or other applications that include or reference the Flash Player. 
(CVE-2007- 4768, CVE-2007-6242)

This update introduces functionality to mitigate a potential issue could 
potentially aid an attacker in executing a DNS rebinding attack. For more 
information, see the following Adobe Developer Center article. 
(CVE-2007-5275)

This update introduces a new, stricter method for Flash Player to 
interpret cross-domain policy files. These changes could help prevent 
privilege escalation attacks against web servers hosting Flash content 
and cross-domain policy files. For more information, see the following 
Adobe Developer Center article. (CVE-2007- 6243)

This update restricts the unsupported asfunction: protocol to address 
potential cross-site scripting issues with some SWF files. This issue is 
specific to Flash Player 8 and Flash Player 9 and does not affect Flash 
Player 7. (CVE-2007-6244)

This update makes changes to the navigateToURL function to prevent 
potential Universal Cross-Site Scripting attacks. This issue is specific 
to the Flash Player ActiveX Control and the Internet Explorer Browser. 
(CVE-2007-6244)

This update resolves an issue that could allow remote attackers to modify 
HTTP headers of client requests and conduct HTTP Request Splitting attacks. 
(CVE-2007-6245)

This update introduces functionality to mitigate a potential port-scanning 
issue. For more information, see the following Knowledgebase Article. 
(CVE-2007-4324)

The Linux update for Flash Player addresses a memory permissions issue 
that could lead to privilege escalation. (CVE-2007-6246)

The Mac update for Flash Player addresses the issue with Flash Player 
originally reported by Opera and described in Security Advisory APSA07-05. 
(CVE-2007-5476)

Affected software  Recommended player update  Availability  
Flash Player 9.0.48.0 and earlier 9.0.115.0 Player Download Center 
Flash Player 9.0.48.0 and earlier - network distribution 9.0.115.0 Player 
  Licensing 
Flash CS3 Professional 9.0.115.0 Flash Player 9 Update for Flash CS3 
  Professional  
Flash Player 9.0.48.0 and earlier for Linux 9.0.115.0 Player Download 
  Center 
Flex 2.0 9.0.115.0 Flash Debug Player Updater 

Important Notice regarding Flash Player 7 Support
With this security bulletin, Adobe is retiring support of Adobe Flash 
Player 7 and will no longer provide security updates for Flash Player 7 
after this release. Adobe’s support policy for Adobe Flash Player is to 
support the current and previous major release. Flash Player 7 was 
previously updated with security fixes as a courtesy to customers on 
Microsoft Windows 95, Microsoft Windows /NT and Macintosh Classic 
operating systems, which were longer supported with the Flash Player 8 
release in September 2005, and to Linux and Solaris customers prior to 
the availability of Flash Player 9. Users who wish to continue to use 
Adobe Flash Player 7, can find archived installers in the Archived Flash 
Player Technote.

Acknowledgments
Adobe would like to thank Tavis Ormandy and Will Drewry of the Google 
Security Team  for reporting input validation errors and for working 
with us to help protect our mutual customers’ security. (CVE-2007- 4768) 

Adobe would like to thank Aaron Portnoy of TippingPoint DVLabs for 
reporting an input validation error and for working with us to help 
protect our mutual customers’ security. (CVE-2007-6242)

Adobe would like to thank Dan Boneh, Adam Barth, Andrew Bortz, Collin 
Jackson, and Weidong Shao of Stanford University for reporting the 
DNS rebinding issue and for working with us to help protect our 
customers’ security. (CVE-2007-5275)

Adobe would like to thank Toshiharu Sugiyama of UBsecure, Inc. and 
JPCERT/CC for reporting the cross-domain policy file issue and the 
HTTP header issue and for working with us to help protect our mutual 
customers’ security. (CVE-2007- 6243, CVE-2007- 6245)

Adobe would like to thank Rich Cannings of the Google Security Team 
for reporting the asfunction: issue and for working with us to help 
protect our mutual customers’ security. (CVE-2007- 6244)

Adobe would like to thank Collin Jackson and Adam Barth of Stanford 
University for reporting the navigateToURL issue and for working with 
us to help protect our customers’ security. (CVE-2007- 6244)

Adobe would like to thank Jesse Michael and Thomas Biege of SUSE for 
reporting the privilege escalation issues with the Linux version of 
Flash Player and for working with us to help protect our customers' 
security. (CVE-2007-6246)

Adobe would like to thank Opera for reporting the issue with the Mac 
version of Flash Player and for working with us to help protect our 
mutual customers' security. (CVE-2007-5476)



[***** End Adobe Security Advisory: APSB07-20 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Adobe for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-082: Linux-2.6 Vulnerabilities
S-083: Sitebar Vulnerabilities
S-084: Ruby-Gnome2 Vulnerability
S-085: e2fsprogs
S-086: qt-x11-free Vulnerabilities
S-087: centericq Vulnerability
S-088: HP Quick Launch Button (QLB) Running on Windows Vulnerability
S-089: Prolog Manager Vulnerability
S-090: Apple Security Update 2007-009
S-091: MySQL Security Update