Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[security-alerts] FW: [SA28161] Adobe Flash Player Multiple Vulnerabilities
>
> TITLE:
> Adobe Flash Player Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA28161
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/28161/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> Unknown, Security Bypass, Cross Site Scripting, Manipulation of data,
> Exposure of sensitive information, Privilege escalation, DoS, System
> access
>
> WHERE:
> From remote
>
> SOFTWARE:
> Adobe Flash Player 9.x
> http://secunia.com/product/11901/
> Adobe Flash CS3
> http://secunia.com/product/14231/
> Adobe Flex 2.x
> http://secunia.com/product/14760/
> Macromedia Flash 8.x
> http://secunia.com/product/7024/
> Macromedia Flash Player 7.x
> http://secunia.com/product/2634/
> Macromedia Flash Player 8.x
> http://secunia.com/product/6153/
>
> DESCRIPTION:
> Some vulnerabilities have been reported in Adobe Flash Player, where
> one vulnerability has an unknown impact and others can be exploited
> by malicious, local users to gain escalated privileges and by
> malicious people to bypass certain security restrictions, conduct
> cross-site scripting and HTTP request splitting attacks, disclose
> sensitive information, cause a Denial of Service (DoS), or to
> potentially compromise a user's system.
>
> 1) An error when parsing specially crafted regular expressions can be
> exploited to cause a heap-based buffer overflow.
>
> For more information see vulnerability #7 in:
> SA27543
>
> 2) An unspecified error in the parsing of SWF files can potentially
> be exploited to execute arbitrary code.
>
> 3) An error exists when pinning a hostname to an IP address. This can
> be exploited to conduct DNS rebinding attacks via allow-access-from
> elements in cross-domain-policy XML documents.
>
> 4) An error exists in the enforcing of cross-domain policy files.
> This can be exploited to bypass certain security restrictions on web
> servers hosting cross-domain policy files.
>
> 5) Input passed to unspecified parameters when handling the
> "asfunction:" protocol is not properly sanitised before being
> returned to the user. This can be exploited to inject arbitrary HTML
> and script code in a user's browser session in context of an affected
> site.
>
> The vulnerability does not affect Flash Player 7.
>
> 6) Input passed to unspecified parameters when calling the
> "navigateToURL" function is not properly sanitised before being
> returned to the user. This can be exploited to inject arbitrary HTML
> and script code in a user's browser session in context of an affected
> site.
>
> The vulnerability only affects the Flash Player ActiveX Control for
> Internet Explorer.
>
> 7) An unspecified error can be exploited to modify HTTP headers and
> conduct HTTP request splitting attacks.
>
> 8) An error within the implementation of the Socket or XMLSocket
> ActionScript classes can be exploited to determine if a port on a
> remote host is opened or closed.
>
> 9) An error within the setting of memory permissions in Adobe Flash
> Player for Linux can be exploited by malicious, local users to gain
> escalated privileges.
>
> 10) An unspecified error exists in Adobe Flash Player and Opera on
> Mac OS X.
>
> For more information see vulnerability #3 in:
> SA27277
>
> The vulnerabilities are reported in versions prior to 9.0.115.0.
>
> SOLUTION:
> Update to version 9.0.115.0.
>
> Flash Player 9.0.48.0 and earlier for Windows, Mac, and Linux:
> http://www.stage.adobe.com/go/getflash
>
> Flash Player 9.0.48.0 and earlier - network distribution:
> http://www.stage.adobe.com/licensing/distribution
>
> Flash CS3 Professional:
> http://www.adobe.com/support/flash/downloads.html
>
> Flex 2.0:
> http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9
>
> NOTE: This is reportedly the final security bulletin that Adobe will
> supply for users of Adobe Flash Player 7 (formerly Macromedia Flash
> Player 7).
>
> PROVIDED AND/OR DISCOVERED BY:
> 1) The vendor credits Tavis Ormandy and Will Drewry of the Google
> Security Team.
> 2) The vendor credits Aaron Portnoy of TippingPoint DVLabs.
> 3) The vendor credits Dan Boneh, Adam Barth, Andrew Bortz, Collin
> Jackson, and Weidong Shao of Stanford University.
> 4, 7) The vendor credits Toshiharu Sugiyama of UBsecure, Inc. and
> JPCERT/CC.
> 5) The vendor credits Rich Cannings of the Google Security Team.
> 6) The vendor credits Collin Jackson and Adam Barth of Stanford
> University.
> 9) The vendor credits Jesse Michael and Thomas Biege of SUSE.
> 10) The vendor credits Opera.
>
> ORIGINAL ADVISORY:
> http://www.adobe.com/support/security/bulletins/apsb07-20.html
>
> OTHER REFERENCES:
> SA27543:
> http://secunia.com/advisories/27543/
>
> SA27277:
> http://secunia.com/advisories/27277/
>
> ----------------------------------------------------------------------
|
