---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: Adobe Flash Player Multiple Vulnerabilities SECUNIA ADVISORY ID: SA26027 VERIFY ADVISORY: http://secunia.com/advisories/26027/ CRITICAL: Highly critical IMPACT: Exposure of sensitive information, System access WHERE: >From remote REVISION: 2.0 originally posted 2007-07-11 SOFTWARE: Macromedia Flash Player 8.x http://secunia.com/product/6153/ Macromedia Flash Player 7.x http://secunia.com/product/2634/ Adobe Flash Player 9.x http://secunia.com/product/11901/ Adobe Flash CS3 http://secunia.com/product/14231/ Macromedia Flash 8.x http://secunia.com/product/7024/ Adobe Flex 2.x http://secunia.com/product/14760/ DESCRIPTION: Some vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system. 1) An input validation error can be exploited to execute arbitrary code when a user e.g. visits a malicious website. The vulnerability affects versions 9.0.45.0 and prior. 2) An error within the interaction of Flash Player and certain browsers can be exploited to leak key presses to a Flash Player applet. The vulnerability affects versions 7.0.69.0 and prior on Linux and Solaris. It does not affect Flash Player 9. A bug has also been reported in the validation of the HTTP Referer in versions 8.0.34.0 and prior, which may aid in e.g. CSRF (Cross-Site Request Forgery) attacks. SOLUTION: Apply updates. Flash Player 9.0.45.0 and earlier (update to version 9.0.47.0): http://www.adobe.com/go/getflash Flash Player 9.0.45.0 and earlier - network distribution (update to version 9.0.47.0): http://www.adobe.com/licensing/distribution Flash CS3 Professional (update to version 9.0.47.0): http://www.adobe.com/support/flashplayer/downloads.html Flash Professional 8, Flash Basic (update to version 8.0.35.0): http://www.adobe.com/support/flashplayer/downloads.html Flex 2.0 (update to version 9.0.47.0): http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9 Flash Player version 7.0.70.0 for Linux and Solaris reportedly fixes vulnerability #2 for Opera and Konqueror browsers. PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Stefano DiPaola, Elia Florio, and Giorgio Fedon. 2) The vendor credits Mark Hills. CHANGELOG: 2007-07-11: Updated "Solution" section and added additional affected products. ORIGINAL ADVISORY: Adobe: http://www.adobe.com/support/security/bulletins/apsb07-12.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------