
CSIRTUK ADVISORY - 3530 - Adobe - Flash Player update available to address security vulnerabilities



________________________________________________________________________


CSIRTUK ADVISORY - 3530 dated 02.01.08 time 14:32

Centre for the Protection of National Infrastructure (CPNI)

________________________________________________________________________

 Further details about CPNI, including information about our products
 can be found at www.cpni.gov.uk

 Please note that CSIRTUK RSS Feeds are available from:
 http://www.cpni.gov.uk/rss/advisories.xml
________________________________________________________________________

Title
=====
3530 - Adobe Flash Player update available to address security
vulnerabilities

Detail
======
ID: 3530
Date: 02/01/2008

------------------------------------------------------------------------
Title: 3530 - Adobe Flash Player update available to address security
vulnerabilities
Platform level affected: Net Application - Client
Specific operating systems components affected: 32-bit Windows
Net-enabled software: Other
Other software: Other
Remediation Summary: Update your copy of the software with the download
available from the supplier.
Vendors affected: Adobe
Applications affected: Flash Player
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Imminent
Potential Damage: Remote execution/modification
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Patch
Source: Adobe
Reliability of source: Trusted
Source URL:
http://www.adobe.com/support/security/bulletins/apsb07-20.html
CVE: CVE-2007-6242, CVE-2007-4768, CVE-2007-5275, CVE-2007-6243,
CVE-2007-6244, CVE-2007-6245, CVE-2007-4324, CVE-2007-6246,
CVE-2007-5476
Abstract: Description of critical vulnerabilities that have been
identified in Adobe Flash Player.

Flash Player update available to address security vulnerabilities

Release date: December 18, 2007

Vulnerability identifier: APSB07-20

CVE number: CVE-2007-6242, CVE-2007-4768, CVE-2007-5275, CVE-2007-6243,
CVE-2007-6244, CVE-2007-6245, CVE-2007-4324, CVE-2007-6246,
CVE-2007-5476

Platform: All platforms

Affected software versions: Adobe Flash Player 9.0.48.0 and earlier,
8.0.35.0 and earlier, and 7.0.70.0 and earlier.

Summary
Critical vulnerabilities have been identified in Adobe Flash Player that
could allow an attacker who successfully exploits these potential
vulnerabilities to take control of the affected system. A malicious SWF
must be loaded in Flash Player by the user for an attacker to exploit
these potential vulnerabilities. Users are recommended to update to the
most current version of Flash Player available for their platform.

Further detail from
http://www.adobe.com/support/security/bulletins/apsb07-20.html

Affected software versions
Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and
7.0.70.0 and earlier. 

To verify the Adobe Flash Player version number, access the About Flash
Player page, or right-click on Flash content and select "About Adobe (or
Macromedia) Flash Player" from the menu. If you use multiple browsers,
perform the check for each browser you have installed on your system. 

Solution
Adobe recommends all users of Adobe Flash Player 9.0.48.0 and earlier
versions upgrade to the newest version 9.0.115.0 (Win, Mac, Linux), by
downloading it from the Player Download Center, or by using the
auto-update mechanism within the product when prompted.

Adobe will be providing an update to Adobe Flash Player 9.0.47.0 for
Solaris at a later date. Customers can download and install the Flash
Player public beta, which addresses these vulnerabilities, from the
Adobe Labs site in the meantime.

For customers who cannot upgrade to Adobe Flash Player 9, Adobe has
developed a patched version of Flash Player 7. Please refer to the Flash
Player update TechNote.

Severity rating
Adobe categorizes this as a critical update and recommends affected
users upgrade to version 9.0.115.0 (Win, Mac, Linux).
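
Added example (not part of the CPNI or Adobe text): a Python triage of
Flash Player version readings against the affected ranges and remedies
stated above. The hostnames, the sample readings and the comma-separated
"WIN 9,0,47,0" input form are assumptions made for illustration.

```python
import re

# Per the advisory, each branch is affected up to and including this build.
AFFECTED_MAX = {9: (9, 0, 48, 0), 8: (8, 0, 35, 0), 7: (7, 0, 70, 0)}
FIXED = "9.0.115.0"  # fixed release for Win, Mac, Linux per the advisory


def parse_version(text):
    """Parse '9.0.47.0' or 'WIN 9,0,47,0' (assumed form) into a 4-tuple."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)\s*$", text.strip())
    if not m:
        raise ValueError(f"unrecognised Flash Player version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True if the version falls in a range the advisory lists as affected."""
    major = version[0]
    if major in AFFECTED_MAX:
        return version <= AFFECTED_MAX[major]
    # Releases before 7.x are "earlier"; branches after 9.x are not listed.
    return major < min(AFFECTED_MAX)


def triage(host, platform, version_text):
    """Return (host, status, action) for one inventory record."""
    version = parse_version(version_text)
    if not is_affected(version):
        return (host, "not listed as affected", "none")
    if platform.lower() == "solaris":
        # The advisory promises a Solaris update later; the beta is interim.
        return (host, "affected", "install public beta from Adobe Labs")
    if version[0] == 7:
        return (host, "affected", f"upgrade to {FIXED} or use patched Flash Player 7")
    return (host, "affected", f"upgrade to {FIXED}")


# Constructed sample inventory: hostnames and readings are made up.
INVENTORY = [
    ("ws-01", "Windows", "9.0.48.0"),
    ("ws-02", "Windows", "WIN 9,0,115,0"),
    ("kiosk-07", "Linux", "7.0.70.0"),
    ("sun-03", "Solaris", "9.0.47.0"),
]

if __name__ == "__main__":
    for record in INVENTORY:
        print(*triage(*record), sep=" | ")
```

The advisory does not give the build number of the patched Flash Player 7,
so anything above 7.0.70.0 in that branch is reported only as "not listed
as affected" and should be confirmed against the Adobe TechNote.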

________________________________________________________________________


CSIRTUK wishes to acknowledge the contributions of Adobe for the
information contained in this advisory.
________________________________________________________________________

This advisory contains information released by the original author. Some
of the information may have changed since it was released. If the issue
affects you, it may be prudent to retrieve the advisory from the site of
the original source to ensure that you receive the most current
information concerning that problem.

Reference to any specific commercial product, process, or service by
trade name, trademark, manufacturer, or otherwise, does not constitute or
imply its endorsement, recommendation, or favouring by CPNI. The views
and opinions of authors expressed within this notice shall not be used
for advertising or product endorsement purposes.

CPNI shall not accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be liable
for any loss or damage whatsoever, arising from or in connection with the
usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
________________________________________________________________________

<End of CPNI Advisory>

