Wednesday, October 15, 2008

Adobe Flash: Critical Update

Adobe issued the following update today. Among other critical issues, the update addresses the "clickjacking" issue. (See Adobe label for recent articles: http://securitygarden.blogspot.com/search/label/Adobe)

Flash Player update available to address security vulnerabilities
Release date: October 15, 2008
Vulnerability identifier: APSB08-18
CVE number: CVE-2007-6243, CVE-2008-3873, CVE-2007-4324, CVE-2008-4401, CVE-2008-4503
Platform: All Platforms

Affected versions: Adobe Flash Player 9.0.124.0 and earlier.
  • This update addresses a potential ‘Clickjacking’ issue in Flash Player. Clickjacking is an issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. This update helps prevent a Clickjacking attack on a Flash Player user’s camera and microphone. (CVE-2008-4503)
  • This update includes further changes to enhance Flash Player’s interpretation of cross-domain policy files. These changes could help prevent privilege escalation attacks against web servers hosting Flash content and cross-domain policy files. For more information, see the following section of the “Adobe Flash Player 10 Security Changes” Adobe Developer Connection article. (CVE-2007-6243)
  • This update introduces functionality to further mitigate a potential port-scanning issue. For more information, see the following Adobe Developer Connection article. (CVE-2007-4324)
  • This update introduces changes to the Clipboard API that will prevent potential ‘Clipboard attacks’. For more information, see the following section of the "Adobe Flash Player 10 Security Changes" Adobe Developer Center article. (CVE-2008-3873)
  • This update introduces changes to the FileReference upload and download APIs to require user interaction. For more information, see the following section of the “Adobe Flash Player 10 Security Changes” Adobe Developer Connection article. (CVE-2008-4401)
Complete details are in the Adobe bulletin "Flash Player update available to address security vulnerabilities".







Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

4 comments:

Anonymous said...

Thanks, Corrine.

You got to me even before my Secunia PSI warned me. Very impressive!

Go Bills!

-The Dean (AKA Brian)

Corrine said...

Here I thought I was slow! I saw the Flash update was posted some time after 9 AM (Eastern) but didn't have a chance to track down the Security Advisory until evening.

(This time of the year we're following college and, as always, cheering for Penn State.)

Anonymous said...

I'm a Penn State fan, too!

Let's hope Joe Pa goes out on top (if he decides to go).

Anonymous said...

Oh, that last Penn State comment was me, too, Corrine.

The Dean