Six Security Vulnerabilities Updated By Adobe In Flash Player 9
Adobe has released another Flash Player 9 update to cover at least six documented security vulnerabilities that could expose users to a wide range of hacker attacks.
The patch, rated “critical” by Adobe, affects Flash Player 9.0.124.0 on all platforms. The latest Flash Player vulnerabilities include:
CVE-2008-4818: This update includes a change to the way Flash Player interprets HTTP response headers to prevent a potential cross-site scripting attack.
CVE-2008-4819: This update introduces a change to mitigate a potential issue that could aid an attacker in executing a DNS rebinding attack.
CVE-2008-4823: This update introduces stricter interpretation of an ActionScript attribute to prevent a potential HTML injection issue.
CVE-2008-4822: This update prevents an issue with policy file interpretation that could potentially lead to bypass of a non-root domain policy.
CVE-2008-4821: This update prevents an issue with the Flash Player interpretation of jar: protocol on Mozilla browsers that could potentially lead to information disclosure.
CVE-2008-4820: This update prevents a potential Windows-only information disclosure issue in the Flash Player ActiveX control.
Users can use this page to determine which version of Flash Player is installed on a system.
Separately, Adobe released Security Bulletin APSB08-21 to resolve a potential privilege escalation issue that is particularly applicable to ColdFusion servers in a shared hosting environment:
A vulnerability in ColdFusion could allow a lower-privileged user to bypass sandbox security and access sensitive information, and could potentially lead to a privilege escalation attack. This issue is particularly applicable to ColdFusion servers in a shared hosting environment. This issue is not remotely exploitable.
Affected software versions are ColdFusion 8, ColdFusion 8.0.1 and ColdFusion MX 7.0.2.
Any version below Flash Player 9.0.151.0 will be vulnerable to these attack scenarios. Adobe is recommending that users upgrade immediately to Flash Player 10.
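For administrators checking a fleet against the 9.0.151.0 threshold above, the following added example (not from Adobe or the original post) normalises the version strings Flash Player reports in different places, namely the comma-separated `$version` string, the dotted form used in Adobe bulletins and the Mozilla plugin description, and flags installs that predate the fix. The host names and inventory are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Version in which the six CVEs above are fixed, per the advisory text.
FIXED_VERSION = (9, 0, 151, 0)

# Flash reports its version in several shapes depending on where it is read:
#   "WIN 9,0,124,0"            - the $version / GetVariable string (platform prefix, commas)
#   "9.0.124.0"                - dotted form as used in Adobe bulletins
#   "Shockwave Flash 9.0 r124" - browser plugin description (Mozilla about:plugins)
_PATTERNS = [
    re.compile(r"^(?:[A-Z]+\s+)?(\d+),(\d+),(\d+),(\d+)$"),
    re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$"),
    re.compile(r"^Shockwave Flash (\d+)\.(\d+) r(\d+)$"),
]


def parse_flash_version(text: str) -> Optional[Tuple[int, ...]]:
    """Normalise any of the known Flash version strings to a 4-tuple, or None."""
    text = text.strip()
    for pat in _PATTERNS:
        m = pat.match(text)
        if m:
            parts = [int(g) for g in m.groups()]
            while len(parts) < 4:  # the "r124" form carries only three components
                parts.append(0)
            return tuple(parts)
    return None


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the reported version predates the 9.0.151.0 fix; None if unparseable."""
    version = parse_flash_version(text)
    if version is None:
        return None
    # Tuple comparison is lexicographic, so 10.x correctly compares as newer than 9.0.151.0.
    return version < FIXED_VERSION


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose reported Flash version still needs the update."""
    return sorted(host for host, ver in inventory if is_vulnerable(ver))


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("ws-01", "WIN 9,0,124,0"),
    ("ws-02", "9.0.151.0"),
    ("ws-03", "Shockwave Flash 9.0 r115"),
    ("ws-04", "MAC 10,0,12,36"),
    ("ws-05", "unknown"),
]

if __name__ == "__main__":
    print("needs update:", triage(SAMPLE_INVENTORY))
```

Strings that match none of the three shapes are reported as `None` rather than silently treated as patched, so unparseable entries can be followed up by hand.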