Copyright © 2008 Adobe Systems Incorporated. All rights reserved.
Use of this website signifies your agreement to the Terms of Use and Online Privacy Policy (updated 07-08-2008).
Search powered by Google™
Release date: November 5, 2008
Vulnerability identifier: APSB08-20
CVE number: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823
Platform: All Platforms
Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. No action is required by customers who have already updated to Flash Player 10.0.12.36. The Flash Player 9.0.151.0 update addresses the issues previously reported in Security Bulletin APSB08-18 in addition to the issues outlined in this Security Bulletin.
Adobe Flash Player 9.0.124.0 and earlier.
To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.
For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.151.0, which can be downloaded from the following link.
Adobe categorizes this as a critical update due to the issues previously outlined in Security Bulletin APSB08-18 and recommends affected users upgrade to version 10.0.12.36.
In addition to the issues previously reported in Security Bulletin APSB08-18, the Flash Player 10.0.12.36 and Flash Player 9.0.151.0 updates address the issues outlined below.
This update includes a change to the way Flash Player interprets HTTP response headers to prevent a potential cross-site scripting attack. (CVE-2008-4818)
This update introduces a change to mitigate a potential issue that could aid an attacker in executing a DNS rebinding attack. (CVE-2008-4819)
This update introduces stricter interpretation of an ActionScipt attribute to prevent a potential HTML injection issue. (CVE-2008-4823)
This update prevents an issue with policy file interpretation that could potentially lead to bypass of a non-root domain policy. (CVE-2008-4822)
This update prevents an issue with the Flash Player interpretation of jar: protocol on Mozilla browsers that could potentially lead to information disclosure. (CVE-2008-4821)
This update prevents a potential Windows-only information disclosure issue in the Flash Player ActiveX control. (CVE-2008-4820)
Affected software |
Recommended player update |
Availability |
Flash Player 9.0.124.0 and earlier |
10.0.12.36 |
|
Flash Player 9.0.124.0 and earlier - network distribution |
10.0.12.36 |
|
Flash Player 9.0.124.0 and earlier for Linux |
10.0.12.36 |
|
Flash CS4 Professional |
10.0.12.36 |
|
Flex 3 |
10.0.12.36 |
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers' security:
Copyright © 2008 Adobe Systems Incorporated. All rights reserved.
Use of this website signifies your agreement to the Terms of Use and Online Privacy Policy (updated 07-08-2008).
Search powered by Google™