Flash updates
AplusWebMaster
2008-03-28, 19:02
FYI...
- http://www.securityfocus.com/news/11511
2008-03-28 - "Warnings about the insecurity of online Flash multimedia created with all but the most recent authoring tools have largely fallen upon deaf ears... While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals... Using a specially-crafted Web address, an attacker could use a vulnerable Flash file on a major Web site to gain access to the user's account on that site, once the victim logs in. A bad Flash file on a banking site, for example, could put that bank's customers at risk, allowing an attacker the ability to access the victims' funds... until Web site developers rebuild their Flash multimedia with the latest authoring tools, the older files still present on their company's Web sites could be used by fraudsters to attack the site's users... Adobe estimates that 98 percent of Web users have the Adobe Flash Player installed. Flash is widely used to create the advertisements hosted on most Web sites. Because the advertisements are generally provided by third-party services, using the affiliate networks to send out malicious Flash advertisements has become a serious vector of attack..."
* http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html
"Adobe is planning to release a security update for Flash Player 9 in April 2008 to strengthen the security of Adobe Flash Player for our customers and end users... This security update will make the optional socket policy file changes introduced in Flash Player 9,0,115,0 mandatory..."
:fear::spider:
AplusWebMaster
2008-04-09, 04:57
FYI...
Flash Player version 9.0.124.0 released
- http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash
APSB08-11 Flash Player update available to address security vulnerabilities
- http://www.adobe.com/support/security/bulletins/apsb08-11.html
04/08/2008 - "Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. It is recommended users update to the most current version of Flash Player available for their operating system...
Affected software versions:
Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier...
Severity rating:
Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 9.0.124.0..."
Installation instructions:
- http://www.adobe.com/products/flashplayer/productinfo/instructions/
Test:
- http://www.adobe.com/products/flash/about/
- http://secunia.com/advisories/28083/
Release Date: 2008-04-09
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Flash Player 9.x ...
...The vulnerabilities are reported in versions prior to 9.0.124.0...
CVE reference:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5275
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6019
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6243
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6637
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1655 ...
:fear:
AplusWebMaster
2008-06-04, 15:51
FYI...
- http://blogs.zdnet.com/security/?p=1236
June 3, 2008 - "...Google Analytics has a nifty feature where it will give you information on your visitors' browser capabilities, including the version of Flash installed down to the revision level... the statistics confirmed the low percentage of up-to-date Flash players.
Date (2008)   % up-to-date
5/26          15.28
5/27          15.93
5/28          16.50
5/29          17.51
Remember, this is still 7 weeks after the update was released... After roughly 2 months, less than 20% of users had applied an update that addresses a critical remote code execution vulnerability... How does the average user know that they should update Flash and how to do so? By reading the trade press? Microsoft learned that you have to harass the user into patching their operating system and even then, it should be as automatic as possible. As Flash currently enjoys an essentially universal market share, now is the time to make significant security improvements without having to repeat the lessons that others have had to so painfully learn..."
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527
May 27, 2008
:fear::spider::fear:
AplusWebMaster
2008-10-08, 14:07
FYI...
- http://www.adobe.com/support/security/advisories/apsa08-08.html
Release date: October 7, 2008
Vulnerability identifier: APSA08-08
Platform: All Platforms
Affected Software: Adobe Flash Player 9.0.124.0 and earlier
...To prevent this potential issue, customers can change their Flash Player settings as follows:
1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
2. Select the "Always deny" button.
3. Select ‘Confirm’ in the resulting dialog.
4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and/or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html ...
---
- http://blogs.adobe.com/psirt/2008/10/clickjacking_security_advisory.html
October 7, 2008
- http://secunia.com/advisories/32163
Release Date: 2008-10-08
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4503
Last revised: 10/11/2008
//
AplusWebMaster
2008-10-15, 16:07
FYI...
Adobe Flash Player v10.0.12.36 released
- http://www.adobe.com/go/getflashplayer
October 15, 2008
Understanding the security changes in Flash Player 10
- http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes_print.html
Modified: 15 October 2008
Flash Player installation instructions
- http://www.adobe.com/products/flashplayer/productinfo/instructions/
...Installation instructions for Windows Internet Explorer... "may require administrative access to your PC..."
...Installation instructions for Windows non-Internet Explorer... "may require administrative access to your PC..."
Flash Player update available to address security vulnerabilities
- http://www.adobe.com/support/security/bulletins/apsb08-18.html
Release date: October 15, 2008 ...
CVE number: CVE-2007-6243, CVE-2008-3873, CVE-2007-4324, CVE-2008-4401, CVE-2008-4503
Platform: All Platforms
Summary: Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform...
Affected software versions: Adobe Flash Player 9.0.124.0 and earlier...
- http://www.us-cert.gov/current/archive/2008/10/16/archive.html#adobe_releases_security_bulletin_for
October 16, 2008
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4324
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6243
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3873
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4401
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4503
Test your current install: http://www.adobe.com/products/flash/about/
:fear::spider:
AplusWebMaster
2008-11-06, 14:00
FYI...
Flash Player multiple vulns - updates available
- http://www.adobe.com/support/security/bulletins/apsb08-20.html
Release date: November 5, 2008
Vulnerability identifier: APSB08-20
CVE number: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823 ...
Platform: All Platforms
Summary: Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. No action is required by customers who have already updated to Flash Player 10.0.12.36. The Flash Player 9.0.151.0 update addresses the issues previously reported in Security Bulletin APSB08-18 in addition to the issues outlined in this Security Bulletin.
Affected software versions: Adobe Flash Player 9.0.124.0 and earlier.
To verify the Adobe Flash Player version number, access the About Flash Player page* ...
* http://www.adobe.com/products/flash/about/
Solution: Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center**, or by using the auto-update mechanism within the product when prompted.
** http://www.adobe.com/go/getflashplayer
For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.151.0, which can be downloaded from the following link***.
*** http://www.adobe.com/go/kb406791
Severity rating: Adobe categorizes this as a critical update due to the issues previously outlined in Security Bulletin APSB08-18 and recommends affected users upgrade to version 10.0.12.36...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4818
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4819
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4820
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4821
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4822
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4823
:fear:
AplusWebMaster
2008-11-18, 13:07
FYI...
Additional disclosure of security vulnerabilities fixed in Flash Player 10.0.12.36 and Flash Player 9.0.151.0
- http://www.adobe.com/support/security/bulletins/apsb08-22.html
Release date: November 17, 2008
Vulnerability identifier: APSB08-22
CVE number: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4824
Platform: All Platforms
:fear:
AplusWebMaster
2008-12-18, 04:42
FYI...
Security update available for -Linux- Flash Player 10.0.12.36 and Linux Flash Player 9.0.151.0
- http://www.adobe.com/support/security/bulletins/apsb08-24.html
Release date: December 17, 2008
Vulnerability identifier: APSB08-24
CVE number: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5499
Platform: Linux ...
Adobe recommends all users of Flash Player for Linux 10.0.12.36 and Flash Player for Linux 9.0.151.0 and earlier versions upgrade to the newest version 10.0.15.3 by downloading it from the Player Download Center*, or by using the auto-update mechanism within the product when prompted.
* http://get.adobe.com/flashplayer
For users who cannot update to Flash Player for Linux 10.0.15.3, Adobe has developed a patched version, Flash Player for Linux 9.0.152.0**, which can be downloaded from the following link...
http://www.adobe.com/go/kb406791
Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 10.0.15.3...
SUSE update for flash-player
- http://secunia.com/advisories/33294/
Release Date: 2008-12-22
Critical: Highly critical
Impact: System access
Where: From remote...
Original Advisory: SUSE-SA:2008:059:
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00006.html
Red Hat update for flash-plugin
- http://secunia.com/advisories/33267/
Release Date: 2008-12-22
Critical: Highly critical
Impact: System access
Where: From remote...
Solution Status: Vendor Patch
Original Advisory:
https://rhn.redhat.com/errata/RHSA-2008-1047.html ...
:fear:
AplusWebMaster
2009-02-25, 14:22
FYI...
Flash Player v10.0.22.87 released
- http://www.adobe.com/support/security/bulletins/apsb09-01.html
Release date: February 24, 2009
Vulnerability identifier: APSB09-01
CVE number: CVE-2009-0519, CVE-2009-0520, CVE-2009-0522, CVE-2009-0114, CVE-2009-0521
Platform: All Platforms...
Adobe categorizes this as a critical update and recommends affected users upgrade to version 10.0.22.87*...
* http://www.adobe.com/go/getflash -or- http://get.adobe.com/flashplayer/otherversions/
For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.159.0, which can be downloaded from the following link**...
** http://www.adobe.com/go/kb406791
Version test for Adobe Flash Player
- http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507
:fear::fear:
AplusWebMaster
2009-07-23, 03:29
FYI...
- http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html
July 21, 2009 - "Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information."
> http://isc.sans.org/diary.html?storyid=6847
Last Updated: 2009-07-22 22:26:39 UTC ...(Version: 3) - "... the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well. And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 7/41 for the Trojan, according to VirusTotal*)...
UPDATE: At the moment there is a low number of malicious sites serving the exploit, but we confirmed that the links have been injected in legitimate web sites to create a drive-by attack, as expected. It appears that the attackers created two different shellcodes as well, one for Firefox users (still have to confirm this) and the other for Internet Explorer users (this one is -confirmed- to work)."
* http://preview.tinyurl.com/l3wg89
File 34d6452000e1a9e0308702d082c897008a0481b0.EXE received on 2009.07.22 16:49:07 (UTC)
Result: 7/41 (17.07%)
- http://www.us-cert.gov/current/#adobe_reader_acrobat_and_flash
- http://www.kb.cert.org/vuls/id/259425
2009-07-22
- http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx
June 12, 2009
> FixIt4Me - Enable DEP for Office
> FixIt4Me - Enable DEP for IE
- http://www.theregister.co.uk/2009/07/22/adobe_flash_attacks_go_wild/
22 July 2009
Update on Adobe Reader, Acrobat and Flash Player Issue
- http://blogs.adobe.com/psirt/2009/07/update_on_adobe_reader_acrobat.html
July 22, 2009 7:08 PM
:fear::fear:
AplusWebMaster
2009-07-23, 17:16
FYI...
- http://www.adobe.com/support/security/advisories/apsa09-03.html
July 22, 2009 - "... We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows and Macintosh by July 31, 2009..."
- http://securitylabs.websense.com/content/Alerts/3449.aspx
07.23.2009
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1862
Last revised: 07/24/2009
CVSS v2 Base Score: 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2580
Last revised: 07/24/2009
CVSS v2 Base Score: 9.3 (HIGH)
- http://www.securityfocus.com/bid/35759/info
Updated: Jul 23 2009
- http://bugs.adobe.com/jira/browse/FP-1265
Created: 12/31/08
- http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-072209-2512-99&tabid=2
Discovered: July 22, 2009 - "...The Trojan arrives in a specially crafted .pdf file that exploits a vulnerability in Adobe Flash Player. When executed the Trojan drops the following files on the compromised computer:
* %Temp%\SUCHOST.EXE (Trojan Horse)
* %Temp%\TEMP.EXE (A non-malicious file.)
Note: The SUCHOST.EXE file may open a back door that connects to the following domains:
* http ://aop1.homelinux .com
* http ://connectproxy.3322 .org
* http ://csport.2288 .org ..." [DO NOT VISIT]
:eek:
AplusWebMaster
2009-07-28, 23:21
FYI...
- http://www.adobe.com/support/security/advisories/apsa09-04.html
July 28, 2009 - "Adobe Flash Player 9.0.159.0 and 10.0.22.87, and earlier 9.x and 10.x versions installed on Windows operating systems for use with Internet Explorer leverage a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). This critical vulnerability could allow an attacker who successfully exploits the vulnerability to take control of the affected system.
Note that this vulnerability is exclusive to Internet Explorer on Windows. Installations of Flash Player for Firefox or other web browsers on Windows are -not- vulnerable. We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows by July 30, 2009.
Users should consider installing MS09-034*. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Flash Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035**..."
* http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
** http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
- http://secunia.com/advisories/35948/2/
Solution Status: Unpatched
Software: Adobe Flash Player 10.x, Adobe Flash Player 9.x ...
Changelog: 2009-07-29: Added information about control having been built using a vulnerable version of ATL.
:fear:
AplusWebMaster
2009-07-31, 02:23
FYI...
Flash Player v10.0.32.18 released
- http://get.adobe.com/flashplayer/
July 30, 2009 - Browser: Firefox, Safari, Opera
install_flash_player.exe
- http://get.adobe.com/flashplayer/otherversions/
July 30, 2009 - Internet Explorer
install_flash_player_ax.exe
Adobe Flash Player
- http://www.adobe.com/support/security/bulletins/apsb09-10.html
Release date: July 30, 2009
CVE number: CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870
"... Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. Adobe recommends users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2*... Adobe categorizes these as critical issues and recommends affected users patch their installations..."
* http://get.adobe.com/air/
Adobe AIR 1.5.2 Installer - Windows, English | 15.1 MB
___
- http://www.adobe.com/support/security/bulletins/apsb09-10.html
Revisions:
July 31, 2009 - Bulletin updated with Adobe Reader and Acrobat updates, and correct Adobe Flash Player 9 download link.
... http://www.adobe.com/support/flashplayer/downloads.html#fp9
___
- http://www.adobe.com/support/security/bulletins/apsb09-10.html
Last revised: August 3, 2009 - "... Adobe recommends all users of Adobe Flash Player... upgrade to the newest version 10.0.32.18..."
- http://secunia.com/advisories/35948/2/
Last Update: 2009-08-10
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe AIR 1.x, Adobe Flash Player 10.x, Adobe Flash Player 9.x ...
Solution: Update to Flash Player 9.0.246.0 or 10.0.32.18 and Adobe AIR version 1.5.2.
Flash Player version 10.0.32.18: http://www.adobe.com/go/getflashplayer ...
Adobe AIR version 1.5.2: http://get.adobe.com/air ...
- http://www.adobe.com/support/security/bulletins/apsb09-11.html
Release date: July 28, 2009 - "... Adobe recommends Shockwave Player users on Windows install Shockwave version 11.5.1.601, available here: http://get.adobe.com/shockwave/ ..."
- http://secunia.com/advisories/36049/2/
Release Date: 2009-07-29
Critical: Highly critical ...
Solution: Update to version 11.5.1.601.
http://get.adobe.com/shockwave/
Test both here: http://www.adobe.com/shockwave/welcome/
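A version check of the kind the per-branch "update to 9.0.246.0 or 10.0.32.18" advice above calls for, combined with the "% up-to-date" measurement the Google Analytics post earlier in the thread describes. This is an added example, not code from the thread or from Adobe; the patch levels are the ones quoted from APSB09-10 / Secunia 35948, and the visitor list is constructed.

```python
"""Classify Adobe Flash Player version strings against the per-branch
patch levels quoted from APSB09-10 / Secunia 35948 (9.0.246.0 for 9.x,
10.0.32.18 for 10.x), and compute an "up-to-date" percentage of the kind
the Google Analytics post earlier in the thread reports. Added example;
not code from the thread or from Adobe."""

from __future__ import annotations

import re
from collections import Counter

# Fixed builds per major branch, as quoted in the bulletin: an install is
# patched only if it is at or above the fixed build of its OWN branch.
FIXED_APSB09_10 = {9: (9, 0, 246, 0), 10: (10, 0, 32, 18)}

# Adobe writes versions both dotted (9.0.124.0) and comma-separated (9,0,115,0).
_VERSION_RE = re.compile(r"^\s*(\d+)[.,](\d+)[.,](\d+)[.,](\d+)\s*$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '10.0.32.18' or '10,0,32,18' into a comparable 4-tuple."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"not a Flash Player version string: {text!r}")
    a, b, c, d = (int(p) for p in m.groups())
    return (a, b, c, d)


def is_patched(version: str, fixed=FIXED_APSB09_10) -> bool:
    """True when the build meets its branch's fixed level.

    Branches older than any listed one (e.g. 8.x) never received this fix,
    so they count as unpatched; a branch newer than every listed one is
    assumed to postdate the fix."""
    v = parse_version(version)
    major = v[0]
    if major in fixed:
        return v >= fixed[major]
    return major > max(fixed)


def patch_rate(versions, fixed=FIXED_APSB09_10):
    """Return (percent patched, Counter) over the parseable versions."""
    counts: Counter[str] = Counter()
    for text in versions:
        try:
            counts["patched" if is_patched(text, fixed) else "unpatched"] += 1
        except ValueError:
            counts["unparseable"] += 1
    seen = counts["patched"] + counts["unpatched"]
    pct = 100.0 * counts["patched"] / seen if seen else 0.0
    return round(pct, 2), counts


# Constructed sample of reported versions, not real analytics data.
SAMPLE_VISITORS = [
    "10.0.32.18", "10.0.22.87", "9.0.246.0", "9.0.159.0",
    "9,0,124,0", "8.0.39.0", "10.0.12.36", "unknown",
]

if __name__ == "__main__":
    pct, counts = patch_rate(SAMPLE_VISITORS)
    print(f"{pct}% up to date; breakdown: {dict(counts)}")
```

Passing a different `fixed` mapping (for example 9.0.151.0 / 10.0.12.36 from APSB08-20) re-runs the same check against an earlier bulletin.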
AplusWebMaster
2009-09-03, 13:58
FYI...
Sun Solaris Adobe Flash Player Multiple vuln - update available
- http://secunia.com/advisories/36518/2/
Release Date: 2009-09-03
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
OS: Sun Solaris 10
Solution: Apply patches.
-- SPARC Platform --
Solaris 10: Apply patch 125332-07 or later.
OpenSolaris: Fixed in builds snv_121 and later.
-- x86 Platform --
Solaris 10: Apply patch 125333-07 or later.
OpenSolaris: Fixed in builds snv_121 and later.
Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1
"... issues can occur in Adobe Flash Player 9.0.159.0 and earlier 9.x versions and 10.0.22.87 and earlier 10.x versions..."
:fear: