Adobe Flash Player - Múltiplas Vulnerabilidades

Categoria: Alertas

quinta, 12 julho 2007 16:14

Sistemas Operativos Implicados:	Windows XP/NT/2K/Me/98/95
Aplicações Implicadas:	Indefinido

Foram reportadas múltiplas vulnerabilidades no Adobe Flash Player, que podem ser exploradas por actos maliciosos para obtenção de informação sensível ou comprometimento de um sistema afectado.

I. Descrição

Some vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to gain knowledge of sensitive information or compromise a user"s system.

1) An input validation error can be exploited to execute arbitrary code when a user e.g. visits a malicious website.

The vulnerability affects versions 9.0.45.0 and prior.

2) An error within the interaction of Flash Player and certain browsers can be exploited to leak key presses to a Flash Player applet.

The vulnerability affects versions 7.0.69.0 and prior on Linux and Solaris. It does not affect Flash Player 9.

A bug has also been reported in the validation of the HTTP Referer in versions 8.0.34.0 and prior, which may aid in e.g. CSRF (Cross-Site Request Forgery) attacks.

II. Solução

Apply updates.

Flash Player 9.0.45.0 and earlier (update to version 9.0.47.0):
http://www.adobe.com/go/getflash

Flash Player 9.0.45.0 and earlier - network distribution (update to version 9.0.47.0):
http://www.adobe.com/licensing/distribution

Flash CS3 Professional (update to version 9.0.47.0):
http://www.adobe.com/support/flashplayer/downloads.html

Flash Professional 8, Flash Basic (update to version 8.0.35.0):
http://www.adobe.com/support/flashplayer/downloads.html

Flex 2.0 (update to version 9.0.47.0):
http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9

Flash Player version 7.0.70.0 for Linux and Solaris reportedly fixes vulnerability #2 for Opera and Konqueror browsers..

III. Referências

Secunia
http://secunia.com/advisories/26027/