GLSA-200903-23 : Adobe Flash Player: Multiple vulnerabilities

This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200903-23
(Adobe Flash Player: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in Adobe Flash Player:
The access scope of SystemsetClipboard() allows ActionScript
programs to execute the method without user interaction
(CVE-2008-3873).
The access scope of FileReference.browse() and
FileReference.download() allows ActionScript programs to execute the
methods without user interaction (CVE-2008-4401).
The Settings Manager controls can be disguised as normal graphical
elements. This so-called 'clickjacking' vulnerability was disclosed by
Robert Hansen of SecTheory, Jeremiah Grossman of WhiteHat Security,
Eduardo Vela, Matthew Mastracci of DotSpots, and Liu Die Yu of
TopsecTianRongXin (CVE-2008-4503).
Adan Barth (UC Berkely) and Collin Jackson (Stanford University)
discovered a flaw occurring when interpreting HTTP response headers
(CVE-2008-4818).
Nathan McFeters and Rob Carter of Ernst and Young's Advanced
Security Center are credited for finding an unspecified vulnerability
facilitating DNS rebinding attacks (CVE-2008-4819).
When used in a Mozilla browser, Adobe Flash Player does not
properly interpret jar: URLs, according to a report by Gregory
Fleischer of pseudo-flaw.net (CVE-2008-4821).
Alex 'kuza55' K. reported that Adobe Flash Player does not properly
interpret policy files (CVE-2008-4822).
The vendor credits Stefano Di Paola of Minded Security for
reporting that an ActionScript attribute is not interpreted properly
(CVE-2008-4823).
Riley Hassell and Josh Zelonis of iSEC Partners reported multiple
input validation errors (CVE-2008-4824).
The aforementioned researchers also reported that ActionScript 2
does not verify a member element's size when performing several known
and other unspecified actions, that DefineConstantPool accepts an
untrusted input value for a 'constant count' and that character
elements are not validated when retrieved from a data structure,
possibly resulting in a null-pointer dereference (CVE-2008-5361,
CVE-2008-5362, CVE-2008-5363).
The vendor reported an unspecified arbitrary code execution
vulnerability (CVE-2008-5499).
Liu Die Yu of TopsecTianRongXin reported an unspecified flaw in the
Settings Manager related to 'clickjacking' (CVE-2009-0114).
The vendor credits Roee Hay from IBM Rational Application Security
for reporting an input validation error when processing SWF files
(CVE-2009-0519).
Javier Vicente Vallejo reported via the iDefense VCP that Adobe
Flash does not remove object references properly, leading to a freed
memory dereference (CVE-2009-0520).
Josh Bressers of Red Hat and Tavis Ormandy of the Google Security
Team reported an untrusted search path vulnerability
(CVE-2009-0521).

Impact :

A remote attacker could entice a user to open a specially crafted SWF
file, possibly resulting in the execution of arbitrary code with the
privileges of the user or a Denial of Service (crash). Furthermore a
remote attacker could gain access to sensitive information, disclose
memory contents by enticing a user to open a specially crafted PDF file
inside a Flash application, modify the victim's clipboard or render it
temporarily unusable, persuade a user into uploading or downloading
files, bypass security restrictions with the assistance of the user to
gain access to camera and microphone, conduct Cross-Site Scripting and
HTTP Header Splitting attacks, bypass the 'non-root domain policy' of
Flash, and gain escalated privileges.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-200903-23.xml

Solution :

All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-plugins/adobe-flash-10.0.22.87'

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true