Cross-site scripting (XSS) vulnerability in Adobe Flash Player 9.0.124.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving HTTP response headers.

An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 3 and 4 Extras.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

[Updated 18th November 2008] This erratum has been updated to include a reference to the additional CVE-named issue that was not public at the time of release. The security impact of the erratum has also been upgraded to Critical. No changes have been made to the packages.

The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in.

A flaw was found in the way Adobe Flash Player wrote content to the clipboard. A malicious SWF (Shockwave Flash) file could populate the clipboard with a URL that could cause the user to accidentally or mistakenly load an attacker-controlled URL. (CVE-2008-3873)

A flaw was found with Adobe's ActionScript scripting language which allowed Flash scripts to initiate file uploads and downloads without user interaction. ActionScript's FileReference.browse and FileReference.download method calls can now only be initiated via user interaction, such as through mouse-clicks or key-presses on the keyboard. (CVE-2008-4401)

A flaw was found in Adobe Flash Player's display of Settings Manager content. A malicious SWF file could trick the user into unintentionally or mistakenly clicking a link or a dialog which could then give the malicious SWF file permission to access the local machine's camera or microphone. (CVE-2008-4503)

Flaws were found in the way Flash Player restricted the interpretation and usage of cross-domain policy files. A remote attacker could use Flash Player to conduct cross-domain and cross-site scripting attacks (CVE-2007-4324, CVE-2007-6243). This update provides enhanced fixes for these issues.

Flash Player contains a flaw in the way it interprets HTTP response headers. An attacker could use this flaw to conduct a cross-site scripting attack against the user running Flash Player.
(CVE-2008-4818)

A flaw was found in the way Flash Player handles the ActionScript attribute. A malicious site could use this flaw to inject arbitrary HTML content, confusing the user running the browser. (CVE-2008-4823)

A flaw was found in the way Flash Player interprets policy files. It was possible to bypass a non-root domain policy, possibly allowing a malicious site to access data in a different domain. (CVE-2008-4822)

A flaw was found in how Flash Player's jar: protocol handler interacts with Mozilla. A malicious flash application could use this flaw to disclose sensitive information. (CVE-2008-4821)

Updated Flash Player also extends mechanisms to help prevent an attacker from executing a DNS rebinding attack. (CVE-2008-4819)

All users of Adobe Flash Player should upgrade to this updated package, which contains Flash Player version 9.0.151.0.

An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

[Updated 18th November 2008] The erratum has been updated to include references to the additional CVE-named issues that were not public at the time of release. The security impact of the erratum has also been upgraded to Critical. No changes have been made to the packages.

The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in.

A flaw was found in the way Adobe Flash Player wrote content to the clipboard. A malicious SWF file could populate the clipboard with a URL that could cause the user to mistakenly load an attacker-controlled URL. (CVE-2008-3873)

A flaw was found which allowed Adobe Flash Player's ActionScript to initiate file uploads and downloads without user interaction.
FileReference.browse and FileReference.download calls can now only be initiated via user interaction, such as mouse-clicks or key-presses on the keyboard. (CVE-2008-4401)

A flaw was found in Adobe Flash Player's display of the Settings Manager content. A malicious SWF file could trick the user into unknowingly clicking a link or dialog. This could then give the malicious SWF file permission to access the local machine's camera or microphone. (CVE-2008-4503)

Flaws were found in the way Flash Player restricted the interpretation and usage of cross-domain policy files. A remote attacker could use Flash Player to conduct cross-domain and cross-site scripting attacks (CVE-2007-4324, CVE-2007-6243). This update provides enhanced fixes for these issues.

Adobe Flash Player 10 also includes bug fixes and feature enhancements including :

* improved stability on the Linux platform by fixing a race condition issue in sound output.

* new support for custom filters and effects, native 3D transformation and animation, advanced audio processing, a new, more flexible text engine, and GPU hardware acceleration.

For more information on new features and enhancements, see the Adobe Flash Player site and the Adobe Labs Release Notes.

Note: some users may have installed a 3rd-party component, libflashsupport, for older versions of Flash Player. Adobe Flash Player 10 no longer supports libflashsupport. Users are advised to remove libflashsupport if they have it installed.

All users of Adobe Flash Player should upgrade to this updated package, which contains Flash Player version 10.0.12.36.

The remote host is affected by the vulnerability described in GLSA-200903-23 (Adobe Flash Player: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Adobe Flash Player:
    The access scope of SystemsetClipboard() allows ActionScript     programs to execute the method without user interaction     (CVE-2008-3873).
    The access scope of FileReference.browse() and     FileReference.download() allows ActionScript programs to execute the     methods without user interaction (CVE-2008-4401).
    The Settings Manager controls can be disguised as normal graphical     elements. This so-called 'clickjacking' vulnerability was disclosed by     Robert Hansen of SecTheory, Jeremiah Grossman of WhiteHat Security,     Eduardo Vela, Matthew Mastracci of DotSpots, and Liu Die Yu of     TopsecTianRongXin (CVE-2008-4503).
    Adan Barth (UC Berkely) and Collin Jackson (Stanford University)     discovered a flaw occurring when interpreting HTTP response headers     (CVE-2008-4818).
    Nathan McFeters and Rob Carter of Ernst and Young's Advanced     Security Center are credited for finding an unspecified vulnerability     facilitating DNS rebinding attacks (CVE-2008-4819).
    When used in a Mozilla browser, Adobe Flash Player does not     properly interpret jar: URLs, according to a report by Gregory     Fleischer of pseudo-flaw.net (CVE-2008-4821).
    Alex 'kuza55' K. reported that Adobe Flash Player does not properly     interpret policy files (CVE-2008-4822).
    The vendor credits Stefano Di Paola of Minded Security for     reporting that an ActionScript attribute is not interpreted properly     (CVE-2008-4823).
    Riley Hassell and Josh Zelonis of iSEC Partners reported multiple     input validation errors (CVE-2008-4824).
    The aforementioned researchers also reported that ActionScript 2     does not verify a member element's size when performing several known     and other unspecified actions, that DefineConstantPool accepts an     untrusted input value for a 'constant count' and that character     elements are not validated when retrieved from a data structure,     possibly resulting in a NULL pointer dereference (CVE-2008-5361,     CVE-2008-5362, CVE-2008-5363).
    The vendor reported an unspecified arbitrary code execution     vulnerability (CVE-2008-5499).
    Liu Die Yu of TopsecTianRongXin reported an unspecified flaw in the     Settings Manager related to 'clickjacking' (CVE-2009-0114).
    The vendor credits Roee Hay from IBM Rational Application Security     for reporting an input validation error when processing SWF files     (CVE-2009-0519).
    Javier Vicente Vallejo reported via the iDefense VCP that Adobe     Flash does not remove object references properly, leading to a freed     memory dereference (CVE-2009-0520).
    Josh Bressers of Red Hat and Tavis Ormandy of the Google Security     Team reported an untrusted search path vulnerability     (CVE-2009-0521).
  Impact :

    A remote attacker could entice a user to open a specially crafted SWF     file, possibly resulting in the execution of arbitrary code with the     privileges of the user or a Denial of Service (crash). Furthermore a     remote attacker could gain access to sensitive information, disclose     memory contents by enticing a user to open a specially crafted PDF file     inside a Flash application, modify the victim's clipboard or render it     temporarily unusable, persuade a user into uploading or downloading     files, bypass security restrictions with the assistance of the user to     gain access to camera and microphone, conduct Cross-Site Scripting and     HTTP Header Splitting attacks, bypass the 'non-root domain policy' of     Flash, and gain escalated privileges.
  Workaround :

    There is no known workaround at this time.

The remote host is running a version of Mac OS X 10.5 that is older than version 10.5.6.  Mac OS X 10.5.6 contains security fixes for the following products : 

  - ATS
  - BOM
  - CoreGraphics
  - CoreServices
  - CoreTypes
  - Flash Player Plug-in
  - Kernel
  - Libsystem
  - Managed Client
  - network_cmds
  - Podcast Producer
  - UDF

The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.6. 

Mac OS X 10.5.6 contains security fixes for the following products :

  - ATS
  - BOM
  - CoreGraphics
  - CoreServices
  - CoreTypes
  - Flash Player Plug-in
  - Kernel
  - Libsystem
  - Managed Client
  - network_cmds
  - Podcast Producer
  - UDF

The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2008-008 applied. 

This security update contains fixes for the following products :

  - BOM
  - CoreGraphics
  - CoreServices
  - Flash Player Plug-in
  - Libsystem
  - network_cmds
  - UDF

According to its version number, an instance of Adobe AIR on the remote Windows host is 1.5 or earlier.  Such versions are potentially affected by several vulnerabilities : 

  - A potential port-scanning issue. (CVE-2007-4324)

  - Possible privilege escalation attacks against web servers hosting Flash content and cross-domain policy files.  (CVE-2007-6243)

  - Potential Clipboard attacks. (CVE-2008-3873)

  - FileReference upload and download APIs that don't require user interaction. (CVE-2008-4401)

  - A potential cross-site scripting vulnerability. (CVE-2008-4818)

  - A potential issue that could be leveraged to conduct a DNS rebinding attack. (CVE-2008-4819)

  - An information disclosure issue affecting only the ActiveX control. (CVE-2008-4820)

  - An information disclosure issue involving interpretation of the 'jar: ' protocol and affecting only the plugin for Mozilla browsers. (CVE-2008-4821)

  - An issue with policy file interpretation could potentially lead to bypass of a non-root domain policy. (CVE-2008-4822)

  - A potential HTML injection issue involving an ActionScript attribute. (CVE-2008-4823)

  - Multiple input validation errors could potentially lead to execution of arbitrary code. (CVE-2008-4824)

  - An Adobe AIR application that loads data from an untrusted source could allow an attacker to execute untrusted JavaScript with elevated privileges. (CVE-2008-5108)

According to its version number, an instance of Adobe AIR on the remote Windows host is 1.1 or earlier.  Such versions are potentially affected by several vulnerabilities (APSB08-23 / APSB08-22 / APSB08-20 / APSB08-18):

  - A potential port-scanning issue. (CVE-2007-4324)

  - Possible privilege escalation attacks against web     servers hosting Flash content and cross-domain policy     files.  (CVE-2007-6243)

  - Potential Clipboard attacks. (CVE-2008-3873)

  - FileReference upload and download APIs that don't     require user interaction. (CVE-2008-4401)

  - A potential cross-site scripting vulnerability.     (CVE-2008-4818)

  - A potential issue that could be leveraged to conduct     a DNS rebinding attack. (CVE-2008-4819)

  - An information disclosure issue affecting only the     ActiveX control. (CVE-2008-4820)

  - An information disclosure issue involving interpretation     of the 'jar:' protocol and affecting only the plugin for     Mozilla browsers. (CVE-2008-4821)

  - An issue with policy file interpretation could     potentially lead to bypass of a non-root domain policy.     (CVE-2008-4822)

  - A potential HTML injection issue involving an     ActionScript attribute. (CVE-2008-4823)

  - Multiple input validation errors could potentially lead     to execution of arbitrary code. (CVE-2008-4824)

  - An Adobe AIR application that loads data from an     untrusted source could allow an attacker to execute     untrusted JavaScript with elevated privileges.     (CVE-2008-5108)

According to its version number, an instance of Flash Player on the remote Windows host is 9.0.124.0 or earlier.  Such versions are potentially affected by several vulnerabilities : 

  - A potential port-scanning issue. (CVE-2007-4324)
  - Possible privilege escalation attacks against web servers hosting Flash content and cross-domain policy files. (CVE-2007-6243)
  - Potential Clipboard attacks. (CVE-2008-3873)
  - FileReference upload and download APIs that don't require user interaction. (CVE-2008-4401)
  - A 'Clickjacking' issue that could be abused by an attacker to lure a web browser user into unknowingly clicking on a link or dialog. (CVE-2008-4503)
  - A potential cross-site scripting vulnerability. (CVE-2008-4818)
  - A potential issue that could be leveraged to conduct a DNS rebinding attack. (CVE-2008-4819)
  - An information disclosure issue affecting only the ActiveX control. (CVE-2008-4820)
  - An information disclosure issue involving interpretation of the 'jar: ' protocol and affecting only the plugin for Mozilla browsers. (CVE-2008-4821)
  - An issue with policy file interpretation could potentially lead to bypass of a non-root domain policy. (CVE-2008-4822)
  - A potential HTML injection issue involving an ActionScript attribute. (CVE-2008-4823)

According to its version number, an instance of Flash Player on the remote Windows host is 9.0.124.0 or earlier.  Such versions are potentially affected by several vulnerabilities :

  - A potential port-scanning issue. (CVE-2007-4324)

  - Possible privilege escalation attacks against web     servers hosting Flash content and cross-domain policy     files.  (CVE-2007-6243)

  - Potential Clipboard attacks. (CVE-2008-3873)

  - FileReference upload and download APIs that don't     require user interaction. (CVE-2008-4401)

  - A 'Clickjacking' issue that could be abused by an     attacker to lure a web browser user into unknowingly     clicking on a link or dialog. (CVE-2008-4503)

  - A potential cross-site scripting vulnerability.     (CVE-2008-4818)

  - A potential issue that could be leveraged in to conduct     a DNS rebinding attack. (CVE-2008-4819)

  - An information disclosure issue affecting only the     ActiveX control. (CVE-2008-4820)

  - An information disclosure issue involving interpretation     of the 'jar:' protocol and affecting only the plugin for     Mozilla browsers. (CVE-2008-4821)

  - An issue with policy file interpretation could     potentially lead to bypass of a non-root domain policy.     (CVE-2008-4822)

  - A potential HTML injection issue involving an     ActionScript attribute. (CVE-2008-4823)

  - Multiple input validation errors could potentially lead     to execution of arbitrary code. (CVE-2008-4824)

ID	Name	Product	Family	Severity
63870	RHEL 3 / 4 : flash-plugin (RHSA-2008:0980)	Nessus	Red Hat Local Security Checks	critical
63869	RHEL 5 : flash-plugin (RHSA-2008:0945)	Nessus	Red Hat Local Security Checks	critical
35904	GLSA-200903-23 : Adobe Flash Player: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
4790	Mac OS X < 10.5.6 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
4789	Mac OS X < 10.5.6 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
35111	Mac OS X 10.5.x < 10.5.6 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
35110	Mac OS X Multiple Vulnerabilities (Security Update 2008-008)	Nessus	MacOS X Local Security Checks	critical
4760	Adobe AIR APSB08-23 / APSB08-22 / APSB08-20 / APSB08-18 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
34815	Adobe AIR < 1.5 Multiple Vulnerabilities (APSB08-23)	Nessus	Windows	high
4746	Flash Player APSB08-18 / APSB08-20 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
34741	Flash Player < 9.0.151.0 / 10.0.12.36 Multiple Vulnerabilities (APSB08-18 / APSB08-20 / APSB08-22)	Nessus	Windows	high
800794	Mac OS X < 10.5.6 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high

Detections

Analytics

CVE-2008-4818

medium

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

high

high

medium

high

high