=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2007/VULN089
_____________________________________________________________________

DATE                      : 13/03/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running ColdFusion MX 7,
                              ColdFusion 8, Adobe Form Designer 5.0,
                              Adobe Advanced Form Client 5.0 Components,
                              Adobe LiveCycle Workflow 6.2, Flash Player,
                             Unix running Adobe Reader 8.1.2.

======================================================================

- --------------------------------------------------------------
Adobe Security Bulletins:
- - Update available for potential ColdFusion MX 7 and
   ColdFusion 8 Cross Site Scripting security issue
- - Update available for ColdFusion MX 7 and ColdFusion 8
   Cross-Site Scripting issue
- - Update available for ColdFusion MX 7 and ColdFusion 8
   logs invalid admin interface log-in attempts
- - Update available to resolve critical vulnerabilities in
   Adobe Form Designer 5.0 and Adobe Advanced Form Client 5.0
   Components
- - Update available for potential LiveCycle Workflow 6.2
   Cross Site Scripting security issue

Adobe Security Advisory:
- - Privilege escalation issue in Adobe Reader 8.1.2 for Unix

Adobe Customer Advisory:
- - Upcoming Flash Player Update: Mitigating Potential Impact
   on SWF Content
- --------------------------------------------------------------

APSB08-06 - Update available for potential ColdFusion MX 7
and ColdFusion 8 Cross Site Scripting security issue

Originally posted: March 11, 2008

Summary:
A potential vulnerability in ColdFusion MX7 and ColdFusion
8 could allow an attacker to execute cross-site scripting
attack. This issue is specific to ColdFusion and Windows
IIS 6 installations.

Severity Rating:
Adobe categorizes this update as important
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl

Adobe recommends that users apply this update to their
installations.  Learn more:
http://direct.adobe.com/r?xJPJcTvEPcTcEcHHqJcHn
- --------------------------------------------------------------

APSB08-07 - Update available for ColdFusion MX 7 and
ColdFusion 8 Cross-Site Scripting issue

Originally posted: March 11, 2008

Summary:
A vulnerability in ColdFusion 8 and ColdFusion MX 7 could
allow an attacker to bypass ColdFusion's cross-site
scripting protection for certain ColdFusion applications.
Only ColdFusion applications where the Application.cfm or
Application.cfc contains the setEncoding function would
be vulnerable to this attack.

Severity Rating:
Adobe categorizes this update as important
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl

Adobe recommends that users apply this update to their
installations.  Learn more:
http://direct.adobe.com/r?xJPJcTvEPcTJEcHHqJcHT
- --------------------------------------------------------------

APSB08-08 - Update available for ColdFusion MX 7 and
ColdFusion 8 logs invalid admin interface log-in attempts

Originally posted: March 11, 2008

Summary:
A design error in ColdFusion 8 and ColdFusion MX 7 could
make it more likely that an attacker could attempt to log
in to the admin interface undetected since failed log-in
attempts were not previously logged.

Severity Rating:
Adobe categorizes this update as moderate
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl

Adobe recommends that users apply this update to their
installations.  Learn more:
http://direct.adobe.com/r?xJPJcTvEPcTlEcHHqJcHv
- --------------------------------------------------------------

APSB08-09 - Update available to resolve critical
vulnerabilities in Adobe Form Designer 5.0 and Adobe Form
Client 5.0 Components

Originally posted: March 11, 2008

Summary:
Critical vulnerabilities have been identified in Form
Designer 5.0 and Form Client 5.0 that could allow an
attacker who successfully exploits these vulnerabilities
to take control of the affected system. A malicious html
file must be loaded in the web browser by the end user for
an attacker to exploit these vulnerabilities. It is
recommended users update their installations using the
instructions below.

Severity Rating:
Adobe categorizes this update as critical
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl

Adobe recommends that users apply this update to their
installations.  Learn more:
http://direct.adobe.com/r?xJPJcTvEPcTPEcHHqJcHW
- --------------------------------------------------------------

APSB08-10 - Update available for potential LiveCycle
Workflow 6.2 Cross Site Scripting security issue

Originally posted: March 11, 2008

Summary:
A potential vulnerability in LiveCycle Workflow 6.2 could
allow an attacker to execute a cross-site scripting attack.

Severity Rating:
Adobe categorizes this update as important
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl

Adobe recommends that users apply this update to their
installations.  Learn more:
http://direct.adobe.com/r?xJPJcTvEPcTnEcHHqJcHq
- --------------------------------------------------------------

APSA08-02 - Privilege escalation issue in Adobe Reader 8.1.2
for Unix

Originally posted: March 11, 2008

Adobe is aware of a recently published report of a privilege
escalation issue in AdobeReader 8.1.2 for Unix. The launcher
script for Adobe Reader 8.1.2 for Unix couldpotentially
allow a malicious local user to escalate their privileges
and potentially modify or delete arbitrary files.

Severity Rating:
Adobe categorizes these issues as moderate
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl

Adobe recommends that users apply the relevant updates to
their installations.  Learn more:
http://direct.adobe.com/r?xJPJcTvEPcTTEcHHqJccH
- --------------------------------------------------------------

Customer Advisory - Upcoming Flash Player Update: Mitigating
Potential Impact on SWF Content

Adobe is planning to release a security update to Flash
Player in April 2008 that will provide further mitigations
for previously disclosed issues.

Adobe is giving advanced notice to our customers as these
security enhancements may impact existing SWF content for
some customers. Adobe recommends customers using SWF
content on their websites review the upcoming Flash Player
updates as described in the following Adobe Developer
Connection article to determine if their content will be
impacted, and to begin implementing necessary changes
immediately to help ensure a seamless transition:
http://direct.adobe.com/r?xJPJcTvEPcTvEcHHqJccc

The upcoming Flash Player update will provide further
mitigations for DNS Rebinding (CVE-2007-5275), cross-
domain policy file (CVE-2007-6243), and port-scanning
(CVE-2007-4324) issues listed in Security Bulletin
APSB07-20 (originally posted on December 18, 2007) and the
cross-site scripting issues (CVE-2007-6637) listed in
Security Advisory APSA07-06 (originally posted on December
23, 2007).
- --------------------------------------------------------------

ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS, OR FIXES
PROVIDED BY ADOBE IN THIS BULLETIN ARE PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. ADOBE AND ITS SUPPLIERS
DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR
OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO
WARRANTY OF NON-INFRINGEMENT, TITLE, OR QUIET ENJOYMENT.
(USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF
IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY
TO YOU. IN NO EVENT SHALL ADOBE, INC. OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT
LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS
INTERRUPTION, OR THE LIKE, OR LOSS OF BUSINESS DAMAGES,
BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF
CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE),
PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADOBE, INC. OR ITS
SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES
DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION
OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE
OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.

Adobe reserves the right, from time to time, to update
the information in this document with current information.
- --------------------------------------------------------------

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================