=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2008/VULN485
_____________________________________________________________________

DATE                      : 06/11/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Adobe Flash Player version
                                     9.0.124.0 and earlier.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb08-20.html
______________________________________________________________________

Flash Player update available to address security vulnerabilities

Release date: November 5, 2008

Vulnerability identifier: APSB08-20

CVE number: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821,
CVE-2008-4822, CVE-2008-4823

Platform: All Platforms


Summary

Potential vulnerabilities have been identified in Adobe Flash Player
9.0.124.0 and earlier that could allow an attacker who successfully exploits
these potential vulnerabilities to bypass Flash Player security controls.
Adobe recommends users update to the most current version of Flash Player
available for their platform. No action is required by customers who have
already updated to Flash Player 10.0.12.36. The Flash Player 9.0.151.0 update
addresses the issues previously reported in Security Bulletin APSB08-18 in
addition to the issues outlined in this Security Bulletin.


Affected software versions

Adobe Flash Player 9.0.124.0 and earlier.

To verify the Adobe Flash Player version number, access the About Flash Player
page, or right-click on Flash content and select “About Adobe (or Macromedia)
Flash Player” from the menu. If you use multiple browsers, perform the check for
each browser you have installed on your system.


Solution

Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions
upgrade to the newest version 10.0.12.36 by downloading it from the Player Download
Center, or by using the auto-update mechanism within the product when prompted.

For users who cannot update to Flash Player 10, Adobe has developed a patched version
of Flash Player 9, Flash Player 9.0.151.0, which can be downloaded from the following
link.


Severity rating

Adobe categorizes this as a critical update due to the issues previously outlined
in Security Bulletin APSB08-18 and recommends affected users upgrade to version
10.0.12.36.


Details

In addition to the issues previously reported in Security Bulletin APSB08-18, the
Flash Player 10.0.12.36 and Flash Player 9.0.151.0 updates address the issues outlined
below.

This update includes a change to the way Flash Player interprets HTTP response headers
to prevent a potential cross-site scripting attack. (CVE-2008-4818)

This update introduces a change to mitigate a potential issue that could aid an
attacker in executing a DNS rebinding attack. (CVE-2008-4819)

This update introduces stricter interpretation of an ActionScipt attribute to
prevent a potential HTML injection issue. (CVE-2008-4823)

This update prevents an issue with policy file interpretation that could potentially
lead to bypass of a non-root domain policy. (CVE-2008-4822)

This update prevents an issue with the Flash Player interpretation of jar: protocol
on Mozilla browsers that could potentially lead to information disclosure. (
CVE-2008-4821)

 This update prevents a potential Windows-only information disclosure issue in
the Flash Player ActiveX control. (CVE-2008-4820)


Affected software Recommended player update Availability

Flash Player 9.0.124.0 and earlier 10.0.12.36 Player Download Center

Flash Player 9.0.124.0 and earlier
- network distribution  	10.0.12.36    Player Licensing

Flash Player 9.0.124.0 and earlier
for Linux               	10.0.12.36    Player Download Center

Flash CS4 Professional   	10.0.12.36    Adobe Flash Player 10 Update
                                              for Flash CS4 Professional

Flex 3                  	10.0.12.36    Flash Debug Player Updater


Acknowledgments

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect
our customers' security:

    * Adan Barth of UC Berkeley and Collin Jackson of Stanford University (CVE-2008-4818)
    * Nathan McFeters and Rob Carter of Ernst and Young’s Advanced Security Center (CVE-2008-4819)
    * Stefano Di Paola of Minded Security (CVE-2008-4823)
    * Alex “kuza55” K. (CVE-2008-4822)
    * Gregory Fleischer of pseudo-flaw.net (CVE-2008-4821)
    * Manuel Caballero (CVE-2008-4820)


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================