
Flash Player update addresses critical vulnerabilities - 4/9/08


ALARM Group ALERT (ALARM: The Computing Alert System)


Alert Number: 040908-01
Alert Date: 04/09/08
Alert Title: Flash Player update addresses critical vulnerabilities
Update-to: None.
OS/Platform/Application:

Adobe Flash Player 9.0.115.0 and earlier
Adobe Flash Player 8.0.39.0 and earlier

Category: ALERT
Severity: HIGH

Attention: Flash users, System Administrators, Desktop Support Personnel.

Summary: On April 9, 2008, Adobe Systems Inc. released version 9.0.124.0 of its popular Flash Player media application.  Version 9.0.124.0 addresses six critical security vulnerabilities that, if exploited, could result in a range of negative outcomes including disclosure of personal information and complete takeover of a vulnerable system.  For the majority of these vulnerabilities, the most likely method of exploit is visiting a maliciously-crafted website** or handling a maliciously-crafted Flash media file (movie, animation, etc.).

It is important to note that specific versions of this software have been created for Internet Explorer as well as other popular web browsers such as Firefox, Netscape Navigator, Opera, etc.  If you use more than one type of web browser on your computer you may need to install more than one version of the update to make your computer safe from these security vulnerabilities.  See the steps listed in "Recommended Actions" below for more information on securing all browsers on a system.

**It is important to note that recent research into the nature and trends of maliciously-crafted sites shows that the majority of websites hosting maliciously-crafted software are ones users presume to be "legitimate" sites or advertisements for well-known and/or trusted products.  The fact that dangerous software may be hiding within seemingly innocuous websites makes it vitally important to patch all vulnerable software on any system as soon as patches are made available by the vendor.  In cases where a patch is not yet available, users should consider any website and/or media file that they visit or handle as a potential source of compromise for their computer systems.

Recommended Actions:   Flash users/System Administrators are encouraged to install the updated software as soon as possible. 

As stated above, different versions of this software are available for different browser types.  You must install the update for EACH type of web browser running on your computer.  To perform the update, follow these steps:

1.) Open a web browser.
2.) Go to http://www.adobe.com/go/getflash
    On the web page, Version 9.0.124.0 should be listed as the version to be installed.
2a.) Depending on your browser and preferences, check or uncheck the "Install Free Google Toolbar" checkbox.
3.) Click "Agree and install now".
4.) Follow the install instructions (Internet Explorer users may need to unblock or install an ActiveX control).
5.) When the "Adobe Flash Player successfully installed" animation plays, the install process is complete.
6.) Verify the installation by pointing your browser to http://www.adobe.com/products/flash/about/
6a.) If the product was installed to the correct location, the page will display "Version 9,0,140,0 Installed Successfully".

7.) REPEAT THIS PROCESS WITH ANY OTHER WEB BROWSERS YOU MAY BE RUNNING ON YOUR COMPUTER.
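
An added example, not part of the original alert or any Adobe tooling: a check that desktop support staff could run over collected Flash version strings to find machines where one browser was updated and another was missed. The inventory rows and host names are constructed; treating every version below 9.0.124.0 as needing the update, and accepting an optional platform prefix such as "WIN", are assumptions of this example.

```python
import re
from collections import defaultdict

FIXED = (9, 0, 124, 0)  # fixed release named in this alert


def parse_version(text):
    """Parse '9.0.115.0', '9,0,115,0' or 'WIN 9,0,115,0' into a tuple of four ints."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Flash version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def needs_update(text):
    # Compare numerically, field by field. A plain string comparison would
    # rank '9.0.45.0' above '9.0.124.0' and hide an unpatched install.
    return parse_version(text) < FIXED


def audit(rows):
    """Return {host: [(browser, version_text), ...]} for installs that still need the update.

    Each browser is checked separately, because the update must be installed
    once per browser type. Unparseable version strings are reported, not skipped.
    """
    findings = defaultdict(list)
    for host, browser, version in rows:
        try:
            if needs_update(version):
                findings[host].append((browser, version))
        except ValueError:
            findings[host].append((browser, "UNKNOWN: " + version))
    return dict(findings)


# Constructed sample inventory: (host, browser, reported Flash version)
INVENTORY = [
    ("lab-pc-01", "Internet Explorer", "9,0,124,0"),
    ("lab-pc-01", "Firefox", "9,0,115,0"),        # second browser missed
    ("lab-pc-02", "Internet Explorer", "WIN 9,0,124,0"),
    ("lab-pc-02", "Opera", "9.0.124.0"),
    ("lab-pc-03", "Firefox", "8.0.39.0"),
    ("lab-pc-04", "Netscape Navigator", "no version reported"),
]

if __name__ == "__main__":
    for host, items in sorted(audit(INVENTORY).items()):
        for browser, version in items:
            print(f"{host}: {browser} reports {version} -> update required")
```
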


ITS Actions: N/A

Resources:

SANS Advisory:
http://isc.sans.org/diary.html?storyid=4268

Adobe Advisory:
http://www.adobe.com/support/security/bulletins/apsb08-11.html

Flash Player Update Link:
http://www.adobe.com/go/getflash

Flash Player Verification Link:
http://www.adobe.com/products/flash/about/

Flash version 9.0.124.0 (Network Distribution):
http://www.adobe.com/licensing/distribution

Flash Update for Flex 3.0:
http://www.adobe.com/support/flashplayer/downloads.html#fp9

AIR 1.0 update 1.0.1:
http://www.adobe.com/go/getair

 

Information Technology Services
University at Albany, SUNY
1400 Washington Avenue
Albany, NY 12222
ITS Service Centers:  518-442-4000
 