Alert Number: 052908-02
Alert Date: 05/29/08
Alert Title: Adobe Flash Player vulnerable - Patch available
Update-to:
052708-01 *UNPATCHED* Vulnerability in Adobe Flash Player
040908-01 Flash Player update addresses critical vulnerabilities
OS/Platform/Application:
Adobe Flash Player - all versions older than version 9.0.124.0
Category: UPDATE
Severity: HIGH
Attention: Flash Users, System Administrators, Desktop Support Personnel.
Summary: On Tuesday, May 27, 2008, Internet security resources reported the existence of a vulnerability in Adobe Systems' popular Flash media player that could allow takeover of a vulnerable computer when its user viewed a maliciously crafted SWF ('Shockwave Flash') media file*. Active exploitation of this vulnerability was reported at that time; it has continued since then and is now reportedly occurring on a massive scale.
Adobe Systems researchers have since determined that the latest version (version 9.0.124.0) of Flash Player is NOT VULNERABLE TO THIS ATTACK. These findings contradict early reports that all versions of the player were vulnerable. Version 9.0.124.0 was released in early April of 2008; see ALARM alert 040908-01 for more details on this version of Flash Player.
*SWF or 'Shockwave Flash' is a technology used to insert animations, movies, sounds, etc. into web pages. In some cases, an SWF movie or animation will play automatically when a browser visits a web page. Some advertisements (popup or otherwise) found on web pages use SWF to immediately play content when a user visits a website, even if he/she is not visiting the website with the intention of viewing any type of movie or media file. The automatic nature of this media-playing technology increases the potential danger to users when security vulnerabilities and exploits are made available to malicious software users.
Recommended Actions: Flash Player Users, System Administrators, and Support Personnel are strongly encouraged to verify that all of their browsers are using Flash Player 9.0.124.0; if an older version is present on their systems they should upgrade to 9.0.124.0 IMMEDIATELY.
Many users have more than one type of web browser installed on their computer. Flash Player needs to be updated for EACH browser resident on a user's system. Use the following link to verify which version of Flash Player is present on your browser. Use this link with EACH web browser present on your computer (Internet Explorer, Firefox, etc.):
http://www.adobe.com/products/flash/about/
If your browser is not using version 9.0.124.0 of Flash Player, perform the following steps to install the update on EACH browser you use on your computer:
1.) Open up a web browser.
2.) Go to http://www.adobe.com/go/getflash
On the web page, Version 9.0.124.0 should be listed as the version to be installed.
2a.) Depending on your browser and preferences, check or uncheck the "Install Free Google Toolbar" checkbox.
3.) Click "Agree and install now".
4.) Follow the install instructions (Internet Explorer users may need to unblock or install an ActiveX control).
5.) When the "Adobe Flash Player successfully installed" animation plays, the install process is complete.
6.) Verify the installation by pointing your browser to http://www.adobe.com/products/flash/about/
6a.) If the product was installed to the correct location, the page will display "Version 9,0,140,0 Installed Successfully".
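For administrators who collect the version string from each browser on several machines, the following added example (not part of the original alert) flags every entry older than 9.0.124.0. It compares the four version fields numerically, because a plain text comparison would rank "9.0.47.0" above "9.0.124.0". The host names and the inventory are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed release named in this alert; anything older is treated as vulnerable.
FIXED_VERSION = (9, 0, 124, 0)

# Four numeric fields separated by dots or commas, optionally preceded by
# other text such as a platform tag ("WIN 9,0,124,0").
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_flash_version(text):
    """Return the version as a 4-tuple of ints, or None if none is found."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def needs_update(text):
    """True if older than the fixed release, False if not, None if unparseable."""
    version = parse_flash_version(text)
    if version is None:
        return None
    # Tuple comparison is field-by-field and numeric, so 47 < 124 as intended.
    return version < FIXED_VERSION


def audit(inventory):
    """Map each (host, browser) pair to 'UPDATE', 'ok' or 'CHECK MANUALLY'."""
    results = {}
    for key, reported in inventory.items():
        verdict = needs_update(reported)
        if verdict is None:
            results[key] = "CHECK MANUALLY"
        else:
            results[key] = "UPDATE" if verdict else "ok"
    return results


# Constructed sample inventory: one row per browser, since Flash Player
# is installed separately for each browser on a machine.
SAMPLE_INVENTORY = {
    ("lab-pc-01", "Internet Explorer"): "WIN 9,0,124,0",
    ("lab-pc-01", "Firefox"): "9.0.115.0",
    ("lab-pc-02", "Firefox"): "9,0,47,0",
    ("lab-pc-03", "Internet Explorer"): "(no reply)",
}

if __name__ == "__main__":
    for key, verdict in sorted(audit(SAMPLE_INVENTORY).items()):
        print(key, verdict)
```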
Readers are encouraged to share this alert with family, friends, and associates.
ITS Actions: N/A
Resources:
Adobe Product Security Incident Response Team (PSIRT) commentary on Flash Player vulnerability:
http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue.html
Adobe Flash Player download page:
http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash
ALARM Alert 052708-01 "*UNPATCHED* Vulnerability in Adobe Flash Player"
http://www.albany.edu/its/alerts_archive_2008_3658.htm
ALARM Alert 040908-01 "Flash Player update addresses critical vulnerabilities"
http://www.albany.edu/its/alerts_archive_2008_3577.htm