Quick note to let you know that we are giving our customers advance notice of some security enhancements in a security update to Flash Player scheduled for April 2008. This update may impact existing SWF content for some customers. The issues addressed have all been previously disclosed. Specifically, we’ll be providing further mitigations for the DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243), and port-scanning (CVE-2007-4324) issues listed in Security Bulletin APSB07-20 (originally posted on December 18, 2007) and the cross-site scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06 (originally posted on December 23, 2007).
Note that Flash Player end users won’t be affected – all they need to do is update their Flash Player once the update goes live. But, if customers have SWF content on their websites, we’re advising them to review the upcoming Flash Player updates as described in this Adobe Developer Connection article to determine if their content will be impacted, and to begin implementing any necessary changes before the update is released.
Customers for whom the following situations apply should read the article in detail:
- Use of sockets or XMLSockets, regardless of the domain the SWF is connecting to
- Use of addRequestHeader or URLRequest.requestHeaders in any network API call when sending or loading data cross-domain, or providing access to content on remote domains as a web service provider
- Use of SWFs that are exported for Flash Player 7 (SWF7) or below that communicate with the hosting HTML by any means
- Use of “javascript:” through network APIs to communicate outside a SWF
There’s lots of info in the article, which also links to technotes with more details about how to make the changes.
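To triage a content inventory against the checklist above, the following added example (not Adobe's code and not from the linked article) flags files that merit a closer read. It assumes the standard SWF header layout (a 3-byte `FWS` or `CWS` signature, one version byte, a 4-byte length, with the `CWS` body zlib-compressed); the function names, category labels and sample inputs are constructed for illustration, and the string matching is a heuristic that produces candidates for review rather than a verdict.

```python
import re
import zlib

# Heuristic indicators for the checklist items; they match ActionScript source
# text as well as identifier strings left in a compiled SWF body.
INDICATORS = {
    "sockets": re.compile(rb"\b(?:XMLSocket|Socket)\b"),
    "request-headers": re.compile(rb"\b(?:addRequestHeader|requestHeaders)\b"),
    "javascript-url": re.compile(rb"javascript:", re.IGNORECASE),
}

def swf_body(data: bytes):
    """Return (version, uncompressed body) for a SWF, or (None, data) otherwise."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        return None, data
    version, body = data[3], data[8:]
    if data[:3] == b"CWS":
        try:
            body = zlib.decompress(body)
        except zlib.error:
            body = b""  # truncated or corrupt file: nothing to scan
    return version, body

def review(data: bytes):
    """Return the checklist categories a file should be reviewed against."""
    version, body = swf_body(data)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
    if version is not None and version <= 7:
        # Version alone cannot show that the SWF talks to its hosting HTML,
        # so this only marks the file as a candidate for that checklist item.
        hits.append("swf7-or-below")
    return hits

# Constructed sample inputs (not real content).
SAMPLE_SWF6 = b"FWS\x06" + b"\x00" * 4 + b"\x00javascript:void(0)\x00"
SAMPLE_CWS9 = b"CWS\x09" + b"\x00" * 4 + zlib.compress(b"\x09XMLSocket\x10addRequestHeader")
SAMPLE_AS = b"var r:URLRequest = new URLRequest(u); r.requestHeaders.push(h);"

if __name__ == "__main__":
    for label, blob in [("swf6", SAMPLE_SWF6), ("cws9", SAMPLE_CWS9), ("as", SAMPLE_AS)]:
        print(label, review(blob))
```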
This posting is provided “AS IS” with no warranties and confers no rights.
Adobe Product Security Incident Response Team (PSIRT) Blog
