Archive for March, 2008

Preparing for April Flash Player 9 Security Update

Quick note to let you know that we are giving advance notice to our customers about some security enhancements in a security update to Flash Player scheduled for April 2008. This update may impact existing SWF content for some customers. The issues addressed are all previously disclosed – specifically, we’ll be providing further mitigations for the previously disclosed DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243), and port-scanning (CVE-2007-4324) issues listed in Security Bulletin APSB07-20 (originally posted on December 18, 2007) and the cross-site scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06 (originally posted on December 23, 2007).
Note that Flash Player end users won’t be affected – all they need to do is update their Flash Player once the update goes live. But, if customers have SWF content on their websites, we’re advising them to review the upcoming Flash Player updates as described in this Adobe Developer Connection article to determine if their content will be impacted, and to begin implementing any necessary changes before the update is released.
Customers for whom the following situations apply should read the article in detail:
– Use of sockets or XMLSockets, regardless of the domain the SWF is connecting to
– Use of addRequestHeader or URLRequest.requestHeaders in any network API call when sending or loading data cross-domain, or providing access to content on remote domains as a web service provider
– Use of SWFs that are exported for Flash Player 7 (SWF7) or below that communicate with the hosting HTML by any means
– Use of “javascript:” through network APIs to communicate outside a SWF
There’s lots of info in the article, which also links to technotes with more details about how to make the changes.
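The checklist above asks site owners to review what their SWF content and web services expose cross-domain. As an added example (not from the original post and not Adobe's code), the following Python script audits a cross-domain policy file for the permissive settings that a reviewer would want to find before the update ships: a wildcard domain, all ports opened, explicit secure="false", and blanket custom request headers. The element and attribute names are those of the Flash Player cross-domain policy file format (socket policy files use the same allow-access-from element with to-ports, so the same audit applies to them); the two sample policies are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy files (not from the page). The first is the kind of
# blanket policy a web-service host might publish; the second is scoped to one
# caller, one port and one named header.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" to-ports="443"/>
  <allow-http-request-headers-from domain="www.example.com" headers="X-Session-Token"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of (severity, message) findings for one policy document."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", "unparseable policy: %s" % exc)]
    if root.tag != "cross-domain-policy":
        return [("error", "root element is <%s>, not <cross-domain-policy>" % root.tag)]

    # A site-control of "all" lets any policy file anywhere on the host apply,
    # which widens what an attacker-controlled upload could grant.
    site = root.find("site-control")
    if site is not None and site.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", "site-control allows policy files anywhere on the host"))

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("high", "allow-access-from grants every domain"))
        elif domain.startswith("*."):
            findings.append(("low", "allow-access-from grants a wildcard subdomain: %s" % domain))
        # to-ports applies to socket policy files; "*" opens every port.
        if el.get("to-ports") == "*":
            findings.append(("high", "allow-access-from opens every port to %s" % domain))
        # secure="false" explicitly lets non-HTTPS callers use an HTTPS policy.
        if el.get("secure", "true").lower() == "false":
            findings.append(("medium", "allow-access-from permits non-HTTPS callers for %s" % domain))

    for el in root.findall("allow-http-request-headers-from"):
        domain = el.get("domain", "")
        headers = el.get("headers", "")
        if domain == "*" and headers == "*":
            findings.append(("high", "any domain may send any custom request header"))
        elif headers == "*":
            findings.append(("medium", "%s may send any custom request header" % domain))
    return findings


def worst_severity(findings):
    """Map the findings to a single number: 0 means nothing was flagged."""
    order = {"error": 4, "high": 3, "medium": 2, "low": 1}
    return max((order[s] for s, _ in findings), default=0)


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print("%s policy:" % name)
        for severity, message in audit_policy(policy) or [("ok", "no findings")]:
            print("  [%s] %s" % (severity, message))
```

Run it against the crossdomain.xml (and, for socket use, the socket policy) your site actually serves; a policy that produces no findings is not proof that content is unaffected by the update, which is what the linked Developer Connection article is for, but each finding points at a declaration worth re-examining.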
This posting is provided “AS IS” with no warranties and confers no rights

Security Bulletins – March 11, 2008

It’s been a busy day around here. We’ve released 5 Security Bulletins today, as follows:
APSB08-06 - Update available for potential ColdFusion MX 7 and ColdFusion 8 Cross Site Scripting security issue
This one is specific to IIS6 installations of ColdFusion.
APSB08-07 - Update available for ColdFusion MX 7 and ColdFusion 8 Cross-Site Scripting issue
This issue only affects CF apps where the Application.cfm or Application.cfc contains the setEncoding function.
APSB08-08 – Update available for ColdFusion MX 7 and ColdFusion 8 logs invalid admin interface log-in attempts
We’ve added functionality with this update to record failed admin log-in attempts in application.log.
APSB08-09 – Update available to resolve critical vulnerabilities in Adobe Form Designer 5.0 and Adobe Advanced Form Client 5.0 Components
These issues are in ActiveX controls shipped with Form Designer and Form Client 5.0.
APSB08-10 – Update available for potential LiveCycle Workflow 6.2 Cross Site Scripting security issue
We’re asking LiveCycle Workflow 6.2 customers to contact their support rep to get this update.
And this Security Advisory:
APSA08-01 – Privilege escalation issue in Adobe Reader 8.1.2 for Unix
We published this advisory in response to a recent SUSE update for this relatively minor issue.