This posting is provided “AS IS” with no warranties and confers no rights

This posting is provided “AS IS” with no warranties and confers no rights

- This is not a zero-day exploit. Despite various reports that have been circulating, the Flash Player Standalone 9.0.124.0 and Linux Player 9.0.124.0 are NOT vulnerable to the exploits discussed in conjunction with the previously disclosed vulnerability Symantec posted on 5/27/08. Symantec originally believed this to be a zero-day, unpatched vulnerability, but as their latest update on their Threatcon page indicates, they have now confirmed this issue does not affect any versions of Flash Player 9.0.124.0.

- Although the original vulnerability, disclosed last month in Security Bulletin APSB08-11, affects all platforms (Mac, Windows, and Linux), all of the exploits we’ve seen so far target Windows users.

- The ‘campaign’ included SQL injection attacks and apparently took advantage of various other (non-Flash Player) vulnerabilities to redirect users from legitimate sites to malicious domains serving the exploit SWFs.

- Symantec and other major antivirus vendors have added detections for the exploits seen so far.

- The recent Flash Player 10 beta is also not vulnerable to this exploit.

Finally, at the risk of sounding repetitive, in order to make sure users are not vulnerable to these exploits, we strongly encourage users to download and install the latest Flash Player update, 9.0.124.0. No uninstall is necessary, just install the latest Flash Player. Customers using multiple browsers should perform the update for each browser installed on their system.

UPDATE: We've just gotten confirmation from Symantec that all versions of Flash Player 9.0.124.0 are not vulnerable to these exploits. Again, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0. To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. Customers using multiple browsers are advised to perform the check for each browser installed on their system and update if necessary.

Thanks to Symantec for working very closely with us over the last 2 days to confirm that this is not a zero-day issue, and to Mark Dowd and wushi for originally reporting this issue.

This posting is provided “AS IS” with no warranties and confers no rights

UPDATE: This exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071). We strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0.

This posting is provided “AS IS” with no warranties and confers no rights

Also note that we released Security Advisory APSA08-05 for After Effects CS3 today, in response to a public posting of a BMP-handling vulnerability in After Effects. As mentioned in the advisory, it’s not a common workflow to use BMP files within After Effects, and most files used in the After Effects workflow come from trusted sources. That said, as always, we advise customers to exercise caution when receiving and opening files from untrusted sources.

This posting is provided “AS IS” with no warranties and confers no rights

There are also security enhancements that provide further mitigations for the previously disclosed DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243), and port-scanning (CVE-2007-4324) issues listed in Security Bulletin APSB07-20 (originally posted on December 18, 2007) and the cross-site scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06 (originally posted on December 23, 2007). Per our previous guidance about these potential issues, it’s recommended that content developers review this Adobe Developer Center article to determine if the security enhancements may affect their content, and begin implementing any necessary changes.

We’d like to thank all the researchers who reported the issues covered by this update – all the details are in the ‘Acknowledgments’ section, but we’d like to emphasize that we really appreciate the cooperation and help.

We also released a Security Bulletin for ColdFusion, APSB08-12 that resolves a pretty basic bug in the remoting-config.xml file that controls the access level to CFC methods for Flex 2 Remoting.

*This posting is provided "AS IS" with no warranties, and confers no rights.*

What should I do as a customer?

We have fixed the issue and it will be in our next update coming later this month. Adobe is not aware of any active exploits in wild. The security researchers have reported the information to us responsibly giving the Flash Player team time to investigate and deliver a patch to you. We will provide more information as it becomes available.

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Note that Flash Player end users won’t be affected – all they need to do is update their Flash Player once the update goes live. But, if customers have SWF content on their websites, we’re advising them to review the upcoming Flash Player updates as described in this Adobe Developer Connection article to determine if their content will be impacted, and to begin implementing any necessary changes before the update is released.

Customers for whom the following situations apply should read the article in detail:
- Use of sockets or XMLSockets, regardless of the domain the SWF is connecting to
- Use of addRequestHeader or URLRequest.requestHeaders in any network API call when sending or loading data cross-domain OR Provides access to content on remote domains as a web service provider
- Use of SWFs that are exported for Flash Player 7 (SWF7) or below that communicate with the hosting HTML by any means
- Use of “javascript:” through network APIs to communicate outside a SWF

There’s lots of info in the article, which also links to technotes with more details about how to make the changes.

This posting is provided “AS IS” with no warranties and confers no rights

- APSB08-06 - Update available for potential ColdFusion MX 7 and ColdFusion 8 Cross Site Scripting security issue
This one is specific to IIS6 installations of ColdFusion.

- APSB08-07 - Update available for ColdFusion MX 7 and ColdFusion 8 Cross-Site Scripting issue
This issue only affects CF apps where the Application.cfm or Application.cfc contains the setEncoding function.

- APSB08-08 - Update available for ColdFusion MX 7 and ColdFusion 8 logs invalid admin interface log-in attempts
We’ve added functionality with this update to record failed admin log-in attempts in application.log

- APSB08-09 - Update available to resolve critical vulnerabilities in Adobe Form Designer 5.0 and Adobe Advanced Form Client 5.0 Components
These issues are in ActiveX controls shipped with Form Designer and Form Client 5.0

- APSB08-10 - Update available for potential LiveCycle Workflow 6.2 Cross Site Scripting security issue
We’re asking LiveCycle Workflow 6.2 customers to contact their support rep to get this update.

And this Security Advisory:
- APSA08-01 - Privilege escalation issue in Adobe Reader 8.1.2 for Unix
We published this advisory in response to a recent SUSE update for this relatively minor issue.

This posting is provided “AS IS” with no warranties and confers no rights

For starters, we thought we’d give you some information on how our overall Incident Response process works, and specifically why (and how) the ‘Acknowledgments’ section appears in our Security Bulletins. Security researchers provide a valuable service to the community and Adobe believes their contributions should be acknowledged. That is why, if you've read an Adobe Security Bulletin, you may have noticed our acknowledgment section. Adobe appreciates the cooperation of third-party security researchers who adhere to the unwritten rule of allowing software vendors like Adobe time to provide potentially vulnerable customers with a fix or workaround before the researcher releases details of the vulnerability publicly.

The Adobe PSIRT is responsible for monitoring and responding to reports of potential vulnerabilities in Adobe products. The preferred method for alerting Adobe about potential security vulnerabilities is by contacting the PSIRT directly. The Adobe Security Report Form mailbox at www.adobe.com/misc/securityform.html is monitored by the PSIRT and can be used to provide details about an issue. The Adobe PSIRT can also be contacted directly at PSIRT@adobe.com.

Adobe takes the responsibility of securing our products very seriously. When security researchers uncover a potential vulnerability in one of our products that could expose organizations to security risk, the PSIRT coordinates with representatives from the product engineering team to identify an appropriate remediation. This will often include a patch or a simple workaround. Since releasing information about a potential vulnerability while a fix is still in development could expose consumers to risk, Adobe tightly controls information about the issue until a remediation is available.

Once a solution is available, we notify our customers about the potential security vulnerability by posting an Adobe Product Security Bulletin or Adobe Product Security Advisory on the Adobe website at
http://www.adobe.com/support/security

Adobe also provides a free notification service that distributes information about security advisories and bulletins at http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert