  [Announcement]   Update Flash Player, Java Runtime, QuickTime! 16/07/2007 01:29:02 (+0700) | #1 | 71393
tmd
Member

Folks who use IE with Flash Player or the Java Runtime should hurry and install the corresponding updates right away.
Vulnerability information is at http://www.adobe.com/support/security/bulletins/apsb07-12.html
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102934-1
http://docs.info.apple.com/article.html?artnum=305947

Flash Player

Flash Player update available to address security vulnerabilities

Release date: July 10, 2007

Vulnerability identifier: APSB07-12

CVE number: CVE-2007-3456, CVE-2007-3457, CVE-2007-2022

Platform: All platforms

Summary

Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update to the most current version of Flash Player available for their platform.

Affected software versions

Adobe Flash Player 9.0.45.0 and earlier, 8.0.34.0 and earlier, and 7.0.69.0 and earlier.

To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Solution

Adobe recommends all users of Adobe Flash Player 9.0.45.0 and earlier versions upgrade to the newest version 9.0.47.0 (Win, Mac, Solaris) or 9.0.48.0 (Linux), by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

For customers who cannot upgrade to Adobe Flash Player 9, Adobe has developed a patched version of Flash Player 7. Please refer to the Flash Player update TechNote.

Severity rating

Adobe categorizes this as a critical issue and recommends affected users upgrade to version 9.0.47.0 (Win, Mac, Solaris) or 9.0.48.0 (Linux).

Details

An input validation error has been identified in Flash Player 9.0.45.0 and earlier versions that could lead to the potential execution of arbitrary code. This vulnerability could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player. (CVE-2007-3456)

An issue with insufficient validation of the HTTP Referer has been identified in Flash Player 8.0.34.0 and earlier. This issue does not affect Flash Player 9. This issue could potentially aid an attacker in executing a cross-site request forgery attack. (CVE-2007-3457)

The Linux and Solaris updates for Flash Player 7 (7.0.70.0) address the issues with Flash Player and the Opera and Konqueror browsers described in Security Advisory APSA07-03. These issues do not impact Flash Player 9 on Linux or Solaris. (CVE-2007-2022) 


Java Runtime Environment
Sun(sm) Alert Notification

* Sun Alert ID: 102934
* Synopsis: Security Vulnerabilities in the Java Runtime Environment Image Parsing Code May Allow an Untrusted Applet to Elevate Privileges
* Category: Security
* Product: Java 2 Platform, Standard Edition
* BugIDs: 6483556, 6483560
* Avoidance: Patch, Upgrade
* State: Resolved
* Date Released: 31-May-2007, 29-Jun-2007
* Date Closed: 29-Jun-2007
* Date Modified: 29-Jun-2007, 10-Jul-2007

1. Impact

A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.

Sun acknowledges, with thanks, Chris Evans of the Google Security Team, for bringing these issues to our attention.

These issues are also referenced in the following documents:

CVE-2007-2788 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788

CVE-2007-2789 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789

2. Contributing Factors

These issues can occur in the following releases (for Windows, Solaris, and Linux):

First vulnerability:

* JDK and JRE 6
* JDK and JRE 5.0 Update 10 and earlier
* SDK and JRE 1.4.2_14 and earlier
* SDK and JRE 1.3.1_20 and earlier

Second vulnerability:

* JDK and JRE 6
* JDK and JRE 5.0 Update 10 and earlier
* SDK and JRE 1.4.2_14 and earlier
* SDK and JRE 1.3.1_19 and earlier

To determine the default version of the JRE on a system for Solaris and Linux, the following command can be run:

% java -version

Note: The above command only determines the default version. Other versions may also be installed on the system.

To determine the default version of the JRE on a system for Windows:

1. Click "Start"
2. Select "Run"
3. Type "cmd" (starts a command-line)
4. At the prompt, type "java -version"

Note: The above command only determines the default version. Other versions may also be installed on the system.

3. Symptoms

There are no reliable symptoms that would show the described issues have been exploited. 


QuickTime

* QuickTime

CVE-ID: CVE-2007-2295

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in QuickTime's handling of H.264 movies. By enticing a user to access a maliciously crafted H.264 movie, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of QuickTime H.264 movies. Credit to Tom Ferris of Security-Protocols.com, and Matt Slot of Ambrosia Software, Inc. for reporting this issue.

* QuickTime

CVE-ID: CVE-2007-2392

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in QuickTime's handling of movie files. By enticing a user to access a maliciously crafted movie file, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of movie files. Credit to Jonathan 'Wolf' Rentzsch of Red Shed Software for reporting this issue.

* QuickTime

CVE-ID: CVE-2007-2296

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted .m4v file may lead to an unexpected application termination or arbitrary code execution

Description: An integer overflow vulnerability exists in QuickTime's handling of .m4v files. By enticing a user to access a maliciously crafted .m4v file, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of .m4v files. Credit to Tom Ferris of Security-Protocols.com for reporting this issue.

* QuickTime

CVE-ID: CVE-2007-2394

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted SMIL file may lead to an unexpected application termination or arbitrary code execution

Description: An integer overflow vulnerability exists in QuickTime's handling of SMIL files. By enticing a user to access a maliciously crafted SMIL file, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of SMIL files. Credit to David Vaartjes of ITsec Security Services, working with the iDefense VCP, for reporting this issue.

* QuickTime

CVE-ID: CVE-2007-2397

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: A design issue exists in QuickTime for Java, which may allow security checks to be disabled. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing a more accurate permissions check. Credit to Adam Gowdiak for reporting this issue.

* QuickTime

CVE-ID: CVE-2007-2393

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: A design issue exists in QuickTime for Java. This may allow Java applets to bypass security checks in order to read and write process memory. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of Java applets. Credit to Adam Gowdiak for reporting this issue.

* QuickTime

CVE-ID: CVE-2007-2396

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: A design issue exists in QuickTime for Java. JDirect exposes interfaces that may allow loading arbitrary libraries and freeing arbitrary memory. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by removing support for JDirect from QuickTime for Java. Credit to Adam Gowdiak for reporting this issue.

* QuickTime

CVE-ID: CVE-2007-2402

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Visiting a malicious website may lead to the disclosure of sensitive information

Description: A design issue exists in QuickTime for Java, which may allow a malicious website to capture a client's screen content. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to the disclosure of sensitive information. This update addresses the issue by performing a more accurate access control check.
 
The 3 stages of a... person: at first, when you don't know a thing, you have to probe; then, once you know, you have to get close; and finally, once you're too close, you have to love one another. But if you can't love, then ...
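
Added example (not part of the original post or of the vendor advisories): a Python check that compares a Flash Player version string and `java -version` output against the affected versions listed in the bulletins quoted above. Reading "JDK and JRE 6" as the initial 1.6.0 release only, and treating branches older than those listed as covered by "and earlier", are assumptions; the function names and sample strings are constructed.

```python
import re

# Highest affected versions, copied from the advisories quoted in the post.
FLASH_CEILING = {9: (9, 0, 45, 0), 8: (8, 0, 34, 0), 7: (7, 0, 69, 0)}
# JRE 1.<minor> -> (micro, update) ceiling for (first, second) vulnerability.
# "JDK and JRE 6" is read as the initial 1.6.0 release only (assumption).
JRE_CEILING = {
    6: ((0, 0), (0, 0)),
    5: ((0, 10), (0, 10)),
    4: ((2, 14), (2, 14)),
    3: ((1, 20), (1, 19)),
}
JAVA_RE = re.compile(r'version "1\.(\d+)\.(\d+)(?:_(\d+))?')

def flash_affected(version):
    """True if a Flash Player version such as '9.0.45.0' or '9,0,45,0' is affected."""
    parts = tuple(int(p) for p in re.split(r"[.,]", version.strip()))
    parts = (parts + (0, 0, 0))[:4]
    ceiling = FLASH_CEILING.get(parts[0])
    if ceiling is None:
        # Branches older than 7 fall under "7.0.69.0 and earlier"; newer ones are not listed.
        return parts[0] < min(FLASH_CEILING)
    return parts <= ceiling

def jre_affected(java_version_output):
    """Return (first_vuln, second_vuln) for `java -version` output, or None if unparsed."""
    m = JAVA_RE.search(java_version_output)
    if m is None:
        return None
    minor, micro, update = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    ceilings = JRE_CEILING.get(minor)
    if ceilings is None:
        # Families older than 1.3 fall under "1.3.1_20 and earlier".
        older = minor < min(JRE_CEILING)
        return (older, older)
    return tuple((micro, update) <= c for c in ceilings)

# Constructed sample inputs (not taken from a real host).
SAMPLES = [
    'java version "1.5.0_10"\nJava(TM) 2 Runtime Environment, Standard Edition',
    'java version "1.3.1_20"',
    'java version "1.5.0_12"',
]

if __name__ == "__main__":
    for out in SAMPLES:
        print(out.splitlines()[0], "->", jre_affected(out))
    for v in ("9.0.45.0", "9,0,47,0", "8.0.34.0", "7.0.70.0"):
        print("Flash", v, "->", flash_affected(v))
```

As the Sun alert notes, `java -version` reports only the default JRE, so feed the check the output from each installed copy.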