JVNDB-2007-000817

Flash Player vulnerable in handling cross-domain policy files

Overview

Adobe Flash Player contains a vulnerability caused by improper handling of cross-domain policy files.

Adobe Flash Player is a player for the Flash media format and enables frame-based animations with sound to be viewed within a web browser.
According to Adobe's "About allowing cross-domain data loading", "When a Flash document attempts to access data from another domain, Flash Player automatically attempts to load a policy file from that domain. If the domain of the Flash document that is attempting to access the data is included in the policy file, the data is automatically accessible."
Flash Player does not check strictly enough that a document it loads is actually a cross-domain policy file. As a result, a specially crafted web page on the target domain may be interpreted as that domain's policy file.
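
The mechanism described above, as an added example (not code from this page, from Adobe, or from any vendor advisory): a constructed HTML page and a constructed RSS feed that both happen to contain policy markup, a lenient reader that models "take the allow-access-from element wherever it appears" and therefore accepts both, and a strict reader that requires an XML content type, well-formed XML, and `<cross-domain-policy>` as the root element. The sample documents, the accepted MIME-type list and the reader logic are assumptions for illustration, not Flash Player's implementation.

```python
"""Strict vs. lenient reading of a Flash cross-domain policy file.

Added illustration for this advisory, not code from Adobe, JVN or any
vendor.  All sample documents below are constructed, not captured.
"""
import re
import xml.etree.ElementTree as ET

# A proper master policy file, as served from http://target/crossdomain.xml.
GOOD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>
"""

# An ordinary HTML page on the target (say a user profile) whose
# attacker-controlled text contains policy markup.  Plain HTML is not
# well-formed XML: the <br> is never closed.
CRAFTED_PAGE = """<html><body>
<h1>profile</h1><br>
<p>bio: <cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy></p>
</body></html>
"""

# A well-formed XML document (an RSS feed) on the target embedding the same
# markup; well-formedness alone is not enough to reject it.
CRAFTED_FEED = """<rss version="2.0"><channel><item>
<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>
</item></channel></rss>
"""

ALLOW_RE = re.compile(r'<allow-access-from\s+domain="([^"]*)"')


def lenient_domains(text):
    """Model of a permissive reader: accept any allow-access-from element
    found anywhere in the response body, whatever document it sits in.
    This is the behaviour that lets a crafted page pass as a policy file
    (a model for illustration, not a reimplementation of Flash Player)."""
    return ALLOW_RE.findall(text)


# MIME types the strict reader accepts for a policy file (assumed list).
POLICY_TYPES = {"text/xml", "application/xml", "text/x-cross-domain-policy"}
KNOWN_CHILDREN = {"site-control", "allow-access-from",
                  "allow-http-request-headers-from"}


def strict_domains(text, content_type):
    """Strict reader: returns (domains, errors).  A response counts as a
    policy file only if it is served with an XML content type, parses as
    well-formed XML, has <cross-domain-policy> as its root and contains
    only known child elements.  Any error means no access is granted."""
    errors = []
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in POLICY_TYPES:
        errors.append("content-type %r is not a policy-file type" % mime)
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        errors.append("not well-formed XML: %s" % exc)
        return [], errors
    if root.tag != "cross-domain-policy":
        errors.append("root element is <%s>, not <cross-domain-policy>" % root.tag)
        return [], errors
    domains = []
    for child in root:
        if child.tag == "allow-access-from":
            domain = child.get("domain", "")
            if domain:
                domains.append(domain)
            else:
                errors.append("allow-access-from without a domain attribute")
        elif child.tag not in KNOWN_CHILDREN:
            errors.append("unexpected element <%s>" % child.tag)
    return ([] if errors else domains), errors


def audit(domains):
    """Findings a site owner wants even from a valid file: a bare '*' lets
    a SWF from any origin read every response this host returns to the
    victim's browser, including session-dependent ones."""
    findings = []
    for domain in domains:
        if domain == "*":
            findings.append("wildcard grant: every origin may read this host")
        elif domain.startswith("*."):
            findings.append("subdomain wildcard: %s" % domain)
    return findings


if __name__ == "__main__":
    for name, doc, ctype in [("policy", GOOD_POLICY, "text/x-cross-domain-policy"),
                             ("page", CRAFTED_PAGE, "text/html"),
                             ("feed", CRAFTED_FEED, "application/rss+xml")]:
        print(name, "lenient:", lenient_domains(doc),
              "strict:", strict_domains(doc, ctype))
```

Run stand-alone, the lenient reader returns `['*']` for both crafted documents, while the strict reader returns no domains and a list of reasons for each of them; only the real policy file yields a domain. `audit()` flags a bare `*` even in a file that passes the strict reader, which is the check a site owner wants to run against a deployed crossdomain.xml regardless of the player version.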
CVSS Severity

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Apple Inc.
  • Apple Mac OS X 10.5.3 and earlier
  • Apple Mac OS X Server 10.5.3 and earlier
Adobe Systems, Inc.
  • Adobe Flash Player 7.0.70.0 and earlier
  • Adobe Flash Player 8.0.35.0 and earlier
  • Adobe Flash Player 9.0.48.0 and earlier
  • Adobe Flash Player 9.0.124.0 and earlier
Sun Microsystems, Inc.
  • OpenSolaris (sparc)
  • OpenSolaris (x86)
  • Sun Solaris 10 (sparc)
  • Sun Solaris 10 (x86)
Turbolinux, Inc.
  • Turbolinux FUJI
  • wizpy
Red Hat, Inc.
  • Red Hat Enterprise Linux Extras 3 extras
  • Red Hat Enterprise Linux Extras 4 extras
  • RHEL Desktop Supplementary 5 (client)
  • RHEL Supplementary 5 (server)

Impact

Cross-domain policy restrictions can be bypassed by using a specially crafted web page. This could result in unauthorized access to website data contrary to the website administrator's intent.
Solution

[Update the Software]
For Flash Player 8.x or Flash Player 9.x
Apply the latest updates provided by the vendor.

[Apply the Patch]
For Flash Player 7.x
Apply the appropriate patch as specified in the Flash Player update TechNote provided by the vendor.
The vendor has announced that they discontinued the support of Flash Player 7.x and will no longer provide security updates after this update. Those who are unable to upgrade to Flash Player 8.x or 9.x and wish to continue to use Flash Player 7.x can find the archived installers in the Archived Flash Player TechNote.
Vendor Information

Apple Inc.
  • Security Update 2008-003
Adobe Systems, Inc.
  • APSB08-18
Sun Microsystems, Inc.
  • Sun Alert Notification : 238305
  • Sun Alert Notification : 248586
Turbolinux, Inc.
  • TLSA-2008-16
Red Hat, Inc.
  • RHSA-2008:0221
  • RHSA-2008:0945
  • RHSA-2008:0980
CWE

  1. Cross-site Scripting (CWE-79) [NVD Evaluation]
CVE

  1. CVE-2007-6243
References

  1. JVN : JVN#45675516
  2. National Vulnerability Database (NVD) : CVE-2007-6243
  3. US-CERT Cyber Security Alerts : SA08-150A
  4. US-CERT Technical Cyber Security Alert : TA08-150A
  5. Secunia Advisory : SA28161
  6. ISS X-Force Database : 39129
  7. SecurityTracker : 1019116
  8. FrSIRT Advisories : FrSIRT/ADV-2007-4258
  9. FrSIRT Advisories : FrSIRT/ADV-2008-2838
  10. JVN iPedia (Japanese) : JVNDB-2007-000817
Revision History

  • [2008/05/21]
      Web page published
  • [2008/06/06]
      Affected Products : Added Turbolinux, Inc. (TLSA-2008-16).
      Affected Products : Added Red Hat, Inc. (RHSA-2008:0221).
      Vendor Information : Added Turbolinux, Inc. (TLSA-2008-16).
      Vendor Information : Added Red Hat, Inc. (RHSA-2008:0221).
  • [2008/06/18]
      Affected Products : Added Apple Inc. (Security Update 2008-003).
      Vendor Information : Added Apple Inc. (Security Update 2008-003).
  • [2008/11/12]
      Affected Products : Added Adobe Systems, Inc. (APSB08-18).
      Vendor Information : Added Adobe Systems, Inc. (APSB08-18).
      Vendor Information : Added Red Hat, Inc. (RHSA-2008:0945).
  • [2008/12/04]
      Vendor Information : Added Red Hat, Inc. (RHSA-2008:0980).
  • [2009/02/10]
      Affected Products : Added Sun Microsystems, Inc. (248586).
      Vendor Information : Added Sun Microsystems, Inc. (248586).