JVNDB-2010-000054

Flash Player access restriction bypass vulnerability

Overview

Flash Player contains an access restriction bypass vulnerability.

When Flash Player references a different website than the site where Flash contents are hosted, the referenced site must be allowed access by the cross-domain policy file.

Flash Player contains a vulnerability where access restrictions set by the cross-domain policy file may be bypassed.
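To make the access rule described above concrete, here is an added example (not part of the JVNDB advisory or of Adobe's code) that parses a constructed crossdomain.xml, decides whether a requesting origin is permitted, and flags the policy pattern that grants every origin access. The matching rule (`*` matches all, `*.host` matches `host` and its subdomains, otherwise exact match) and the `secure` default are assumptions taken from the documented policy-file format, simplified for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for illustration only; not taken from any real site.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.partner.example" secure="true"/>
</cross-domain-policy>
"""


def parse_policy(xml_text):
    """Return (domain_pattern, secure_only) rules from a crossdomain.xml document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    rules = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain")
        if domain is None:
            continue
        # Assumption: 'secure' defaults to true, so HTTP content is refused unless
        # the policy author explicitly sets secure="false".
        secure_only = el.get("secure", "true").lower() == "true"
        rules.append((domain, secure_only))
    return rules


def domain_matches(pattern, host):
    """'*' matches everything; '*.x' matches x and any subdomain of x; else exact match."""
    host, pattern = host.lower(), pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def is_allowed(rules, origin_host, origin_https):
    """True if the policy lets Flash content from origin_host read this site's data."""
    for pattern, secure_only in rules:
        if domain_matches(pattern, origin_host):
            if secure_only and not origin_https:
                continue  # HTTPS-only rule does not apply to HTTP-hosted content
            return True
    return False


def find_overly_permissive(rules):
    """Defensive check: patterns that grant every origin access to the site's data."""
    return [pattern for pattern, _ in rules if pattern == "*"]
```

A policy returning a non-empty list from `find_overly_permissive` exposes the site's data to Flash content on any origin, which is the exposure this advisory's bypass makes reachable even for correctly scoped policies.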
CVSS Severity

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Apple Inc.
  • Apple Mac OS X v10.5.8
  • Apple Mac OS X v10.6 through v10.6.4
  • Apple Mac OS X Server v10.5.8
  • Apple Mac OS X Server v10.6 through v10.6.4
Adobe Systems, Inc.
  • Adobe Flash Player 10.1.85.3 and earlier for Windows, Macintosh, Linux, and Solaris
  • Adobe Flash Player 10.1.95.1 for Android
Oracle Corporation
  • Oracle Solaris 10
  • Oracle Solaris 11 Express
Red Hat, Inc.
  • Red Hat Enterprise Linux Extras 4 extras
  • Red Hat Enterprise Linux Extras 4.8.z extras
  • Red Hat Enterprise Linux Server Supplementary 6
  • Red Hat Enterprise Linux Workstation Supplementary 6
  • RHEL Desktop Supplementary 6
  • RHEL Desktop Supplementary 5 (client)
  • RHEL Supplementary 5 (server)

Impact

Cross-domain policy restrictions can be bypassed by using a specially crafted web page. This could result in unauthorized access to website data.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Apple Inc.
  • Apple Security Updates : HT4435
Adobe Systems, Inc.
Oracle Corporation
Red Hat, Inc.
CWE

  1. Permissions(CWE-264) [IPA Evaluation]
CVE

  1. CVE-2010-3636
References

  1. JVN : JVN#48425028
  2. JVN : JVNVU#331391 (Japanese)
  3. National Vulnerability Database (NVD) : CVE-2010-3636
  4. Secunia Advisory : SA42183
  5. SecurityFocus : 44691
  6. VUPEN Security : VUPEN/ADV-2010-2903
  7. VUPEN Security : VUPEN/ADV-2010-2906
  8. VUPEN Security : VUPEN/ADV-2010-2918
Revision History

  • [2010/11/09]
      Web page published
  • [2010/12/03]
      Affected Products : Added Apple Inc (HT4435)
      Affected Products : Added Red Hat, Inc. (RHSA-2010:0829)
      Affected Products : Added Red Hat, Inc. (RHSA-2010:0834)
      Affected Products : Added Red Hat, Inc. (RHSA-2010:0867)
      Vendor Information : Added Apple Inc (HT4435)
      Vendor Information : Added Red Hat, Inc. (RHSA-2010:0829)
      Vendor Information : Added Red Hat, Inc. (RHSA-2010:0834)
      Vendor Information : Added Red Hat, Inc. (RHSA-2010:0867)
  • [2011/02/01]
      Affected Products : Added Oracle Corporation (multiple_vulnerabilities_in_adobe_flash1)
      Vendor Information : Added Oracle Corporation (multiple_vulnerabilities_in_adobe_flash1)