Multiple vulnerabilities in Adobe Flash Player
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2008-4503 CVE-2008-4401 CVE-2007-4324 CVE-2007-6243 |
| CWE-ID | CWE-693 CWE-434 CWE-200 CWE-942 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software Subscribe |
Adobe Flash Player Client/Desktop applications / Plugins for browsers, ActiveX components |
| Vendor | Adobe |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Security bypass
EUVDB-ID: #VU1329
Risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2008-4503
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to hijack the clicking action of the victim on the target system.
The weakness exists due to design error in the microphone and camera access dialog. By persuading a victim into clicking misleading Flash Player access control dialogs, a remote attacker can hijack the victims' click actions and gain unauthorized access to the system's camera and microphone.
Successful exploitation of the vulnerability results in access to services on the vulnerable system.
Intall version 10.0.12.36 from vendor's website:
https://get.adobe.com/ru/flashplayer/
Adobe Flash Player: 9.0.124.0 - 10.0.22.87
External linkshttp://www.adobe.com/support/security/bulletins/apsb08-18.htm
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security bypass
EUVDB-ID: #VU1328
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2008-4401
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
DescriptionThe vulnerability allows a remote user to upload arbitrary files on the target system.
The weakness exists due to the unassisted invoking of the FileReference.browse() and FileReference.download() functions. A remote attacker can create a specially crafted SWF file, trick the victim into opening it and download arbitrary files.
Successful exploitation of the vulnerability may result in further attacks on the vulnerable system.
Intall version 10.0.12.36 from vendor's website:
https://get.adobe.com/ru/flashplayer/
Adobe Flash Player: 9.0.124.0 - 9.0.277.0
External linkshttp://www.adobe.com/support/security/bulletins/apsb08-18.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU1327
Risk: Low
CVSSv3.1: 4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C]
CVE-ID: CVE-2007-4324
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to timing differences in SecurityErrorEvent responses. A remote attacker can create a specially SWF file, trick the victim into opening it, bypass the Security Sandbox model, scan ports, and obtain sensitive information.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Intall version 10.0.12.36 from vendor's website:
https://get.adobe.com/ru/flashplayer/
Adobe Flash Player: 9.0.124.0
External linkshttp://www.adobe.com/support/security/bulletins/apsb08-18.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
4) Security bypass
EUVDB-ID: #VU1326
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2007-6243
CWE-ID:
CWE-942 - Overly Permissive Cross-domain Whitelist
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security mechanisms.
The weakness exists due to an error when enforcing cross-domain policy files. A remote attacker could exploit this vulnerability and bypass security restrictions to conduct cross-domain and cross-site scripting (XSS) attacks.
Successful exploitation of the vulnerability results in security restrictions bypass on the vulnerable system.
Intall version 10.0.12.36 from vendor's website:
https://get.adobe.com/ru/flashplayer/
Adobe Flash Player: 9.0.124.0
External linkshttp://www.adobe.com/support/security/bulletins/apsb08-18.htm
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
