SB2008101501 - Multiple vulnerabilities in Adobe Flash Player



Published: October 15, 2008 Updated: December 15, 2016

Security Bulletin ID SB2008101501
Severity Low
Patch available YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Security bypass (CVE-ID: CVE-2008-4503)

The vulnerability allows a remote attacker to hijack the clicking action of the victim on the target system.

The weakness exists due to a design error in the microphone and camera access dialog. By persuading a victim into clicking misleading Flash Player access control dialogs, a remote attacker can hijack the victim's click actions and gain unauthorized access to the system's camera and microphone.

Successful exploitation of the vulnerability results in access to services on the vulnerable system.



2) Security bypass (CVE-ID: CVE-2008-4401)

The vulnerability allows a remote user to upload arbitrary files on the target system.

The weakness exists because the FileReference.browse() and FileReference.download() functions can be invoked unassisted. A remote attacker can create a specially crafted SWF file, trick the victim into opening it and download arbitrary files.

Successful exploitation of the vulnerability may result in further attacks on the vulnerable system.

3) Information disclosure (CVE-ID: CVE-2007-4324)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to timing differences in SecurityErrorEvent responses. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, bypass the Security Sandbox model, scan ports, and obtain sensitive information.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

4) Security bypass (CVE-ID: CVE-2007-6243)

The vulnerability allows a remote attacker to bypass implemented security mechanisms.

The weakness exists due to an error when enforcing cross-domain policy files. A remote attacker could exploit this vulnerability and bypass security restrictions to conduct cross-domain and cross-site scripting (XSS) attacks.

Successful exploitation of the vulnerability results in security restrictions bypass on the vulnerable system.

Remediation

Install the update from the vendor's website.