FW: US-CERT Technical Cyber Security Alert TA06-075A -- Adobe Macromedia Flash Products Multiple Vulnerabilities
Nigel Henry
cave.dnb at tiscali.fr
Tue Mar 21 00:47:25 UTC 2006
On Sunday 19 March 2006 06:40, David Eisenstein wrote:
> Hi folks,
>
> "There are critical vulnerabilities in Macromedia Flash player and
> related software. Exploitation of these vulnerabilities could allow a
> remote, unauthenticated attacker to execute arbitrary code or cause a
> denial of service on a vulnerable system."
>
> For more detailed info, please see the forwarded message from CERT,
> below.
>
> Although I don't believe that Fedora or Fedora Legacy provides any version
> of Macromedia's Flash Player to our end users (as it's proprietary), end
> users may still decide to download and install this free plugin ... so it
> is good to know about this. I believe Flash is able to be used both with
> Firefox and Mozilla. Perhaps KDE's Konqueror also can use Flash.
> Someone who knows for sure about Konqueror, can you respond on the list
> and let us know?
Hi David. Just to let you know that the latest version of Flashplayer does
work ok in Konqueror, on FC2. I tried it out on Jamie Cameron's Webmin
site, http://www.webmin.com, and the link to his sister Lara Cameron's site,
which requires Flash. Nigel.
>
> One workaround one can do to not be vulnerable is to disable Flash, at
> least until a secure version can be installed. I use Mozilla-1.7.12.
> What I do to disable flash (and I rarely have it enabled ;)) is:
>
> 1) Shut down your browser and (Mozilla-based) email program, if open.
> 2) Do a "$ find /usr/lib -iname 'libflash*.so'".
> 3) It may find the flash player (possibly named 'libflashplayer.so')
> under any of these directories:
> /usr/lib/mozilla/plugins/
> /usr/lib/mozilla-(version)/plugins
> /usr/lib/firefox-(version)/plugins
> 4) Wherever it finds the plugin .so (shared-object) file, then (as
> root) either delete the file, or rename it to something your
> browser will not find to load. I rename it to
> 'no_libflashplayer.so.txt'.
> 5) At this point, the flash player should be disabled, so when you
> next start Mozilla and/or Firefox you should be safe from this
> vulnerability.
>
> I make no warranty that the above suggestions for disabling the flash
> player will work for you. You take the above steps AT YOUR OWN RISK!
>
> If anyone has a better way to suggest disabling the Macromedia Flash
> player, will you please respond to this message with your suggestion(s)?
> Thanks.
>
> For those of you already aware of this, my apologies for the duplication.
>
> Regards,
> David Eisenstein
>
> ---------- Forwarded message ----------
> From: US-CERT Technical Alerts <technical-alerts at us-cert.gov>
> To: technical-alerts at us-cert.gov
> Date: Thu, 16 Mar 2006 18:13:56 -0500
> Subject: US-CERT Technical Cyber Security Alert TA06-075A -- Adobe
> Macromedia Flash Products Multiple Vulnerabilities
>
>
>
>
>
> National Cyber Alert System
>
> Technical Cyber Security Alert TA06-075A
>
>
> Adobe Macromedia Flash Products Contain Vulnerabilities
>
> Original release date: March 16, 2006
> Last revised: --
> Source: US-CERT
>
>
> Systems Affected
>
> Microsoft Windows, Apple Mac OS X, Linux, Solaris, or other operating
> systems with any of the following Adobe Macromedia products installed:
> * Flash Player 8.0.22.0 and earlier
> * Flash Professional 8
> * Flash Basic
> * Flash MX 2004
> * Flash Debug Player 7.0.14.0 and earlier
> * Flex 1.5
> * Breeze Meeting Add-In 5.1 and earlier
> * Adobe Macromedia Shockwave Player 10.1.0.11 and earlier
>
> For more complete information, refer to Adobe Security Bulletin
> APSB06-03.
>
>
> Overview
>
> There are critical vulnerabilities in Macromedia Flash player and
> related software. Exploitation of these vulnerabilities could allow a
> remote, unauthenticated attacker to execute arbitrary code or cause a
> denial of service on a vulnerable system.
>
>
> I. Description
>
> Adobe Security Bulletin APSB06-03 addresses vulnerabilities in
> Macromedia Flash Player and related software. Further information is
> available in the following US-CERT Vulnerability Note:
>
> VU#945060 - Adobe Macromedia Flash products contain multiple
> vulnerabilities
>
> Several vulnerabilities in Adobe Macromedia Flash products may allow a
> remote attacker to execute arbitrary code on a vulnerable system.
> (CVE-2006-0024)
>
> Several operating systems, including Microsoft Windows (see Microsoft
> Security Advisory 916208), have vulnerable versions of Flash installed
> by default. Systems with Flash-enabled web browsers are vulnerable. An
> attacker could host a specially crafted Flash file on a web site and
> convince a user to visit the site.
>
>
> II. Impact
>
> A remote, unauthenticated attacker could execute arbitrary code with
> the privileges of the user. If the user is logged on with
> administrative privileges, the attacker could take complete control of
> an affected system. An attacker may also be able to cause a denial of
> service.
>
>
> III. Solution
>
> Apply Updates
>
> Adobe has provided the updates for these vulnerabilities in APSB06-03.
>
> Disable Flash
>
> Please see Microsoft Security Advisory 916208 for instructions on how
> to disable Flash on Microsoft Windows. For other operating systems and
> web browsers, please contact the appropriate vendor.
>
>
> Appendix A. References
>
> * Macromedia - APSB06-03: Flash Player Update to Address Security
> Vulnerabilities -
> <http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html>
>
> * US-CERT Vulnerability Note VU#945060 -
> <http://www.kb.cert.org/vuls/id/945060>
>
> * CVE-2006-0024 -
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024>
>
> * Microsoft Security Advisory (916208) -
> <http://www.microsoft.com/technet/security/advisory/916208.mspx>
>
>
> ____________________________________________________________________
>
> The most recent version of this document can be found at:
>
> <http://www.us-cert.gov/cas/techalerts/TA06-075A.html>
> ____________________________________________________________________
>
> Feedback can be directed to US-CERT Technical Staff. Please send
> email to <cert at cert.org> with "TA06-075A Feedback VU#945060" in the
> subject.
> ____________________________________________________________________
>
> For instructions on subscribing to or unsubscribing from this
> mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
> ____________________________________________________________________
>
> Produced 2006 by US-CERT, a government organization.
>
> Terms of use:
>
> <http://www.us-cert.gov/legal.html>
> ____________________________________________________________________
>
>
> Revision History
>
> Mar 16, 2006: Initial release
>
>
>
>
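The disable procedure quoted above (steps 2 through 4) as a POSIX shell script, added here as an example that is not part of the original thread or of the CERT alert. The functions take the plugin root as an argument so the rename can be rehearsed on a scratch directory before it is run as root against /usr/lib; it assumes plugin paths contain no whitespace and uses the same "no_<name>.txt" naming the post describes, with a matching restore step.

```shell
#!/bin/sh
# Added example, not from the original post: find Flash plugin shared objects
# under a plugin root and rename them so Mozilla/Firefox cannot load them.
# Usage: sh flash_toggle.sh disable [/usr/lib]   (as root for the real tree)
#        sh flash_toggle.sh restore [/usr/lib]
# Assumption: no whitespace in plugin paths (find output is word-split).

# Rename every libflash*.so under $1 to no_<name>.txt, as in step 4.
# Exit status 0 if at least one plugin file was renamed, 1 otherwise.
disable_flash_plugins() {
    root="$1"
    count=0
    for f in $(find "$root" -iname 'libflash*.so' 2>/dev/null); do
        dir=$(dirname "$f"); base=$(basename "$f")
        mv "$f" "$dir/no_$base.txt" && echo "disabled: $f -> $dir/no_$base.txt"
        count=$((count + 1))
    done
    echo "$count plugin file(s) renamed under $root"
    [ "$count" -gt 0 ]
}

# Undo the rename once a fixed Flash Player is installed: strip the no_ prefix
# and the .txt suffix. Exit status 0 if at least one file was restored.
restore_flash_plugins() {
    root="$1"
    count=0
    for f in $(find "$root" -iname 'no_libflash*.so.txt' 2>/dev/null); do
        dir=$(dirname "$f"); base=$(basename "$f")
        orig=${base#no_}; orig=${orig%.txt}
        mv "$f" "$dir/$orig" && echo "restored: $dir/$orig"
        count=$((count + 1))
    done
    echo "$count plugin file(s) restored under $root"
    [ "$count" -gt 0 ]
}

# Step 1: the browser must be closed, otherwise it keeps the old .so mapped.
# pgrep is not POSIX, so only warn when it is available.
warn_if_browser_running() {
    command -v pgrep >/dev/null 2>&1 || return 0
    if pgrep -x 'mozilla-bin|firefox-bin' >/dev/null 2>&1; then
        echo "warning: a Mozilla/Firefox process is still running; close it first" >&2
    fi
}

case "${1:-}" in
    disable) warn_if_browser_running; disable_flash_plugins "${2:-/usr/lib}" ;;
    restore) restore_flash_plugins "${2:-/usr/lib}" ;;
esac
```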