FW: US-CERT Technical Cyber Security Alert TA06-075A -- Adobe Macromedia Flash Products Multiple Vulnerabilities

Nigel Henry cave.dnb at tiscali.fr
Tue Mar 21 00:47:25 UTC 2006


On Sunday 19 March 2006 06:40, David Eisenstein wrote:
> Hi folks,
>
>    "There are critical vulnerabilities in Macromedia Flash player and
>    related software. Exploitation of these vulnerabilities could allow a
>    remote, unauthenticated attacker to execute arbitrary code or cause a
>    denial of service on a vulnerable system."
>
> For more detailed info, please see the forwarded message from CERT,
> below.
>
> Although I don't believe that Fedora or Fedora Legacy provides any version
> of Macromedia's Flash Player to our end users (as it's proprietary), end
> users may still decide to download and install this free plugin ... so it
> is good to know about this.  I believe Flash is able to be used both with
> Firefox and Mozilla.  Perhaps KDE's Konqueror also can use Flash.
> Someone who knows for sure about Konqueror, can you respond on the list
> and let us know?

Hi David. Just to let you know that the latest version of Flashplayer does
work ok in Konqueror, on FC2. I tried it out on Jamie Cameron's Webmin
site, http://www.webmin.com, and the link to his sister Lara Cameron's site,
which requires Flash. Nigel.
>
> One workaround one can do to not be vulnerable is to disable Flash, at
> least until a secure version can be installed.  I use Mozilla-1.7.12.
> What I do to disable flash (and I rarely have it enabled ;)) is:
>
>    1)  Shut down your browser and (Mozilla-based) email program, if open.
>    2)  Do a "$ find /usr/lib -iname 'libflash*.so'".
>    3)  It may find the flash player (possibly named 'libflashplayer.so')
>        under any of these directories:
>          /usr/lib/mozilla/plugins/
>          /usr/lib/mozilla-(version)/plugins
>          /usr/lib/firefox-(version)/plugins
>    4)  Wherever it finds the plugin .so (shared-object) file, then (as
>        root) either delete the file, or rename it to something your
>        browser will not find to load.  I rename it to
>        'no_libflashplayer.so.txt'.
>    5)  At this point, the flash player should be disabled, so when you
>        next start Mozilla and/or Firefox you should be safe from this
>        vulnerability.
>
> I make no warranty that the above suggestions for disabling the flash
> player will work for you.  You take the above steps AT YOUR OWN RISK!
>
> If anyone has a better way to suggest disabling the Macromedia Flash
> player, will you please respond to this message with your suggestion(s)?
> Thanks.
>
> For those of you already aware of this, my apologies for the duplication.
>
>  Regards,
>  David Eisenstein
>
> ---------- Forwarded message ----------
> From: US-CERT Technical Alerts <technical-alerts at us-cert.gov>
> To: technical-alerts at us-cert.gov
> Date: Thu, 16 Mar 2006 18:13:56 -0500
> Subject: US-CERT Technical Cyber Security Alert TA06-075A -- Adobe
>     Macromedia Flash Products Multiple Vulnerabilities
>
>
>
>
>
>                         National Cyber Alert System
>
>                  Technical Cyber Security Alert TA06-075A
>
>
> Adobe Macromedia Flash Products Contain Vulnerabilities
>
>    Original release date: March 16, 2006
>    Last revised: --
>    Source: US-CERT
>
>
> Systems Affected
>
>    Microsoft Windows, Apple Mac OS X, Linux, Solaris, or other operating
>    systems with any of the following Adobe Macromedia products installed:
>      * Flash Player 8.0.22.0 and earlier
>      * Flash Professional 8
>      * Flash Basic
>      * Flash MX 2004
>      * Flash Debug Player 7.0.14.0 and earlier
>      * Flex 1.5
>      * Breeze Meeting Add-In 5.1 and earlier
>      * Adobe Macromedia Shockwave Player 10.1.0.11 and earlier
>
>    For more complete information, refer to Adobe Security Bulletin
>    APSB06-03.
>
>
> Overview
>
>    There are critical vulnerabilities in Macromedia Flash player and
>    related software. Exploitation of these vulnerabilities could allow a
>    remote, unauthenticated attacker to execute arbitrary code or cause a
>    denial of service on a vulnerable system.
>
>
> I. Description
>
>    Adobe Security Bulletin APSB06-03 addresses vulnerabilities in
>    Macromedia Flash Player and related software. Further information is
>    available in the following US-CERT Vulnerability Note:
>
>    VU#945060 - Adobe Macromedia Flash products contain multiple
>    vulnerabilities
>
>    Several vulnerabilities in Adobe Macromedia Flash products may allow a
>    remote attacker to execute arbitrary code on a vulnerable system.
>    (CVE-2006-0024)
>
>    Several operating systems, including Microsoft Windows (see Microsoft
>    Security Advisory 916208), have vulnerable versions of Flash installed
>    by default. Systems with Flash-enabled web browsers are vulnerable. An
>    attacker could host a specially crafted Flash file on a web site and
>    convince a user to visit the site.
>
>
> II. Impact
>
>    A remote, unauthenticated attacker could execute arbitrary code with
>    the privileges of the user. If the user is logged on with
>    administrative privileges, the attacker could take complete control of
>    an affected system. An attacker may also be able to cause a denial of
>    service.
>
>
> III. Solution
>
> Apply Updates
>
>    Adobe has provided the updates for these vulnerabilities in APSB06-03.
>
> Disable Flash
>
>    Please see Microsoft Security Advisory 916208 for instructions on how
>    to disable Flash on Microsoft Windows. For other operating systems and
>    web browsers, please contact the appropriate vendor.
>
>
> Appendix A. References
>
>      * Macromedia - APSB06-03: Flash Player Update to Address Security
>        Vulnerabilities -
>        <http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html>
>
>      * US-CERT Vulnerability Note VU#945060 -
>        <http://www.kb.cert.org/vuls/id/945060>
>
>      * CVE-2006-0024 -
>        <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024>
>
>      * Microsoft Security Advisory (916208) -
>        <http://www.microsoft.com/technet/security/advisory/916208.mspx>
>
>
>  ____________________________________________________________________
>
>    The most recent version of this document can be found at:
>
>      <http://www.us-cert.gov/cas/techalerts/TA06-075A.html>
>  ____________________________________________________________________
>
>    Feedback can be directed to US-CERT Technical Staff. Please send
>    email to <cert at cert.org> with "TA06-075A Feedback VU#945060" in the
>    subject.
>  ____________________________________________________________________
>
>    For instructions on subscribing to or unsubscribing from this
>    mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
>  ____________________________________________________________________
>
>    Produced 2006 by US-CERT, a government organization.
>
>    Terms of use:
>
>      <http://www.us-cert.gov/legal.html>
>  ____________________________________________________________________
>
>
> Revision History
>
>    Mar 16, 2006: Initial release
>
>
>
>
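
The plugin-renaming workaround David walks through above (locate the Flash plugin .so under /usr/lib, rename it so the browser cannot load it), as an added POSIX shell script that is not part of the original mail. It assumes David's no_<name>.txt naming scheme and adds a restore function that reverses the rename; run as root against the real /usr/lib, or pass another root directory.

```shell
#!/bin/sh
# Added example (not from the original mail): scripts the workaround of
# renaming libflash*.so so Mozilla/Firefox/Konqueror no longer load it.
# Assumed naming scheme (David's): libflashplayer.so -> no_libflashplayer.so.txt
# ROOT defaults to /usr/lib, the tree the original 'find' command searched.

# Print every Flash plugin shared object found under ROOT, one path per line.
find_flash_plugins() {
    root=${1:-/usr/lib}
    find "$root" -type f -iname 'libflash*.so' 2>/dev/null
}

# Disable each plugin found by renaming it; print each new path (one per line).
disable_flash_plugins() {
    root=${1:-/usr/lib}
    find_flash_plugins "$root" | while IFS= read -r so; do
        dir=$(dirname "$so"); base=$(basename "$so")
        mv "$so" "$dir/no_$base.txt" && printf '%s\n' "$dir/no_$base.txt"
    done
}

# Reverse the rename for every no_libflash*.so.txt under ROOT; print each path.
restore_flash_plugins() {
    root=${1:-/usr/lib}
    find "$root" -type f -name 'no_libflash*.so.txt' 2>/dev/null |
    while IFS= read -r txt; do
        dir=$(dirname "$txt"); base=$(basename "$txt" .txt)
        mv "$txt" "$dir/${base#no_}" && printf '%s\n' "$dir/${base#no_}"
    done
}

# Direct invocation (as root): ./disable_flash.sh disable|restore [ROOT]
case "${1:-}" in
    disable) disable_flash_plugins "${2:-}" ;;
    restore) restore_flash_plugins "${2:-}" ;;
esac
```

Without an argument the script only defines the functions, so it can be sourced and the plugin list inspected with find_flash_plugins before anything is renamed.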
