Vigil@nce: Flash Player 9, several vulnerabilities
November 2008 by Vigil@nce
Several Adobe Flash Player vulnerabilities can be used by an
attacker to obtain information or to exploit several attacks.
– Gravity: 2/4
– Consequences: client access/rights, data reading
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Number of vulnerabilities in this bulletin: 6
– Creation date: 07/11/2008
IMPACTED PRODUCTS
– Microsoft Windows - plateform
– Red Hat Enterprise Linux
– Unix - plateform
DESCRIPTION
Several Adobe Flash Player vulnerabilities can be used by an
attacker to obtain information or to exploit several attacks.
An attacker can alter the HTTP headers in order to create a Cross
Site Scripting. [grav:2/4; CVE-2008-4818]
An attacker can create a DNS attack. [grav:2/4; CVE-2008-4819]
An attacker can use an ActionScipt attribute in order to inject
HTML code. [grav:2/4; CVE-2008-4823]
An attacker can use a policy file in order to bypass the domain
check. [grav:2/4; CVE-2008-4822]
An attacker can use the jar: protocol in order to obtain
information. [grav:1/4; CVE-2008-4821]
An attacker can use the Flash ActiveX in order to obtain
information. [grav:2/4; CVE-2008-4820]
CHARACTERISTICS
– Identifiers: APSB08-20, BID-32129, CVE-2008-4818, CVE-2008-4819,
CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823,
RHSA-2008:0980-02, VIGILANCE-VUL-8230
– Url: http://vigilance.fr/vulnerability/8230