RHEL 5 : flash-plugin (RHSA-2008:0945)

critical Nessus Plugin ID 63869

Synopsis

The remote Red Hat host is missing a security update.

Description

An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

[Updated 18th November 2008] The erratum has been updated to include references to the additional CVE-named issues that were not public at the time of release. The security impact of the erratum has also been upgraded to Critical. No changes have been made to the packages.

The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in.

A flaw was found in the way Adobe Flash Player wrote content to the clipboard. A malicious SWF file could populate the clipboard with a URL that could cause the user to mistakenly load an attacker-controlled URL. (CVE-2008-3873)

A flaw was found which allowed Adobe Flash Player's ActionScript to initiate file uploads and downloads without user interaction.
FileReference.browse and FileReference.download calls can now only be initiated via user interaction, such as mouse-clicks or key-presses on the keyboard. (CVE-2008-4401)

A flaw was found in Adobe Flash Player's display of the Settings Manager content. A malicious SWF file could trick the user into unknowingly clicking a link or dialog. This could then give the malicious SWF file permission to access the local machine's camera or microphone. (CVE-2008-4503)

Flaws were found in the way Flash Player restricted the interpretation and usage of cross-domain policy files. A remote attacker could use Flash Player to conduct cross-domain and cross-site scripting attacks (CVE-2007-4324, CVE-2007-6243). This update provides enhanced fixes for these issues.

Adobe Flash Player 10 also includes bug fixes and feature enhancements including :

* improved stability on the Linux platform by fixing a race condition issue in sound output.

* new support for custom filters and effects, native 3D transformation and animation, advanced audio processing, a new, more flexible text engine, and GPU hardware acceleration.

For more information on new features and enhancements, see the Adobe Flash Player site and the Adobe Labs Release Notes.

Note: some users may have installed a 3rd-party component, libflashsupport, for older versions of Flash Player. Adobe Flash Player 10 no longer supports libflashsupport. Users are advised to remove libflashsupport if they have it installed.

All users of Adobe Flash Player should upgrade to this updated package, which contains Flash Player version 10.0.12.36.

Solution

Update the affected flash-plugin package.

See Also

https://access.redhat.com/security/cve/cve-2007-4324

https://access.redhat.com/security/cve/cve-2007-6243

https://access.redhat.com/security/cve/cve-2008-3873

https://access.redhat.com/security/cve/cve-2008-4401

https://access.redhat.com/security/cve/cve-2008-4503

https://access.redhat.com/security/cve/cve-2008-4818

https://access.redhat.com/security/cve/cve-2008-4819

https://access.redhat.com/security/cve/cve-2008-4821

https://access.redhat.com/security/cve/cve-2008-4822

https://access.redhat.com/security/cve/cve-2008-4823

https://access.redhat.com/security/cve/cve-2008-4824

https://access.redhat.com/security/cve/cve-2008-5361

https://access.redhat.com/security/cve/cve-2008-5362

https://access.redhat.com/security/cve/cve-2008-5363

https://www.adobe.com/support/security/bulletins/apsb08-18.html

https://www.adobe.com/support/security/bulletins/apsb08-20.html

https://www.adobe.com/support/security/bulletins/apsb08-22.html

https://www.adobe.com/devnet/flashplayer.html

https://www.adobe.com/products/flashplayer/

https://access.redhat.com/errata/RHSA-2008:0945

Plugin Details

Severity: Critical

ID: 63869

File Name: redhat-RHSA-2008-0945.nasl

Version: 1.18

Type: local

Agent: unix

Published: 1/24/2013

Updated: 1/14/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:redhat:enterprise_linux:5.2, cpe:/o:redhat:enterprise_linux:5, p-cpe:/a:redhat:enterprise_linux:flash-plugin

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 11/18/2008

Vulnerability Publication Date: 8/13/2007

Reference Information

CVE: CVE-2007-4324, CVE-2007-6243, CVE-2008-3873, CVE-2008-4401, CVE-2008-4503, CVE-2008-4818, CVE-2008-4819, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823, CVE-2008-4824, CVE-2008-5361, CVE-2008-5362, CVE-2008-5363

BID: 25260, 26966, 31117

CWE: 20, 200, 264, 399, 79

RHSA: 2008:0945