Rapid7 Vulnerability & Exploit Database

RHSA-2008:0945: flash-plugin security update

Back to Search

RHSA-2008:0945: flash-plugin security update



The flash-plugin package contains a Firefox-compatible Adobe Flash PlayerWeb browser plug-in.A flaw was found in the way Adobe Flash Player wrote content to theclipboard. A malicious SWF file could populate the clipboard with a URLthat could cause the user to mistakenly load an attacker-controlled URL.(CVE-2008-3873)A flaw was found which allowed Adobe Flash Player's ActionScript toinitiate file uploads and downloads without user interaction.FileReference.browse and FileReference.download calls can now only beinitiated via user interaction, such as mouse-clicks or key-presses on thekeyboard. (CVE-2008-4401)A flaw was found in Adobe Flash Player's display of the Settings Managercontent. A malicious SWF file could trick the user into unknowinglyclicking a link or dialog. This could then give the malicious SWF filepermission to access the local machine's camera or microphone.(CVE-2008-4503)Flaws were found in the way Flash Player restricted the interpretation andusage of cross-domain policy files. A remote attacker could use FlashPlayer to conduct cross-domain and cross-site scripting attacks(CVE-2007-4324, CVE-2007-6243). This update provides enhanced fixes forthese issues.Adobe Flash Player 10 also includes bug fixes and feature enhancementsincluding:For more information on new features and enhancements, see the Adobe FlashPlayer site and the Adobe Labs Release Notes.Note: some users may have installed a 3rd-party component, libflashsupport,for older versions of Flash Player. Adobe Flash Player 10 no longersupports libflashsupport. Users are advised to remove libflashsupport ifthey have it installed.All users of Adobe Flash Player should upgrade to this updated package,which contains Flash Player version


  • redhat-upgrade-flash-plugin

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center