
Test ID: 1.3.6.1.4.1.25623.1.0.90019
Category: Windows
Title: Adobe Flash Player <= 9.0.115.0 Vulnerability - Windows
Summary: The remote host is probably affected by the vulnerabilities described in CVE-2007-5275, CVE-2007-6019, CVE-2007-6243, CVE-2007-6637, CVE-2008-1654, CVE-2008-1655.
Description:
Summary:
The remote host is probably affected by
the vulnerabilities described in CVE-2007-5275, CVE-2007-6019, CVE-2007-6243,
CVE-2007-6637, CVE-2008-1654, CVE-2008-1655.

Vulnerability Impact:
- CVE-2007-5275
The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause a
victim machine to establish TCP sessions with arbitrary hosts via a Flash
(SWF) movie, related to lack of pinning of a hostname to a single IP address
after receiving an allow-access-from element in a cross-domain-policy XML
document, and the availability of a Flash Socket class that does not use
the browser's DNS pins, aka DNS rebinding attacks, a different issue than
CVE-2002-1467 and CVE-2007-4324.

- CVE-2007-6019
Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, allows
remote attackers to execute arbitrary code via an SWF file with a modified
DeclareFunction2 Actionscript tag, which prevents an object from being
instantiated properly.

- CVE-2007-6243
Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to
7.0.70.0 does not sufficiently restrict the interpretation and usage of
cross-domain policy files, which makes it easier for remote attackers to
conduct cross-domain and cross-site scripting (XSS) attacks.

- CVE-2007-6637
Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Player
allow remote attackers to inject arbitrary web script or HTML via a crafted
SWF file, related to 'pre-generated SWF files' and Adobe Dreamweaver CS3 or
Adobe Acrobat Connect. NOTE: the asfunction: vector is already covered by
CVE-2007-6244.1.

- CVE-2008-1654
Interaction error between Adobe Flash and multiple Universal Plug and Play
(UPnP) services allows remote attackers to perform Cross-Site Request Forgery
(CSRF) style attacks by using the Flash navigateToURL function to send a SOAP
message to a UPnP control point, as demonstrated by changing the primary DNS
server.

- CVE-2008-1655
Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier, and
8.0.39.0 and earlier, makes it easier for remote attackers to conduct DNS
rebinding attacks via unknown vectors.

Affected Software/OS:
Adobe Flash Player version 9.0.115.0
and earlier on Windows.

Solution:
All Adobe Flash Player users should
upgrade to the latest version.

CVSS Score:
9.3

CVSS Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C

Cross Reference:
Common Vulnerability Exposure (CVE) ID: CVE-2007-5275
http://lists.apple.com/archives/security-announce/2008//May/msg00001.html
BugTraq ID: 26930
http://www.securityfocus.com/bid/26930
Cert/CC Advisory: TA07-355A
http://www.us-cert.gov/cas/techalerts/TA07-355A.html
Cert/CC Advisory: TA08-100A
http://www.us-cert.gov/cas/techalerts/TA08-100A.html
Cert/CC Advisory: TA08-150A
http://www.us-cert.gov/cas/techalerts/TA08-150A.html
http://www.gentoo.org/security/en/glsa/glsa-200801-07.xml
http://www.gentoo.org/security/en/glsa/glsa-200804-21.xml
http://crypto.stanford.edu/dns/dns-rebinding.pdf
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9250
http://www.redhat.com/support/errata/RHSA-2007-1126.html
http://www.redhat.com/support/errata/RHSA-2008-0221.html
http://securitytracker.com/id?1019116
http://secunia.com/advisories/28157
http://secunia.com/advisories/28161
http://secunia.com/advisories/28213
http://secunia.com/advisories/28570
http://secunia.com/advisories/29763
http://secunia.com/advisories/29865
http://secunia.com/advisories/30430
http://secunia.com/advisories/30507
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238305-1
SuSE Security Announcement: SUSE-SA:2007:069
http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00007.html
SuSE Security Announcement: SUSE-SA:2008:022
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00006.html
http://www.vupen.com/english/advisories/2007/4258
http://www.vupen.com/english/advisories/2008/1697
http://www.vupen.com/english/advisories/2008/1724/references
Common Vulnerability Exposure (CVE) ID: CVE-2007-6019
BugTraq ID: 28694
http://www.securityfocus.com/bid/28694
Bugtraq: 20080408 ZDI-08-021: Adobe Flash Player DeclareFunction2 Invalid Object Use Vulnerability
http://www.securityfocus.com/archive/1/490623/100/0/threaded
Bugtraq: 20080414 Secunia Research: Adobe Flash Player "Declare Function (V7)" HeapOverflow
http://www.securityfocus.com/archive/1/490824/100/0/threaded
http://www.zerodayinitiative.com/advisories/ZDI-08-021
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10160
http://www.securitytracker.com/id?1019810
http://securityreason.com/securityalert/3805
XForce ISS Database: adobe-flash-declarefunction2-bo(41717)
https://exchange.xforce.ibmcloud.com/vulnerabilities/41717
Common Vulnerability Exposure (CVE) ID: CVE-2007-6243
BugTraq ID: 26929
http://www.securityfocus.com/bid/26929
BugTraq ID: 26966
http://www.securityfocus.com/bid/26966
CERT/CC vulnerability note: VU#935737
http://www.kb.cert.org/vuls/id/935737
http://jvn.jp/jp/JVN%2345675516/index.html
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11069
http://www.redhat.com/support/errata/RHSA-2008-0945.html
http://www.redhat.com/support/errata/RHSA-2008-0980.html
http://secunia.com/advisories/32448
http://secunia.com/advisories/32702
http://secunia.com/advisories/32759
http://secunia.com/advisories/33390
http://sunsolve.sun.com/search/document.do?assetkey=1-26-248586-1
SuSE Security Announcement: SUSE-SR:2008:025
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.html
XForce ISS Database: adobe-unspecified-security-bypass(39129)
https://exchange.xforce.ibmcloud.com/vulnerabilities/39129
Common Vulnerability Exposure (CVE) ID: CVE-2007-6637
BugTraq ID: 27034
http://www.securityfocus.com/bid/27034
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9828
http://securitytracker.com/id?1019141
Common Vulnerability Exposure (CVE) ID: CVE-2008-1654
BugTraq ID: 28696
http://www.securityfocus.com/bid/28696
Bugtraq: 20080113 Hacking The Interwebs
http://seclists.org/bugtraq/2008/Jan/0182.html
CERT/CC vulnerability note: VU#347812
http://www.kb.cert.org/vuls/id/347812
http://seclists.org/fulldisclosure/2008/Jan/0204.html
http://www.gnucitizen.org/blog/hacking-the-interwebs/
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11435
http://www.securitytracker.com/id?1019807
XForce ISS Database: adobe-flash-navigatetourl-csrf(41718)
https://exchange.xforce.ibmcloud.com/vulnerabilities/41718
Common Vulnerability Exposure (CVE) ID: CVE-2008-1655
BugTraq ID: 28697
http://www.securityfocus.com/bid/28697
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html#goal_dns
http://www.osvdb.org/44283
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10724
http://www.securitytracker.com/id?1019808
XForce ISS Database: adobe-flash-dnsrebinding-security-bypass(41807)
https://exchange.xforce.ibmcloud.com/vulnerabilities/41807
Copyright: Copyright (C) 2008 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.