Re: [Flashcoders] Flash Player security hole
The UPDATE section here: http://www.securityfocus.com/bid/29386/exploit states that website hacks let the pages forward to the malicious Flash files.

So unless you haven't compiled a malicious SWF yourself (which I'm not up to speed yet how to do) you are only vulnerable if your site is hackable, forcing code onto your site, e.g. via SQL injection, to redirect to malicious SWF files hosted elsewhere.

Thanks,
Gerrit

___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] Flash Player security hole
> you are only vulnerable if your site is hackable

No no - you are vulnerable if you *visit* a site that has been hacked.
Re: [Flashcoders] Flash Player security hole
> No no - you are vulnerable if you *visit* a site that has been hacked.

lol, of course, obviously that too, I wasn't paying attention there for a moment. Good thing you pointed that out :)

Thanks,
Gerrit
Re: [Flashcoders] Flash Player security hole
Dave Segal wrote:
> Does anyone have more info on this? What is the flaw and what can we do to protect our users?
> http://www.pcworld.com/businesscenter/article/146343/new_adobe_flaw_being_used_in_attacks_says_symantec.html

The Flash Player Security Team had an interim response up yesterday (when Symantec's release hit), and a more full response this morning:
http://blogs.adobe.com/psirt

The issue is still being researched, but as the security team says, this appears to be a known issue, already addressed in the current Player 9.0.124 (and the Astro preview). It usually takes a few days to completely nail down all variables within a report however, so keep an eye on the security blog for best info.

I haven't gone into this issue deeply yet myself, but some press reports yesterday said a malformed SWF was hosted on two servers in China, and that there were HTML injections into many mainstream websites to refer to those two SWF. However, I've read that those two Chinese addresses were already taken offline, meaning that the webpage references won't resolve, and that this route to trouble has already been effectively closed. That's just my understanding, though, and would need first-hand confirmation to be sure.

jd

--
John Dowdell . Adobe Developer Support . San Francisco CA USA
Weblog: http://weblogs.macromedia.com/jd
Aggregator: http://weblogs.macromedia.com/mxna
Technotes: http://www.macromedia.com/support/
Spam killed my private email -- public record is best, thanks.
RE: [Flashcoders] Flash Player security hole
John wrote:
> this appears to be a known issue, already addressed in the current Player 9.0.124 (and the Astro preview)

Adobe statement also says, customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit.

I'm confused, the PC World article said, The flaw affects both the recently released Flash Player version 9.0.124.0 and version 9.0.115.0,
http://www.pcworld.com/businesscenter/article/146343/new_adobe_flaw_being_used_in_attacks_says_symantec.html

Are there or are there not existing security flaws in the 9.0.124.0 version of the player?

Jason Merrill
Bank of America Global Technology Operations Global Risk LLD eTools Multimedia
Join the Bank of America Flash Platform Developer Community
Are you a Bank of America associate interested in innovative learning ideas and technologies? Check out our internal GTO Innovative Learning Blog subscribe.
RE: [Flashcoders] Flash Player security hole
PCWorld has updated its report:

Symantec Backtracks on Adobe Flash Warning
http://www.pcworld.com/businesscenter/article/146396

Francis Cheng | Senior Technical Writer | Adobe Systems, Inc.
http://blogs.adobe.com/fcheng
[Flashcoders] Flash Player security hole
Does anyone have more info on this? What is the flaw and what can we do to protect our users?

http://www.pcworld.com/businesscenter/article/146343/new_adobe_flaw_being_used_in_attacks_says_symantec.html
Re: [Flashcoders] Flash Player security hole
have them upgrade to 9.0.124.

http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html

B.
RE: [Flashcoders] Flash Player security hole
> have them upgrade to 9.0.124.

Bob, the article states, the flaw affects both the recently released Flash Player version 9.0.124.0 and version 9.0.115.0

Jason Merrill
Bank of America Global Technology Operations Global Risk LLD eTools Multimedia
Join the Bank of America Flash Platform Developer Community
Are you a Bank of America associate interested in innovative learning ideas and technologies? Check out our internal GTO Innovative Learning Blog subscribe.
Re: [Flashcoders] Flash Player security hole
egads! My apologies, I quickly skimmed over it and figured it was the same as last month.

B.