RE: [Flashcoders] Flash Player security hole

2008-05-28 Thread Francis Cheng
PCWorld has updated its report:

Symantec Backtracks on Adobe Flash Warning
http://www.pcworld.com/businesscenter/article/146396

Francis Cheng | Senior Technical Writer | Adobe Systems, Inc.
http://blogs.adobe.com/fcheng

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Merrill,
Jason
Sent: Wednesday, May 28, 2008 2:08 PM
To: Flash Coders List
Subject: RE: [Flashcoders] Flash Player security hole

John wrote:

>>this appears to be a known issue, already addressed in 
>>the current Player
>>9.0.124 (and the Astro preview)

Adobe statement also says, "customers with Flash Player 9.0.124.0 should
not be vulnerable to this exploit".

I'm confused, the PC World article said, "The flaw affects both the
recently released Flash Player version 9.0.124.0 and version
9.0.115.0,"

http://www.pcworld.com/businesscenter/article/146343/new_adobe_flaw_being_used_in_attacks_says_symantec.html

Are there or are there not existing security flaws in the 9.0.124.0
version of the player?



Jason Merrill 
Bank of America 
Global Technology & Operations & Global Risk L&LD 
eTools & Multimedia 

Join the Bank of America Flash Platform Developer Community 

Are you a Bank of America associate interested in innovative learning
ideas and technologies?
Check out our internal  GT&O Innovative Learning Blog & subscribe. 



 
___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders



RE: [Flashcoders] Flash Player security hole

2008-05-28 Thread Merrill, Jason
John wrote:

>>this appears to be a known issue, already addressed in 
>>the current Player
>>9.0.124 (and the Astro preview)

Adobe statement also says, "customers with Flash Player 9.0.124.0 should
not be vulnerable to this exploit".

I'm confused, the PC World article said, "The flaw affects both the
recently released Flash Player version 9.0.124.0 and version
9.0.115.0,"

http://www.pcworld.com/businesscenter/article/146343/new_adobe_flaw_being_used_in_attacks_says_symantec.html

Are there or are there not existing security flaws in the 9.0.124.0
version of the player?



Jason Merrill 
Bank of America 
Global Technology & Operations & Global Risk L&LD 
eTools & Multimedia 

Join the Bank of America Flash Platform Developer Community 

Are you a Bank of America associate interested in innovative learning
ideas and technologies?
Check out our internal  GT&O Innovative Learning Blog & subscribe. 



 


Re: [Flashcoders] Flash Player security hole

2008-05-28 Thread John Dowdell

Dave Segal wrote:

Does anyone have more info on this? What is the flaw and what can we do to
protect our users?
http://www.pcworld.com/businesscenter/article/146343/new_adobe_flaw_being_used_in_attacks_says_symantec.html


The Flash Player Security Team had an interim response up yesterday 
(when Symantec's release hit), and a more full response this morning:

http://blogs.adobe.com/psirt

The issue is still being researched, but as the security team says, this 
appears to be a known issue, already addressed in the current Player 
9.0.124 (and the Astro preview). It usually takes a few days to 
completely nail down all variables within a report however, so keep an 
eye on the security blog for best info.


I haven't gone into this issue deeply yet myself, but some press reports 
yesterday said a malformed SWF was hosted on two servers in China, and 
that there were HTML injections into many mainstream websites to refer 
to those two SWF. However, I've read that those two Chinese addresses 
were already taken offline, meaning that the webpage references won't 
resolve, and that this route to trouble has already been effectively 
closed. That's just my understanding, though, and would need first-hand 
confirmation to be sure.


jd




--
John Dowdell . Adobe Developer Support . San Francisco CA USA
Weblog: http://weblogs.macromedia.com/jd
Aggregator: http://weblogs.macromedia.com/mxna
Technotes: http://www.macromedia.com/support/
Spam killed my private email -- public record is best, thanks.


Re: [Flashcoders] Flash Player security hole

2008-05-28 Thread Gerrit Grobbelaar
> No no - you are vulnerable if you *visit* a site that has been hacked.

lol, of course, obviously that too, I wasn't paying attention there for a 
moment.  Good thing you pointed that out :)

Thanks,
Gerrit

> -Original Message-
> From: "Peter B" <[EMAIL PROTECTED]>
> Sent: Wednesday 28 May 2008 11:36
> To: "Flash Coders List" 
> CC: 
> Subject: Re: [Flashcoders] Flash Player security hole
>
>
> > you are only vulnerable if your site is hackable
>
> No no - you are vulnerable if you *visit* a site that has been hacked.
>
> 2008/5/28 Gerrit Grobbelaar <[EMAIL PROTECTED]>:
> > The UPDATE section here:
> > http://www.securityfocus.com/bid/29386/exploit
> >
> > states that website hacks let the pages forward to the malicious Flash
> > files.
> >
> > So unless you haven't compiled a malicious SWF yourself (which I'm not up
> > to speed yet how to do) you are only vulnerable if your site is hackable,
> > forcing code onto your site, e.g. via SQL injection, to redirect to
> > malicious SWF files hosted elsewhere.
> >
> > Thanks,
> > Gerrit
> >
> >> -Original Message-
> >> From: "Bob Wohl" <[EMAIL PROTECTED]>
> >> Sent: Wednesday 28 May 2008 00:22
> >> To: "Flash Coders List" 
> >> CC:
> >> Subject: Re: [Flashcoders] Flash Player security hole
> >>
> >>
> >> egads! My apologies, I quickly skimmed over it and figured it was the
> >> same as last month.
> >>
> >>
> >> B.
> >>
> >> On Tue, May 27, 2008 at 3:09 PM, Merrill, Jason <
> >>
> >> [EMAIL PROTECTED]> wrote:
> >> > >>have them upgrade to 9.0.124.
> >> >
> >> > Bob, the article states,  "the flaw affects both the recently released
> >> > Flash Player version 9.0.124 .0 and version 9.0.115.0"
> >> >
> >> > Jason Merrill
> >> > Bank of America
> >> > Global Technology & Operations & Global Risk L&LD
> >> > eTools & Multimedia
> >> >
> >> > Join the Bank of America Flash Platform Developer Community
> >> >
> >> > Are you a Bank of America associate interested in innovative learning
> >> > ideas and technologies?
> >> > Check out our internal  GT&O Innovative Learning Blog & subscribe.
> >> >
> >> >


Re: [Flashcoders] Flash Player security hole

2008-05-28 Thread Peter B
> you are only vulnerable if your site is hackable

No no - you are vulnerable if you *visit* a site that has been hacked.

2008/5/28 Gerrit Grobbelaar <[EMAIL PROTECTED]>:
> The UPDATE section here:
> http://www.securityfocus.com/bid/29386/exploit
>
> states that website hacks let the pages forward to the malicious Flash files.
>
> So unless you haven't compiled a malicious SWF yourself (which I'm not up to
> speed yet how to do) you are only vulnerable if your site is hackable,
> forcing code onto your site, e.g. via SQL injection, to redirect to malicious
> SWF files hosted elsewhere.
>
> Thanks,
> Gerrit
>
>> -Original Message-
>> From: "Bob Wohl" <[EMAIL PROTECTED]>
>> Sent: Wednesday 28 May 2008 00:22
>> To: "Flash Coders List" 
>> CC:
>> Subject: Re: [Flashcoders] Flash Player security hole
>>
>>
>> egads! My apologies, I quickly skimmed over it and figured it was the same
>> as last month.
>>
>>
>> B.
>>
>> On Tue, May 27, 2008 at 3:09 PM, Merrill, Jason <
>>
>> [EMAIL PROTECTED]> wrote:
>> > >>have them upgrade to 9.0.124.
>> >
>> > Bob, the article states,  "the flaw affects both the recently released
>> > Flash Player version 9.0.124 .0 and version 9.0.115.0"
>> >
>> > Jason Merrill
>> > Bank of America
>> > Global Technology & Operations & Global Risk L&LD
>> > eTools & Multimedia
>> >
>> > Join the Bank of America Flash Platform Developer Community
>> >
>> > Are you a Bank of America associate interested in innovative learning
>> > ideas and technologies?
>> > Check out our internal  GT&O Innovative Learning Blog & subscribe.
>> >
>> >


Re: [Flashcoders] Flash Player security hole

2008-05-28 Thread Gerrit Grobbelaar
The UPDATE section here:
http://www.securityfocus.com/bid/29386/exploit

states that website hacks let the pages forward to the malicious Flash files.

So unless you haven't compiled a malicious SWF yourself (which I'm not up to 
speed yet how to do) you are only vulnerable if your site is hackable, 
forcing code onto your site, e.g. via SQL injection, to redirect to malicious 
SWF files hosted elsewhere.

Thanks,
Gerrit

> -Original Message-
> From: "Bob Wohl" <[EMAIL PROTECTED]>
> Sent: Wednesday 28 May 2008 00:22
> To: "Flash Coders List" 
> CC: 
> Subject: Re: [Flashcoders] Flash Player security hole
>
>
> egads! My apologies, I quickly skimmed over it and figured it was the same
> as last month.
>
>
> B.
>
> On Tue, May 27, 2008 at 3:09 PM, Merrill, Jason <
>
> [EMAIL PROTECTED]> wrote:
> > >>have them upgrade to 9.0.124.
> >
> > Bob, the article states,  "the flaw affects both the recently released
> > Flash Player version 9.0.124 .0 and version 9.0.115.0"
> >
> > Jason Merrill
> > Bank of America
> > Global Technology & Operations & Global Risk L&LD
> > eTools & Multimedia
> >
> > Join the Bank of America Flash Platform Developer Community
> >
> > Are you a Bank of America associate interested in innovative learning
> > ideas and technologies?
> > Check out our internal  GT&O Innovative Learning Blog & subscribe.
> >
> >


Re: [Flashcoders] Flash Player security hole

2008-05-27 Thread Bob Wohl
egads! My apologies, I quickly skimmed over it and figured it was the same
as last month.


B.

On Tue, May 27, 2008 at 3:09 PM, Merrill, Jason <
[EMAIL PROTECTED]> wrote:

> >>have them upgrade to 9.0.124.
>
> Bob, the article states,  "the flaw affects both the recently released
> Flash Player version 9.0.124 .0 and version 9.0.115.0"
>
> Jason Merrill
> Bank of America
> Global Technology & Operations & Global Risk L&LD
> eTools & Multimedia
>
> Join the Bank of America Flash Platform Developer Community
>
> Are you a Bank of America associate interested in innovative learning
> ideas and technologies?
> Check out our internal  GT&O Innovative Learning Blog & subscribe.
>
>


RE: [Flashcoders] Flash Player security hole

2008-05-27 Thread Merrill, Jason
>>have them upgrade to 9.0.124.

Bob, the article states, "the flaw affects both the recently released
Flash Player version 9.0.124.0 and version 9.0.115.0"

Jason Merrill 
Bank of America 
Global Technology & Operations & Global Risk L&LD 
eTools & Multimedia 

Join the Bank of America Flash Platform Developer Community 

Are you a Bank of America associate interested in innovative learning
ideas and technologies?
Check out our internal  GT&O Innovative Learning Blog & subscribe. 

 


Re: [Flashcoders] Flash Player security hole

2008-05-27 Thread Bob Wohl
have them upgrade to 9.0.124.

http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html


B.

On Tue, May 27, 2008 at 2:03 PM, Dave Segal <[EMAIL PROTECTED]> wrote:

> Does anyone have more info on this? What is the flaw and what can we do to
> protect our users?
>
>
>
> http://www.pcworld.com/businesscenter/article/146343/new_adobe_flaw_being_used_in_attacks_says_symantec.html
>


[Flashcoders] Flash Player security hole

2008-05-27 Thread Dave Segal
Does anyone have more info on this? What is the flaw and what can we do to
protect our users?

 

http://www.pcworld.com/businesscenter/article/146343/new_adobe_flaw_being_used_in_attacks_says_symantec.html
