
Security Bulletin

APSB06-03 Flash Player Update to Address Security Vulnerabilities

Originally posted: March 14, 2006

CVE Identifier

CVE-2006-0024

Summary

Critical vulnerabilities have been identified in Flash Player that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these vulnerabilities. Users are advised to update to the most current version of Flash Player available for their platform.

Solution

Adobe recommends all Flash Player 8.0.22.0 and earlier users upgrade to the new version 8.0.24.0, which can be downloaded from the Player Download Center. For customers that cannot upgrade to Flash Player 8, please refer to the Flash Player 7 update TechNote.

Adobe provides a free license for redistributing Flash Player on company intranets, or with software products or services. For more information and to apply for a license, use the online application.

May 9, 2006 Update

For Windows users who currently have Flash Player 6.0.79 or earlier installed on Microsoft Windows XP Service Pack 1, Windows XP Service Pack 2, Windows 98, Windows 98 SE, or Windows Millennium Edition, Microsoft is providing an updated Flash Player 6 (6.0.84.0) through Windows Update. For more information, see Microsoft Security Bulletin MS06-020.

If you are unable to follow Adobe’s guidance or cannot move to a more recent version of Flash Player, please contact the Adobe Security Team at PSIRT@adobe.com for guidance around this update.

Adobe recommends Breeze customers upgrade to Breeze Meeting Add-In version 5.1 SP1, which can be downloaded via the following links:

Shockwave Player includes the Flash Asset Xtra. Adobe recommends Shockwave Player customers upgrade to Shockwave Player 10.1.1, which updates the Flash Asset Xtra version number to 8.0.24.0.

Affected Software Versions

Flash Player versions 8.0.22.0 and earlier

To verify the Flash Player version number, access the About Flash Player page, or right-click on Flash content and select About Macromedia Flash Player from the menu. If you use multiple browsers, perform the check and the installation for each browser.

Breeze Meeting Add-In Version 5.1 and earlier

To verify the Breeze Meeting Add-In version number, enter a meeting room and select Help>About Breeze Meeting.

Shockwave Player version 10.1.0.11 and earlier

To verify the Shockwave Player version number, access the Test Shockwave Player page.

Flash Debug Player version 7.0.14.0 and earlier

To verify the Flash Player version number, access the About Flash Player page, or right-click on Flash content and select About Macromedia Flash Player from the menu. If you use multiple browsers, perform the check and the installation for each browser.

Severity Rating

Adobe categorizes this as a critical update and recommends affected users update to Flash Player 8.0.24.0.

Details

Flash Player 8 update (8.0.24.0) and Flash Player 7 update (7.0.63.0) address security vulnerabilities in previous versions of Flash Player, which could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player. Updated versions of Flash Player 7 for Linux and Solaris, which contain fixes for these vulnerabilities, are also available from the Adobe Player Download Center.

| Affected Software | Recommended Player Update | Availability |
| --- | --- | --- |
| Flash Player 8.0.22.0 and earlier | 8.0.24.0 or 7.0.63.0 | Player Download Center |
| Flash Player 8.0.22.0 and earlier - network distribution | 8.0.24.0 or 7.0.63.0 | Player Licensing |
| Flash Professional 8, Flash Basic | 8.0.24.0 | Flash Player 8 Update for Flash Basic 8 and Flash Professional 8 |
| Flash MX 2004 | 7.0.63.0 | Flash Player 7 Update for Flash MX 2004 and Flash MX Professional 2004 |
| Flex 1.5 | 8.0.24.0 | Flash Debug Player Updater |
| Breeze Meeting Add-In | 7.0.55.331 (Win), 7.0.55.118 (Mac) | Breeze Downloads Page |
| Shockwave Player | 10.1.1 | Shockwave Player Download Center |
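
An added example (not part of Adobe's bulletin): a Python check that classifies inventoried Flash Player versions against the build numbers listed above, comparing them numerically because a text comparison ranks 8.0.9.0 after 8.0.24.0. The function names, result labels, accepted input formats and sample inventory are assumptions made for the illustration, and it covers Flash Player only, not Breeze, Shockwave or the Debug Player.

```python
# Added example, not Adobe's code. Build numbers are copied from this
# bulletin; the inventory rows at the bottom are constructed.
FIXED_BY_BRANCH = {            # first updated build named for each branch
    6: (6, 0, 84, 0),          # via Windows Update (May 9, 2006 update)
    7: (7, 0, 63, 0),
    8: (8, 0, 24, 0),
}
LAST_AFFECTED = (8, 0, 22, 0)  # "8.0.22.0 and earlier"


def parse_version(text):
    """Turn '8.0.22.0', '8,0,22,0' or 'WIN 8,0,22,0' into a tuple of four ints."""
    tokens = text.split()
    parts = tokens[-1].replace(",", ".").split(".") if tokens else []
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def classify(text):
    """Return 'update', 'ok' or 'not-covered' for one Flash Player version."""
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[0])
    if fixed is not None:
        # Assumption: any build below the branch's updated build needs the
        # update, including 8.0.23.x, which the bulletin does not mention.
        return "ok" if version >= fixed else "update"
    if version <= LAST_AFFECTED:
        return "update"        # pre-6 players: affected, no updated build listed
    return "not-covered"       # newer than anything this bulletin names


def hosts_to_update(inventory):
    """inventory: iterable of (host, version string) -> sorted hosts needing action."""
    return sorted(host for host, ver in inventory if classify(ver) == "update")


SAMPLE_INVENTORY = [           # constructed rows
    ("ws-01", "8.0.22.0"),
    ("ws-02", "WIN 8,0,24,0"),
    ("ws-03", "8.0.9.0"),      # as text this sorts after "8.0.24.0"
    ("ws-04", "7.0.63.0"),
    ("ws-05", "6.0.79.0"),
]

if __name__ == "__main__":
    print(hosts_to_update(SAMPLE_INVENTORY))
```
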


Acknowledgements

Adobe would like to thank Microsoft for reporting these vulnerabilities and for working with us to help protect our customers' security.

Revisions

May 9, 2006 — Bulletin updated.
March 14, 2006 — Bulletin first created.

Reporting Security Issues

Adobe is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Adobe product, please send an email to PSIRT@adobe.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins

When Adobe becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Adobe customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.

For additional information on security issues at Adobe, please visit: http://www.macromedia.com/security.

ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY ADOBE IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ADOBE AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.

IN NO EVENT SHALL ADOBE, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADOBE, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.

Adobe reserves the right, from time to time, to update the information in this document with current information.