-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

     ESB-2008.0249 -- [Win][UNIX/Linux] Adobe Security Bulletins - March 2008
                              13 March 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              ColdFusion MX 7
                      ColdFusion 8
                      Adobe Form Designer 5.0
                      Adobe Advanced Form Client 5.0
                      LiveCycle Workflow 6.2
                      Adobe Reader 8.1.2 for Unix
                      Flash Player
Publisher:            Adobe
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
                      Increased Privileges
                      Modify Arbitrary Files
                      Delete Arbitrary Files
                      Cross-site Scripting
                      Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-6637 CVE-2007-6253 CVE-2007-6243
                      CVE-2007-5275 CVE-2007-4324 CVE-2008-0643
                      CVE-2008-0644 CVE-2008-0883 CVE-2008-1202
                      CVE-2008-1203
Ref:                  ESB-2008.0007

Revision History:     March 13 2008: Added additional CVEs
                      March 12 2008: Updated to include CVE for privilege
                                     escalation issue in Adobe Reader 8.1.2
                                     for Unix
                      March 12 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- --------------------------------------------------------------
Adobe Security Bulletins:

- - Update available for potential ColdFusion MX 7 and ColdFusion 8
    Cross Site Scripting security issue
- - Update available for ColdFusion MX 7 and ColdFusion 8 Cross-Site
    Scripting issue
- - Update available for ColdFusion MX 7 and ColdFusion 8 logs invalid
    admin interface log-in attempts
- - Update available to resolve critical vulnerabilities in Adobe Form
    Designer 5.0 and Adobe Advanced Form Client 5.0 Components
- - Update available for potential LiveCycle Workflow 6.2 Cross Site
    Scripting security issue

Adobe Security Advisory:

- - Privilege escalation issue in Adobe Reader 8.1.2 for Unix

Adobe Customer Advisory:

- - Upcoming Flash Player Update: Mitigating Potential Impact on SWF Content

- --------------------------------------------------------------
APSB08-06 - Update available for potential ColdFusion MX 7 and
ColdFusion 8 Cross Site Scripting security issue

Originally posted: March 11, 2008

Summary: A potential vulnerability in ColdFusion MX7 and ColdFusion 8
could allow an attacker to execute a cross-site scripting attack. This
issue is specific to ColdFusion and Windows IIS 6 installations.

Severity Rating: Adobe categorizes this update as important
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl

Adobe recommends that users apply this update to their installations.

Learn more: http://direct.adobe.com/r?xJPJcTvEPcTcEcHHqJcHn

- --------------------------------------------------------------
APSB08-07 - Update available for ColdFusion MX 7 and ColdFusion 8
Cross-Site Scripting issue

Originally posted: March 11, 2008

Summary: A vulnerability in ColdFusion 8 and ColdFusion MX 7 could allow
an attacker to bypass ColdFusion's cross-site scripting protection for
certain ColdFusion applications. Only ColdFusion applications where the
Application.cfm or Application.cfc contains the setEncoding function
would be vulnerable to this attack.

Severity Rating: Adobe categorizes this update as important
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl

Adobe recommends that users apply this update to their installations.

Learn more: http://direct.adobe.com/r?xJPJcTvEPcTJEcHHqJcHT

- --------------------------------------------------------------
APSB08-08 - Update available for ColdFusion MX 7 and ColdFusion 8 logs
invalid admin interface log-in attempts

Originally posted: March 11, 2008

Summary: A design error in ColdFusion 8 and ColdFusion MX 7 could make
it more likely that an attacker could attempt to log in to the admin
interface undetected, since failed log-in attempts were not previously
logged.

Severity Rating: Adobe categorizes this update as moderate
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl

Adobe recommends that users apply this update to their installations.

Learn more: http://direct.adobe.com/r?xJPJcTvEPcTlEcHHqJcHv

- --------------------------------------------------------------
APSB08-09 - Update available to resolve critical vulnerabilities in
Adobe Form Designer 5.0 and Adobe Form Client 5.0 Components

Originally posted: March 11, 2008

Summary: Critical vulnerabilities have been identified in Form Designer
5.0 and Form Client 5.0 that could allow an attacker who successfully
exploits these vulnerabilities to take control of the affected system. A
malicious HTML file must be loaded in the web browser by the end user
for an attacker to exploit these vulnerabilities. It is recommended
users update their installations using the instructions below.

Severity Rating: Adobe categorizes this update as critical
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl

Adobe recommends that users apply this update to their installations.

Learn more: http://direct.adobe.com/r?xJPJcTvEPcTPEcHHqJcHW

- --------------------------------------------------------------
APSB08-10 - Update available for potential LiveCycle Workflow 6.2 Cross
Site Scripting security issue

Originally posted: March 11, 2008

Summary: A potential vulnerability in LiveCycle Workflow 6.2 could allow
an attacker to execute a cross-site scripting attack.

Severity Rating: Adobe categorizes this update as important
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl

Adobe recommends that users apply this update to their installations.

Learn more: http://direct.adobe.com/r?xJPJcTvEPcTnEcHHqJcHq

- --------------------------------------------------------------
APSA08-02 - Privilege escalation issue in Adobe Reader 8.1.2 for Unix

Originally posted: March 11, 2008

Adobe is aware of a recently published report of a privilege escalation
issue in Adobe Reader 8.1.2 for Unix. The launcher script for Adobe
Reader 8.1.2 for Unix could potentially allow a malicious local user to
escalate their privileges and potentially modify or delete arbitrary
files.

Severity Rating: Adobe categorizes these issues as moderate
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl

Adobe recommends that users apply the relevant updates to their
installations.

Learn more: http://direct.adobe.com/r?xJPJcTvEPcTTEcHHqJccH

- --------------------------------------------------------------
Customer Advisory - Upcoming Flash Player Update: Mitigating Potential
Impact on SWF Content

Adobe is planning to release a security update to Flash Player in April
2008 that will provide further mitigations for previously disclosed
issues. Adobe is giving advance notice to our customers as these
security enhancements may impact existing SWF content for some
customers. Adobe recommends customers using SWF content on their
websites review the upcoming Flash Player updates as described in the
following Adobe Developer Connection article to determine if their
content will be impacted, and to begin implementing necessary changes
immediately to help ensure a seamless transition:
http://direct.adobe.com/r?xJPJcTvEPcTvEcHHqJccc

The upcoming Flash Player update will provide further mitigations for
DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243),
and port-scanning (CVE-2007-4324) issues listed in Security Bulletin
APSB07-20 (originally posted on December 18, 2007) and the cross-site
scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06
(originally posted on December 23, 2007).

- --------------------------------------------------------------
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS, OR FIXES PROVIDED BY
ADOBE IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY
KIND. ADOBE AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS
OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF
NON-INFRINGEMENT, TITLE, OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO
NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION
MAY NOT APPLY TO YOU. IN NO EVENT SHALL ADOBE, INC. OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF
PROFITS, BUSINESS INTERRUPTION, OR THE LIKE, OR LOSS OF BUSINESS
DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT,
BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR
OTHERWISE, EVEN IF ADOBE, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR
LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS
THAT VARY FROM STATE TO STATE.

Adobe reserves the right, from time to time, to update the information
in this document with current information.

- --------------------------------------------------------------

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need
further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or
attacked in any way, we encourage you to let us know by completing the
secure National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR9ii5yh9+71yA2DNAQK1rgP8DKCXZNM0aczIu58OWSlB31uimX9EHTa1
Sz5h4VXvd2tiE/SRhL35h0g2ldqnXUf4BcIRbx2u3DKZEqewhK4mNBMzqN/AAvmp
7TyIDXZnKJN/4spJh29zb+8WDzZ9mhS4NclZgGSte8ygOhzPf4rXEc4jZg0dGDf9
d8E5ExCQjxU=
=m3Wj
-----END PGP SIGNATURE-----