Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0249 -- [Win][UNIX/Linux]
Adobe Security Bulletins - March 2008
13 March 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ColdFusion MX 7
ColdFusion 8
Adobe Form Designer 5.0
Adobe Advanced Form Client 5.0
LiveCycle Workflow 6.2
Adobe Reader 8.1.2 for Unix
Flash Player
Publisher: Adobe
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact: Execute Arbitrary Code/Commands
Increased Privileges
Modify Arbitrary Files
Delete Arbitrary Files
Cross-site Scripting
Reduced Security
Access: Remote/Unauthenticated
CVE Names: CVE-2007-6637 CVE-2007-6253 CVE-2007-6243
CVE-2007-5275 CVE-2007-4324 CVE-2008-0643
CVE-2008-0644 CVE-2008-0883 CVE-2008-1202
CVE-2008-1203
Ref: ESB-2008.0007
Revision History: March 13 2008: Added additional CVEs
March 12 2008: Updated to include CVE for privilege
escalation issue in Adobe Reader 8.1.2
for Unix
March 12 2008: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- --------------------------------------------------------------
Adobe Security Bulletins:
- - Update available for potential ColdFusion MX 7 and
ColdFusion 8 Cross Site Scripting security issue
- - Update available for ColdFusion MX 7 and ColdFusion 8
Cross-Site Scripting issue
- - Update available for ColdFusion MX 7 and ColdFusion 8
logs invalid admin interface log-in attempts
- - Update available to resolve critical vulnerabilities in
Adobe Form Designer 5.0 and Adobe Advanced Form Client 5.0
Components
- - Update available for potential LiveCycle Workflow 6.2
Cross Site Scripting security issue
Adobe Security Advisory:
- - Privilege escalation issue in Adobe Reader 8.1.2 for Unix
Adobe Customer Advisory:
- - Upcoming Flash Player Update: Mitigating Potential Impact
on SWF Content
- --------------------------------------------------------------
APSB08-06 - Update available for potential ColdFusion MX 7
and ColdFusion 8 Cross Site Scripting security issue
Originally posted: March 11, 2008
Summary:
A potential vulnerability in ColdFusion MX7 and ColdFusion
8 could allow an attacker to execute cross-site scripting
attack. This issue is specific to ColdFusion and Windows
IIS 6 installations.
Severity Rating:
Adobe categorizes this update as important
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl
Adobe recommends that users apply this update to their
installations. Learn more:
http://direct.adobe.com/r?xJPJcTvEPcTcEcHHqJcHn
- --------------------------------------------------------------
APSB08-07 - Update available for ColdFusion MX 7 and
ColdFusion 8 Cross-Site Scripting issue
Originally posted: March 11, 2008
Summary:
A vulnerability in ColdFusion 8 and ColdFusion MX 7 could
allow an attacker to bypass ColdFusion's cross-site
scripting protection for certain ColdFusion applications.
Only ColdFusion applications where the Application.cfm or
Application.cfc contains the setEncoding function would
be vulnerable to this attack.
Severity Rating:
Adobe categorizes this update as important
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl
Adobe recommends that users apply this update to their
installations. Learn more:
http://direct.adobe.com/r?xJPJcTvEPcTJEcHHqJcHT
- --------------------------------------------------------------
APSB08-08 - Update available for ColdFusion MX 7 and
ColdFusion 8 logs invalid admin interface log-in attempts
Originally posted: March 11, 2008
Summary:
A design error in ColdFusion 8 and ColdFusion MX 7 could
make it more likely that an attacker could attempt to log
in to the admin interface undetected since failed log-in
attempts were not previously logged.
Severity Rating:
Adobe categorizes this update as moderate
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl
Adobe recommends that users apply this update to their
installations. Learn more:
http://direct.adobe.com/r?xJPJcTvEPcTlEcHHqJcHv
- --------------------------------------------------------------
APSB08-09 - Update available to resolve critical
vulnerabilities in Adobe Form Designer 5.0 and Adobe Form
Client 5.0 Components
Originally posted: March 11, 2008
Summary:
Critical vulnerabilities have been identified in Form
Designer 5.0 and Form Client 5.0 that could allow an
attacker who successfully exploits these vulnerabilities
to take control of the affected system. A malicious html
file must be loaded in the web browser by the end user for
an attacker to exploit these vulnerabilities. It is
recommended users update their installations using the
instructions below.
Severity Rating:
Adobe categorizes this update as critical
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl
Adobe recommends that users apply this update to their
installations. Learn more:
http://direct.adobe.com/r?xJPJcTvEPcTPEcHHqJcHW
- --------------------------------------------------------------
APSB08-10 - Update available for potential LiveCycle
Workflow 6.2 Cross Site Scripting security issue
Originally posted: March 11, 2008
Summary:
A potential vulnerability in LiveCycle Workflow 6.2 could
allow an attacker to execute a cross-site scripting attack.
Severity Rating:
Adobe categorizes this update as important
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl
Adobe recommends that users apply this update to their
installations. Learn more:
http://direct.adobe.com/r?xJPJcTvEPcTnEcHHqJcHq
- --------------------------------------------------------------
APSA08-02 - Privilege escalation issue in Adobe Reader 8.1.2
for Unix
Originally posted: March 11, 2008
Adobe is aware of a recently published report of a privilege
escalation issue in AdobeReader 8.1.2 for Unix. The launcher
script for Adobe Reader 8.1.2 for Unix couldpotentially
allow a malicious local user to escalate their privileges
and potentially modify or delete arbitrary files.
Severity Rating:
Adobe categorizes these issues as moderate
http://direct.adobe.com/r?xJPJcTvEPcPcEcHHqJcHl
Adobe recommends that users apply the relevant updates to
their installations. Learn more:
http://direct.adobe.com/r?xJPJcTvEPcTTEcHHqJccH
- --------------------------------------------------------------
Customer Advisory - Upcoming Flash Player Update: Mitigating
Potential Impact on SWF Content
Adobe is planning to release a security update to Flash
Player in April 2008 that will provide further mitigations
for previously disclosed issues.
Adobe is giving advanced notice to our customers as these
security enhancements may impact existing SWF content for
some customers. Adobe recommends customers using SWF
content on their websites review the upcoming Flash Player
updates as described in the following Adobe Developer
Connection article to determine if their content will be
impacted, and to begin implementing necessary changes
immediately to help ensure a seamless transition:
http://direct.adobe.com/r?xJPJcTvEPcTvEcHHqJccc
The upcoming Flash Player update will provide further
mitigations for DNS Rebinding (CVE-2007-5275), cross-
domain policy file (CVE-2007-6243), and port-scanning
(CVE-2007-4324) issues listed in Security Bulletin
APSB07-20 (originally posted on December 18, 2007) and the
cross-site scripting issues (CVE-2007-6637) listed in
Security Advisory APSA07-06 (originally posted on December
23, 2007).
- --------------------------------------------------------------
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS, OR FIXES
PROVIDED BY ADOBE IN THIS BULLETIN ARE PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. ADOBE AND ITS SUPPLIERS
DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR
OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO
WARRANTY OF NON-INFRINGEMENT, TITLE, OR QUIET ENJOYMENT.
(USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF
IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY
TO YOU. IN NO EVENT SHALL ADOBE, INC. OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT
LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS
INTERRUPTION, OR THE LIKE, OR LOSS OF BUSINESS DAMAGES,
BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF
CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE),
PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADOBE, INC. OR ITS
SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES
DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION
OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE
OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.
Adobe reserves the right, from time to time, to update
the information in this document with current information.
- --------------------------------------------------------------
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR9ii5yh9+71yA2DNAQK1rgP8DKCXZNM0aczIu58OWSlB31uimX9EHTa1
Sz5h4VXvd2tiE/SRhL35h0g2ldqnXUf4BcIRbx2u3DKZEqewhK4mNBMzqN/AAvmp
7TyIDXZnKJN/4spJh29zb+8WDzZ9mhS4NclZgGSte8ygOhzPf4rXEc4jZg0dGDf9
d8E5ExCQjxU=
=m3Wj
-----END PGP SIGNATURE-----