Multiple Vulnerabilities in Adobe Flash Player and Adobe AIR

 

Systems Affected



Adobe Flash Player 14.0.0.125 and earlier versions for Windows
Adobe Flash Player 14.0.0.125 and earlier versions for Macintosh
Adobe Flash Player 11.2.202.378 and earlier versions for Linux
Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions
Adobe AIR 14.0.0.110 SDK and earlier versions
Adobe AIR 14.0.0.110 and earlier versions for Android
Adobe AIR versions 14.0.0.110 and prior for SDK and Compiler, and Android
Adobe Flash Player 14.0.0.125 and earlier for Chrome (Windows, Macintosh and Linux)
Adobe Flash Player 14.0.0.125 and earlier in Internet Explorer 10 for Windows 8.0
Adobe Flash Player 14.0.0.125 and earlier in Internet Explorer 11 for Windows 8.1

Threat Level


High


Overview


Multiple vulnerabilities have been reported in Adobe Flash Player and Adobe AIR which could allow an unauthenticated remote attacker to conduct a cross-site request forgery (CSRF) attack or bypass security restrictions to gain access to sensitive information on a targeted system.


Description


1. Cross-Site Request Forgery Attack Vulnerability (CVE-2014-4671)
A CSRF vulnerability exists due to unspecified vectors in Adobe Flash Player and Adobe AIR. A remote attacker could exploit this vulnerability by creating a specially crafted, all-alphanumeric SWF file and having it processed via the target's JSONP callback API. Successful exploitation of this vulnerability could allow an attacker to bypass same-origin policy security restrictions and initiate arbitrary requests to the target domain, leading to the transfer of data to the remote user.

2. Security Bypass Vulnerability (CVE-2014-0537, CVE-2014-0539)
These vulnerabilities exist due to unspecified errors in Adobe Flash Player and Adobe AIR. A remote attacker could exploit these vulnerabilities by enticing a user to load specially crafted Flash content. Successful exploitation of these vulnerabilities could allow an attacker to bypass security restrictions and gain access to sensitive information.
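
For the JSONP vector described under CVE-2014-4671 above, the following is an added example (not part of this advisory or of Adobe's bulletin) of how a JSONP endpoint can refuse to reflect an SWF-shaped callback and avoid starting its response with client-controlled bytes. The function names, the 64-character limit and the chosen response headers are assumptions of this example.

```python
import re

# SWF file signatures: uncompressed, zlib-compressed and LZMA-compressed.
SWF_MAGIC = ("FWS", "CWS", "ZWS")
# Dotted JavaScript identifiers only. An all-alphanumeric SWF still matches
# this pattern, so a character check alone is not sufficient.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64  # assumed limit; real callback names are short


def check_callback(name):
    """Return (ok, reason) for a client-supplied JSONP callback name."""
    if not name or len(name) > MAX_CALLBACK_LEN:
        return False, "length"
    if name[:3] in SWF_MAGIC:
        return False, "swf-signature"
    if not CALLBACK_RE.match(name):
        return False, "charset"
    return True, "ok"


def jsonp_response(callback, json_body):
    """Build (status, headers, body) for a JSONP reply."""
    ok, reason = check_callback(callback)
    if not ok:
        headers = {"Content-Type": "text/plain; charset=utf-8"}
        return 400, headers, "invalid callback: " + reason
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="f.txt"',
    }
    # The leading comment guarantees the body never begins with the
    # reflected callback, so it cannot begin with an SWF signature.
    body = "/**/" + callback + "(" + json_body + ");"
    return 200, headers, body


if __name__ == "__main__":
    # Constructed inputs: a normal callback, then an alphanumeric string
    # shaped like an SWF header (placeholder bytes, not a real file).
    for cb in ("handleData", "CWS" + "A" * 200, "CWSMIKI0"):
        print(cb[:20], check_callback(cb))
    print(jsonp_response("handleData", '{"user": "alice"}')[2])
```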


Impact



Solution/Workarounds


Apply the appropriate patches as mentioned in Adobe Security Bulletin APSB14-17.


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on an "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.