
Security for All

Sûnnet Beskerming is a company with a focus and a drive to provide Information Security services for all those who want to stay safe and secure in an online world.


Flash - Remote hacker automatic control

Version: All
Technical Details:

Several issues affecting Flash Player that can lead to arbitrary code execution have been disclosed. The most serious is an input validation bug in the player that can lead to arbitrary code execution when a malicious Flash file is loaded.

It has also been disclosed that it is possible to use Flash in the development and execution of extended XSS-style and CSRF attacks.

Description:

Several serious issues have been identified and patched in the Adobe Flash Player and supporting products. An attacker who successfully exploits these vulnerabilities will be able to take control of vulnerable systems. To take over a system, the attacker must convince the victim to interact with a malicious Flash document.

Mitigation:

Update to the latest Flash Player as soon as possible. Alternatively, disable support for the Flash Player until patches can be applied.

Updates:

http://www.adobe.com/go/getflash

Source:

http://www.adobe.com/support/security/bulletins/apsb07-12.html
http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html

Exploits:

External Tracking Data:

CVE-ID: CVE-2007-2022
CVE-ID: CVE-2007-3456
CVE-ID: CVE-2007-3457

