On Sunday 19 March 2006 06:40, David Eisenstein wrote:
> Hi folks,
>
> "There are critical vulnerabilities in Macromedia Flash player and
> related software. Exploitation of these vulnerabilities could allow a
> remote, unauthenticated attacker to execute arbitrary code or cause a
> denial of service on a vulnerable system."
>
> For more detailed info, please see the forwarded message from CERT,
> below.
>
> Although I don't believe that Fedora or Fedora Legacy provides any version
> of Macromedia's Flash Player to our end users (as it's proprietary), end
> users may still decide to download and install this free plugin ... so it
> is good to know about this. I believe Flash is able to be used both with
> Firefox and Mozilla. Perhaps KDE's Konqueror also can use Flash.
> Someone who knows for sure about Konqueror, can you respond on the list
> and let us know?

Hi David. Just to let you know that the latest version of Flashplayer does
work ok in Konqueror, on FC2. I tried it out on Jamie Cameron's Webmin site,
http://www.webmin.com, and the link to his sister Lara Cameron's site, which
requires Flash.

Nigel.

>
> One workaround one can do to not be vulnerable is to disable Flash, at
> least until a secure version can be installed. I use Mozilla-1.7.12.
> What I do to disable flash (and I rarely have it enabled ;)) is:
>
> 1) Shut down your browser and (Mozilla-based) email program, if open.
> 2) Do a "$ find /usr/lib -iname 'libflash*.so'".
> 3) It may find the flash player (possibly named 'libflashplayer.so')
>    under any of these directories:
>      /usr/lib/mozilla/plugins/
>      /usr/lib/mozilla-(version)/plugins
>      /usr/lib/firefox-(version)/plugins
> 4) Wherever it finds the plugin .so (shared-object) file, then (as
>    root) either delete the file, or rename it to something your
>    browser will not find to load. I rename it to
>    'no_libflashplayer.so.txt'.
> 5) At this point, the flash player should be disabled, so when you
>    next start Mozilla and/or Firefox you should be safe from this
>    vulnerability.
>
> I make no warranty that the above suggestions for disabling the flash
> player will work for you. You take the above steps AT YOUR OWN RISK!
>
> If anyone has a better way to suggest disabling the Macromedia Flash
> player, will you please respond to this message with your suggestion(s)?
> Thanks.
>
> For those of you already aware of this, my apologies for the duplication.
>
> Regards,
> David Eisenstein
>
> ---------- Forwarded message ----------
> From: US-CERT Technical Alerts <technical-alerts@xxxxxxxxxxx>
> To: technical-alerts@xxxxxxxxxxx
> Date: Thu, 16 Mar 2006 18:13:56 -0500
> Subject: US-CERT Technical Cyber Security Alert TA06-075A -- Adobe
>          Macromedia Flash Products Multiple Vulnerabilities
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>                     National Cyber Alert System
>
>               Technical Cyber Security Alert TA06-075A
>
> Adobe Macromedia Flash Products Contain Vulnerabilities
>
>    Original release date: March 16, 2006
>    Last revised: --
>    Source: US-CERT
>
> Systems Affected
>
>    Microsoft Windows, Apple Mac OS X, Linux, Solaris, or other operating
>    systems with any of the following Adobe Macromedia products installed:
>      * Flash Player 8.0.22.0 and earlier
>      * Flash Professional 8
>      * Flash Basic
>      * Flash MX 2004
>      * Flash Debug Player 7.0.14.0 and earlier
>      * Flex 1.5
>      * Breeze Meeting Add-In 5.1 and earlier
>      * Adobe Macromedia Shockwave Player 10.1.0.11 and earlier
>
>    For more complete information, refer to Adobe Security Bulletin
>    APSB06-03.
>
> Overview
>
>    There are critical vulnerabilities in Macromedia Flash player and
>    related software. Exploitation of these vulnerabilities could allow a
>    remote, unauthenticated attacker to execute arbitrary code or cause a
>    denial of service on a vulnerable system.
>
> I. Description
>
>    Adobe Security Bulletin APSB06-03 addresses vulnerabilities in
>    Macromedia Flash Player and related software. Further information is
>    available in the following US-CERT Vulnerability Note:
>
>    VU#945060 - Adobe Macromedia Flash products contain multiple
>    vulnerabilities
>
>    Several vulnerabilities in Adobe Macromedia Flash products may allow a
>    remote attacker to execute arbitrary code on a vulnerable system.
>    (CVE-2006-0024)
>
>    Several operating systems, including Microsoft Windows (see Microsoft
>    Security Advisory 916208), have vulnerable versions of Flash installed
>    by default. Systems with Flash-enabled web browsers are vulnerable. An
>    attacker could host a specially crafted Flash file on a web site and
>    convince a user to visit the site.
>
> II. Impact
>
>    A remote, unauthenticated attacker could execute arbitrary code with
>    the privileges of the user. If the user is logged on with
>    administrative privileges, the attacker could take complete control of
>    an affected system. An attacker may also be able to cause a denial of
>    service.
>
> III. Solution
>
> Apply Updates
>
>    Adobe has provided the updates for these vulnerabilities in APSB06-03.
>
> Disable Flash
>
>    Please see Microsoft Security Advisory 916208 for instructions on how
>    to disable Flash on Microsoft Windows. For other operating systems and
>    web browsers, please contact the appropriate vendor.
>
> Appendix A. References
>
>    * Macromedia - APSB06-03: Flash Player Update to Address Security
>      Vulnerabilities -
>      <http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html>
>
>    * US-CERT Vulnerability Note VU#945060 -
>      <http://www.kb.cert.org/vuls/id/945060>
>
>    * CVE-2006-0024 -
>      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024>
>
>    * Microsoft Security Advisory (916208) -
>      <http://www.microsoft.com/technet/security/advisory/916208.mspx>
>
> ____________________________________________________________________
>
>    The most recent version of this document can be found at:
>
>      <http://www.us-cert.gov/cas/techalerts/TA06-075A.html>
> ____________________________________________________________________
>
>    Feedback can be directed to US-CERT Technical Staff. Please send
>    email to <cert@xxxxxxxx> with "TA06-075A Feedback VU#945060" in the
>    subject.
> ____________________________________________________________________
>
>    For instructions on subscribing to or unsubscribing from this
>    mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
> ____________________________________________________________________
>
>    Produced 2006 by US-CERT, a government organization.
>
>    Terms of use:
>
>      <http://www.us-cert.gov/legal.html>
> ____________________________________________________________________
>
> Revision History
>
>    Mar 16, 2006: Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> -----END PGP SIGNATURE-----
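The find-and-rename workaround from David's quoted message, written up as a reversible POSIX sh helper. This is an added example, not code from the thread; the function names, the FLASH_ROOT variable and the firefox-bin/mozilla-bin process names are assumptions, and the search root is a parameter so the helper can be exercised against a scratch directory before being pointed at /usr/lib as root.

```shell
#!/bin/sh
# Added example (not from the original thread): the find-and-rename
# workaround as a reversible helper. Search root is a parameter so it can
# be tried on a scratch directory; run as root with /usr/lib for real.

# Print every Flash plugin shared object below $1, one path per line.
list_flash_plugins() {
    find "$1" -type f -iname 'libflash*.so' 2>/dev/null
}

# Rename each plugin to no_<name>.txt so the browser's plugin scanner
# no longer loads it. Returns 1 when nothing was found, 0 otherwise.
disable_flash_plugins() {
    root="$1"
    files=$(list_flash_plugins "$root")
    if [ -z "$files" ]; then
        echo "no Flash plugin found under $root" >&2
        return 1
    fi
    # Split on newlines only; plugin paths here contain no spaces.
    oldifs=$IFS; IFS='
'
    for f in $files; do
        dir=$(dirname "$f"); base=$(basename "$f")
        mv -- "$f" "$dir/no_$base.txt" && echo "disabled $f"
    done
    IFS=$oldifs
    return 0
}

# Undo: put every no_<name>.txt back once a fixed plugin is available.
restore_flash_plugins() {
    oldifs=$IFS; IFS='
'
    for f in $(find "$1" -type f -iname 'no_libflash*.so.txt' 2>/dev/null); do
        dir=$(dirname "$f"); base=$(basename "$f")
        orig=${base#no_}; orig=${orig%.txt}
        mv -- "$f" "$dir/$orig" && echo "restored $dir/$orig"
    done
    IFS=$oldifs
}

# Act only when a root is given explicitly: FLASH_ROOT=/usr/lib sh disable-flash.sh
# (firefox-bin/mozilla-bin are assumed process names for 2006-era builds).
if [ -n "${FLASH_ROOT:-}" ]; then
    if pgrep -x firefox-bin >/dev/null 2>&1 || pgrep -x mozilla-bin >/dev/null 2>&1; then
        echo "close Mozilla/Firefox first (step 1 of the workaround)" >&2; exit 2
    fi
    disable_flash_plugins "$FLASH_ROOT"
fi
```

The running-browser check matters because a renamed or deleted .so that is already mapped into a live browser process stays loaded until that browser exits.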