Published:2010/11/09 Last Updated:2010/11/09
JVN#48425028
Flash Player access restriction bypass vulnerability
Overview
Flash Player contains an access restriction bypass vulnerability.
Products Affected
- Adobe Flash Player 10.1.85.3 and earlier for Windows, Macintosh, Linux, and Solaris
- Adobe Flash Player 10.1.95.1 for Android
Description
When Flash Player references a different website than the site where Flash contents are hosted, the referenced site must be allowed access by the cross-domain policy file.
Flash Player contains a vulnerability where access restrictions set by the cross-domain policy file may be bypassed.
Impact
Cross-domain policy restrictions can be bypassed by using a specially crafted web page. This could result in unauthorized access to website data.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Adobe | Security update available for Adobe Flash Player (APSB10-26) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2010.11.09
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | can be attacked over the Internet using packets |
|
| Authentication | anonymous or no authentication (IP addresses do not count) |
|
| User Interaction Required | the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file |
|
| Exploit Complexity | some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) |
|
Credit
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2010-3636 |
| JVN iPedia |
JVNDB-2010-000054 |