Adobe plans to release a new security update for Flash Player on 9 April 2008. The update is intended to fix the issues listed in the December 2007 Security Bulletin APSB07-20 for DNS rebinding and cross-domain policy file vulnerabilities, and in Security Advisory APSA07-06 for cross-site scripting vulnerabilities in SWFs.
Some of the notable changes:
- the socket policy XML file introduced in Flash Player 9,0,115,0 is now mandatory
- HTTP policy files will no longer permit socket access
These changes stem from the need for better DNS hardening: they ensure that ActionScript cannot be used as a means for a DNS rebinding attack (as referenced in Security Bulletin APSB07-20) that could result in an unauthorized socket connection.
The whole bulletin with all the updates is located here.
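The following Python example is added here and is not from the original post or from Adobe. It shows the request and response a socket policy file server has to handle, and audits a policy for wildcard grants before it is deployed. The sample policy, its host name and port, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Request Flash Player sends over the socket before connecting (NUL-terminated).
POLICY_REQUEST = b"<policy-file-request/>\x00"

# Constructed sample policy: one narrow rule and one over-broad rule.
SAMPLE_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="app.example.com" to-ports="5222"/>
  <allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>"""


def policy_response(request: bytes, policy: bytes) -> Optional[bytes]:
    """Answer a policy request with the NUL-terminated policy; ignore anything else."""
    if request != POLICY_REQUEST:
        return None
    return policy + b"\x00"


def audit_policy(policy: bytes) -> List[str]:
    """Return findings for rules that grant socket access too broadly.

    Parse only policy files you administer; ElementTree is not hardened
    against hostile XML.
    """
    root = ET.fromstring(policy)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        ports = rule.get("to-ports", "")
        if domain == "*":
            findings.append("any domain may connect (ports: %s)" % ports)
        if ports == "*":
            findings.append("all ports exposed to domain %s" % domain)
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```

Running the audit on the sample policy reports the second rule twice, once for the wildcard domain and once for the wildcard port list.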
Tags: Flash, player, Security
This post was written by Virgil Cristea