   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2008-149
Adobe Flash Player Clipboard Security Vulnerability

Original Issue Date: October 03, 2008
Updated: October 17, 2008

Severity Rating: High

Systems Affected

  • Adobe Flash Player prior to version 10

Overview

A vulnerability has been reported in Adobe Flash Player, which could allow attackers to inject arbitrary content into a user's clipboard.

Description

A flaw in Adobe Flash Player could allow remote attackers to inject arbitrary content into a user's clipboard. The issue arises because ActionScript can set data on the system clipboard at any time. Using the System.setClipboard() method, an attacker can populate the clipboard with a URL that is difficult to delete.

An exploit for this vulnerability has been reported.
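
A triage check for collected SWF files, added here as an example (it is not part of the CERT-In note or any Adobe code): it reports whether a movie's body contains the name setClipboard. It assumes the standard SWF header (FWS, or CWS with a zlib stream from offset 8); the function names, the size cap and the sample buffers are constructed for illustration.

```python
import struct
import zlib

NEEDLE = b"setClipboard"      # method name as it appears in ActionScript string tables
MAX_BODY = 64 * 1024 * 1024   # hard cap on inflated size (assumed limit for triage)


def swf_body(data: bytes) -> bytes:
    """Return the bytes after the 8-byte SWF header, inflating CWS files."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    signature = data[:3]
    if signature == b"FWS":                      # uncompressed movie
        return data[8:]
    if signature == b"CWS":                      # zlib stream starts at offset 8
        declared = struct.unpack("<I", data[4:8])[0]
        limit = min(max(declared, 8), MAX_BODY)  # never trust the length field alone
        try:
            return zlib.decompressobj().decompress(data[8:], limit)
        except zlib.error as exc:
            raise ValueError(f"corrupt CWS body: {exc}") from exc
    raise ValueError("not an FWS/CWS file")


def references_set_clipboard(data: bytes) -> bool:
    """Heuristic: True if the movie body contains the setClipboard name.

    A hit means the movie can call the method (legitimate copy buttons do too);
    a miss is not proof of absence if the name is built at run time.
    """
    return NEEDLE in swf_body(data)


def make_sample(body: bytes, compressed: bool) -> bytes:
    """Constructed SWF-like buffer (valid header, placeholder body) for the demo."""
    header = (b"CWS" if compressed else b"FWS") + bytes([9])
    header += struct.pack("<I", 8 + len(body))   # length of the uncompressed file
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    samples = {
        "copy_button.swf": make_sample(b"\x00System\x00setClipboard\x00", True),
        "banner.swf": make_sample(b"\x00gotoAndPlay\x00", False),
    }
    for name, blob in samples.items():
        print(name, "references setClipboard:", references_set_clipboard(blob))
```
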

Workaround

This issue is addressed in Adobe Flash Player 10 beta:
http://www.adobe.com/go/DLFXP

Solution

Update to version 10.0.12.36

http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash

http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash&P2_Platform=Linux



Vendor Information

Adobe
http://labs.adobe.com/downloads/flashplayer10.html
http://www.adobe.com/support/security/bulletins/apsb08-18.html

References

PSIRT
http://blogs.adobe.com/psirt/2008/09/clipboard_attack_update.html

Security Focus
http://www.securityfocus.com/bid/31117

Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln31117.html

CVE Name
CVE-2008-3873

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003