[Full-disclosure] Computer Terrorism (UK) :: Incident Response Centre - Adobe/Macromedia Flash Player Vulnerability

From: "CTUK :: Incident Response Centre" <advisories@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 12 Sep 2006 21:07:32 +0100

Computer Terrorism (UK) :: Incident Response Centre

www.computerterrorism.com

Security Advisory: CT12-09-2006

============================================
Adobe/Macromedia Flash Player - Remote Code Execution
============================================

Advisory Date: 12th, September 2006

Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch

CVE Reference: CVE-2006-3311

Affected Software
=================

Adobe Flash Player 8.0.24.0 and earlier versions
Adobe Flash Professional 8, Flash Basic
Adobe Flash MX 2004
Adobe Flex 1.5

Note: All OS Platforms are vulnerable

1. OVERVIEW
===========

Adobe/Macromedia Flash Player is the world's most ubiquitous Browser plug-in for Microsoft, Mozilla and Apple technologies. The plug-in claims to facilitate
high-impact web interfaces and interactive online advertising for circa 98% of desktops globally.

Unfortunately, it transpires that Adobe Flash Player is prone to a remote arbitrary code execution vulnerability, that allows an attacker to gain control of a target system through the simple invocation of a maliciously constructed web page.

2. TECHNICAL NARRATIVE
======================

The vulnerability originates out of Flash's failure to sufficiently handle large dynamically generated strings at run time. As a result, it is possible (using rudimentary Action Script) to create a .swf movie in such a way that when processed by the Plug-in, will overwrite system memory at an explicit location.

More specifically, the aforementioned location can (with a certain degree of accuracy) be attacker controlled via the direct manipulation of the overall length of the generated string.

The net result is that of a partially controllable condition, which opens the door to a multitude of differing exploitation vectors, including but not limited to heap/stack overwrites, and/or 3rd party race conditions.

3. EXPLOITATION
===============

Computer Terrorism (UK) can confirm the un-disclosed production of a reliable multi-platform & multi-browser Web based Proof-Of-Concept (PoC). Such an
exploit could be used in a web-based attack scenario, where unsuspecting users are lured to a maliciously constructed website.

Users that have not already done so are strongly advised to upgrade to the latest version of Flash Player or apply the appropriate fix for their particular version.

4. VENDOR RESPONSE
==================

The vendor security bulletin and corresponding patches are available at the
following location:

http://www.adobe.com/go/apsb06-11/

5. DISCLOSURE ANALYSIS
======================

12/05/2006 Preliminary Vendor notification.
18/05/2006 Vulnerability confirmed in pre-release Flash 9, and earlier versions
28/06/2006 Flash Player 9 released (Fixed)
31/07/2006 Public Disclosure Deferred by Vendor.
12/09/2006 Coordinated public release.

Total Time to Fix: 4 months (123 days)

6. CREDIT
=========

The vulnerability was discovered by Stuart Pearson of Computer Terrorism

===================
About Computer Terrorism
===================

Computer Terrorism (UK) Ltd is a global provider of Digital Risk Intelligence services. Our unique approach to vulnerability risk assessment and mitigation has helped protect some of the worlds most at risk organisations.

Headquartered in London, Computer Terrorism has representation throughout Europe & North America and can be reached at +44 (0) 870 250 9866 or email:-

sales [at] computerterrorism.com

To learn more about our services and to register for a FREE comprehensive website penetration test, visit: http:/www.computerterrorism.com

Computer Terrorism (UK) :: Protection for a vulnerable world.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Computer Terrorism (UK) :: Incident Response Centre - Microsoft Publisher Font Parsing Vulnerability
Next by Date: RE: [Full-disclosure] Session Token Remains Valid After Logout in IBM Lotus Domino Web Access
Previous by thread: [Full-disclosure] Computer Terrorism (UK) :: Incident Response Centre - Microsoft Publisher Font Parsing Vulnerability
Next by thread: [Full-disclosure] [EEYEB-20080824] Internet Explorer Compressed Content URL Heap Overflow Vulnerability #2
Index(es):
- Date
- Thread

Relevant Pages

Computer Terrorism (UK) :: Incident Response Centre - Adobe/Macromedia Flash Player Vulnerabilit
... Adobe/Macromedia Flash Player - Remote Code Execution ... Adobe Flash Professional 8, Flash Basic ... The vulnerability originates out of Flash's failure to sufficiently handle ... Computer Terrorism can confirm the un-disclosed production of a reliable ...
(Bugtraq)
[NT] Internet Explorer Bundled Flash Player Code Execution (MS06-020)
... Internet Explorer Bundled Flash Player Code Execution ... Microsoft Internet Explorer 6 by default. ... A remote code execution vulnerability exists in Macromedia Flash Player ... Applications and Web sites that require the Flash ...
(Securiteam)
Re: bought a used computer
... I installed the Adobe flash player 9 and it shows ... Go back to the control panel> add/remove programs and uninstall Adobe Flash ... Than use the uninstaller tool from Adobe ...
(microsoft.public.windowsxp.newusers)
Re: Internet Explorer 7 Flash Player
... try uninstalling Macromedia Flash Player with Adobe Flash ... "Common Adobe Flash Player install issues ". ...
(microsoft.public.windows.inetexplorer.ie6.browser)
Re: Cant play videos
... When I go to "view objects", there is no Adobe Flash Active X entry listed. ... In my control panel, "add remove programs", Adobe Flash Player Active X is ... There is a flash entry named "uninstall activeX ...
(microsoft.public.windowsxp.general)