[NT] Adobe/Macromedia Flash Player Code Execution (Action Script)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Adobe/Macromedia Flash Player Code Execution (Action Script)
------------------------------------------------------------------------


SUMMARY

Adobe/Macromedia Flash Player is "the world's most ubiquitous Browser
plug-in for Microsoft, Mozilla and Apple technologies. The plug-in claims
to facilitate high-impact web interfaces and interactive online
advertising for circa 98% of desktops globally".

Unfortunately, it transpires that Adobe Flash Player is prone to a remote
arbitrary code execution vulnerability, that allows an attacker to gain
control of a target system through the simple invocation of a maliciously
constructed web page.

DETAILS

Vulnerable Systems:
* Adobe Flash Player 8.0.24.0 and earlier versions
* Adobe Flash Professional 8, Flash Basic
* Adobe Flash MX 2004
* Adobe Flex 1.5

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3311>
CVE-2006-3311

The vulnerability originates out of Flash's failure to sufficiently handle
large dynamically generated strings at run time. As a result, it is
possible (using rudimentary Action Script) to create a .swf movie in such
a way that when processed by the Plug-in, will overwrite system memory at
an explicit location.

More specifically, the aforementioned location can (with a certain degree
of accuracy) be attacker controlled via the direct manipulation of the
overall length of the generated string.

The net result is that of a partially controllable condition, which opens
the door to a multitude of differing exploitation vectors, including but
not limited to heap/stack overwrites, and/or 3rd party race conditions.

Vendor response:
The vendor security bulletin and corresponding patches are available at
the following location: <http://www.adobe.com/go/apsb06-11/>
http://www.adobe.com/go/apsb06-11/

Disclosure Timeline:
12/05/2006 - Preliminary Vendor notification.
18/05/2006 - Vulnerability confirmed in pre-release Flash 9, and earlier
versions
28/06/2006 - Flash Player 9 released (Fixed)
31/07/2006 - Public Disclosure deferred by Vendor.
12/09/2006 - Coordinated public release.

Total Time to Fix: 4 months (123 days)


ADDITIONAL INFORMATION

The information has been provided by Stuart Pearson.
The original article can be found at:
<http://www.computerterrorism.com/research/ct12-09-2006.htm>
http://www.computerterrorism.com/research/ct12-09-2006.htm



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages