Security Advisory : CT12-09-2006
Adobe/Macromedia Flash Player -
Remote Code Execution
Player 18.104.22.168 and earlier versions
Adobe Flash Professional 8, Flash Basic
Adobe Flash MX 2004
Adobe Flex 1.5
Adobe/Macromedia Flash Player is the world's most ubiquitous browser plug-in
for Microsoft, Mozilla and Apple technologies. The plug-in claims to
high-impact web interfaces and interactive online advertising for circa 98%
Unfortunately, it transpires that Adobe Flash Player is prone to a remote
arbitrary code execution vulnerability that allows an attacker to gain
control of a target system simply by having the victim open a maliciously
constructed web page.
2. TECHNICAL NARRATIVE
The vulnerability originates from Flash's failure to adequately handle
large dynamically generated strings at run time. As a result, it is possible
(using rudimentary ActionScript) to create a .swf movie that, when processed
by the plug-in, will overwrite system memory at an explicit
More specifically, the aforementioned location can (with a certain degree of
accuracy) be attacker-controlled via direct manipulation of the overall
length of the generated string.
The net result is a partially controllable memory-corruption condition, which
opens the door to a multitude of differing exploitation vectors, including but
not limited to heap/stack overwrites and/or third-party race conditions.
Computer Terrorism (UK) can confirm the undisclosed production of a
multi-platform and multi-browser web-based Proof-of-Concept (PoC). Such an
exploit could be used in a web-based attack scenario, where unsuspecting
users are lured to a maliciously constructed website.
4. VENDOR RESPONSE
The vendor security bulletin and corresponding patches are available at the
5. DISCLOSURE ANALYSIS
12/05/2006 - Preliminary Vendor
18/05/2006 - Vulnerability confirmed in pre-release Flash 9, and earlier
28/06/2006 - Flash Player 9 released (Fixed)
31/07/2006 - Public Disclosure deferred by Vendor.
12/09/2006 - Coordinated public release.
Total Time to Fix: 4 months (123 days)
The vulnerability was discovered by Stuart Pearson,
Computer Terrorism (UK) :: Incident Response Centre.