|
Security Advisory : CT12-09-2006
Adobe/Macromedia Flash Player -
Remote Code Execution
| Severity: |
Critical
|
| Impact: |
Remote System
Access |
| Solution Status: |
Vendor Patch |
| CVE
Reference:
|
CVE-2006-3311 |
|
Advisory Date: |
12th September
2006 |
| |
|
|
Affected Software: |
Adobe Flash
Player 8.0.24.0 and earlier versions
Adobe Flash Professional 8, Flash Basic
Adobe Flash MX 2004
Adobe Flex 1.5 |
1. OVERVIEW
Adobe/Macromedia Flash Player is the world's most ubiquitous Browser plug-in
for Microsoft, Mozilla and Apple technologies. The plug-in claims to
facilitate
high-impact web interfaces and interactive online advertising for circa 98%
of
desktops globally.
Unfortunately, it transpires that Adobe Flash Player is prone to a remote
arbitrary code execution vulnerability, that allows an attacker to gain
control of a target system through the simple invocation of a maliciously
constructed web page.
2. TECHNICAL NARRATIVE
The vulnerability originates out of Flash's failure to sufficiently handle
large dynamically generated strings at run time. As a result, it is possible
(using rudimentary Action Script) to create a .swf movie in such a way that
when processed by the Plug-in, will overwrite system memory at an explicit
location.
More specifically, the aforementioned location can (with a certain degree of
accuracy) be attacker controlled via the direct manipulation of the overall
length of the generated string.
The net result is that of a partially controllable condition, which opens
the
door to a multitude of differing exploitation vectors, including but not
limited to heap/stack overwrites, and/or 3rd party race conditions.
3. EXPLOITATION
Computer Terrorism (UK) can confirm the un-disclosed production of a
reliable
multi-platform & multi-browser Web based Proof-Of-Concept (PoC). Such an
exploit could be used in a web-based attack scenario, where unsuspecting
users are lured to a maliciously constructed website.
4. VENDOR RESPONSE
The vendor security bulletin and corresponding patches are available at the
following location:
http://www.adobe.com/go/apsb06-11/
5. DISCLOSURE ANALYSIS
12/05/2006 - Preliminary Vendor
notification.
18/05/2006 - Vulnerability confirmed in pre-release Flash 9, and earlier
versions
28/06/2006 - Flash Player 9 released (Fixed)
31/07/2006 - Public Disclosure deferred by Vendor.
12/09/2006 - Coordinated public release.
Total Time to Fix: 4 months (123 days)
6. CREDIT
The vulnerability was discovered
by Stuart Pearson
Computer Terrorism (UK) :: Incident Response Centre.
Home |
Contact Us |
Services |
News |
