Security Advisory : CT12-09-2006

Adobe/Macromedia Flash Player - Remote Code Execution
 

Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch
CVE Reference: CVE-2006-3311
Advisory Date: 12th September 2006
   

Affected Software:

Adobe Flash Player 8.0.24.0 and earlier versions
Adobe Flash Professional 8, Flash Basic
Adobe Flash MX 2004
Adobe Flex 1.5
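The following JavaScript is an added example, not part of the original advisory, for deciding whether a Flash Player version reported by a browser falls inside the affected range listed above ("8.0.24.0 and earlier"). It assumes the two version formats Flash Player exposes to a web page, the Netscape-style plug-in description ("Shockwave Flash 8.0 r24") and the ActiveX GetVariable("$version") string ("WIN 8,0,24,0"); the sample strings and the function names are ours, and the "8.0.99.0" sample is a hypothetical later build used only to show the upper bound.

```javascript
// Added example (not from the advisory): classify a Flash Player version
// string against the affected range "8.0.24.0 and earlier" (APSB06-11).
// Handles the two formats a page can read from the player:
//   - Netscape-style plug-in description: "Shockwave Flash 8.0 r24"
//   - ActiveX GetVariable("$version"):     "WIN 8,0,24,0"
// All sample strings below are constructed for illustration.

const LAST_VULNERABLE = [8, 0, 24, 0]; // last affected build per the advisory

// Parse either format into [major, minor, build, patch]; null if unrecognised.
function parseFlashVersion(s) {
  if (typeof s !== "string") return null;
  let m = s.match(/^Shockwave Flash\s+(\d+)\.(\d+)(?:\s+r(\d+))?/);
  if (m) return [Number(m[1]), Number(m[2]), Number(m[3] || 0), 0];
  m = s.match(/^[A-Z]+\s+(\d+),(\d+),(\d+),(\d+)$/);
  if (m) return m.slice(1, 5).map(Number);
  return null;
}

// Component-wise comparison of two version arrays: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> version is 8.0.24.0 or earlier (affected)
// false -> later than 8.0.24.0 (outside the advisory's affected range)
// null  -> string not recognised; treat as unknown, not as safe
function isAffected(versionString) {
  const v = parseFlashVersion(versionString);
  if (v === null) return null;
  return compareVersions(v, LAST_VULNERABLE) <= 0;
}

// In a browser the check can be driven from navigator.plugins; outside a
// browser (e.g. under node) this returns null and the samples below are used.
function detectInstalledVersion() {
  if (typeof navigator === "undefined" || !navigator.plugins) return null;
  const p = navigator.plugins["Shockwave Flash"];
  return p ? p.description : null;
}

const samples = [
  "Shockwave Flash 8.0 r24", // last affected build, plug-in form
  "WIN 8,0,24,0",            // same build, ActiveX form
  "Shockwave Flash 7.0 r63", // earlier release, also affected
  "Shockwave Flash 9.0 r16", // Flash Player 9: fixed
  "WIN 8,0,99,0",            // hypothetical later 8.x build: outside the range
  "garbage",                 // unrecognised
];
const installed = detectInstalledVersion();
for (const s of installed ? [installed] : samples) {
  console.log(s, "->", isAffected(s));
}
```

An unrecognised string yields null rather than false so that an audit script does not silently mark an unknown build as safe.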



1. OVERVIEW

Adobe/Macromedia Flash Player is the most widely deployed browser plug-in for
Microsoft, Mozilla and Apple platforms. The vendor claims that it enables
high-impact web interfaces and interactive online advertising on roughly 98%
of desktops worldwide.

Unfortunately, Adobe Flash Player is prone to a remote arbitrary code
execution vulnerability that allows an attacker to gain control of a target
system simply by having the victim load a maliciously constructed web page.
 

2. TECHNICAL NARRATIVE

The vulnerability stems from Flash Player's failure to safely handle large,
dynamically generated strings at run time. As a result, a .swf movie built
with rudimentary ActionScript can, when processed by the plug-in, overwrite
process memory at an explicit location.

More specifically, that location can be chosen by the attacker (with a
certain degree of accuracy) by directly manipulating the overall length of
the generated string.

The net result is a partially controlled memory write, which opens the door
to a number of different exploitation vectors, including but not limited to
heap or stack overwrites and race conditions involving third-party code.
 

3. EXPLOITATION

Computer Terrorism (UK) has produced, but not released, a reliable
multi-platform, multi-browser, web-based proof of concept (PoC). Such an
exploit could be used in a web-based attack in which unsuspecting users are
lured to a maliciously constructed website.
 

4. VENDOR RESPONSE

The vendor security bulletin and corresponding patches are available at the
following location:

http://www.adobe.com/go/apsb06-11/

 

5. DISCLOSURE ANALYSIS

12/05/2006 - Preliminary Vendor notification.
18/05/2006 - Vulnerability confirmed in pre-release Flash 9, and earlier versions
28/06/2006 - Flash Player 9 released (Fixed)
31/07/2006 - Public Disclosure deferred by Vendor.
12/09/2006 - Coordinated public release.

Total time from vendor notification to coordinated public release: 4 months
(123 days). The fixed Flash Player 9 shipped 47 days after notification.


6. CREDIT

The vulnerability was discovered by Stuart Pearson


Computer Terrorism (UK) :: Incident Response Centre.




 
