ID: 3620
Date: 28/05/2008
Title: 3620 - Adobe Flash player code execution vulnerability UPDATED
Platform level affected: Net Application - Client
Specific operating systems components affected: 32-bit Windows
Net-enabled software: Enterprise Application
Other software: Web Browser
Remediation Summary: Update your copy of the software with the download available from the supplier.
Vendors affected: Adobe
Applications affected: Adobe Flash player
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: User Interaction
Warning Status: Active
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Future
Type of fix: Patch
Source: US-CERT
Reliability of source: Trusted
Source URL: http://www.kb.cert.org/vuls/id/395473
Abstract: Description of a vulnerability in Adobe Flash Player that may allow an attacker to run code on a vulnerable system. There are reports that this vulnerability is being actively exploited.
US-CERT Vulnerability Note VU#395473
Adobe Flash player code execution vulnerability
29/5/08 Additional CSIRT comment:
Update from Adobe PSIRT at http://blogs.adobe.com/psirt/2008/05/
Here is an update on our progress investigating the recent reports of a potential Flash Player exploit in the wild. The exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071). This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere - customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit. We are still looking into the exploit files, and will update everyone with further information as we get it, but for now, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0.
UPDATE: We have just gotten confirmation from Symantec that all versions of Flash Player 9.0.124.0 are not vulnerable to these exploits. Again, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0. To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select About Adobe (or Macromedia) Flash Player from the menu. Customers using multiple browsers are advised to perform the check for each browser installed on their system and update if necessary.
Thanks to Symantec for working very closely with us over the last 2 days to confirm that this is not a zero-day issue, and to Mark Dowd and wushi for originally reporting this issue.
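The per-browser version check described in the update above, as an added example (not code from Adobe, US-CERT or CSIRTUK): it parses reported Flash Player version strings and lists every browser install older than 9.0.124.0. The three string formats handled, the hostnames and the inventory rows are constructed assumptions about how an inventory might report the version.

```python
import re

# Fixed release named in the Adobe PSIRT update above.
FIXED = (9, 0, 124, 0)

# "9.0.124.0", "9,0,124,0", "WIN 9,0,124,0" (four numeric fields)
_FOUR_PART = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")
# "Shockwave Flash 9.0 r124" (plugin description: major.minor rBUILD)
_PLUGIN_DESC = re.compile(r"(\d+)\.(\d+)\s+r(\d+)")


def parse_flash_version(text):
    """Return a 4-tuple of ints, or None if no version can be recognised."""
    m = _FOUR_PART.search(text)
    if m:
        return tuple(int(g) for g in m.groups())
    m = _PLUGIN_DESC.search(text)
    if m:
        major, minor, build = (int(g) for g in m.groups())
        return (major, minor, build, 0)
    return None


def needs_update(text):
    """True if the version is older than FIXED or cannot be parsed (fail closed).
    Compares integer tuples: as strings, "9.0.47.0" sorts after "9.0.124.0"."""
    version = parse_flash_version(text)
    return version is None or version < FIXED


def audit(inventory):
    """inventory: iterable of (host, browser, reported_version) rows.
    Returns the rows that still need the update, one per browser install."""
    return [(h, b, v) for h, b, v in inventory if needs_update(v)]


# Constructed sample inventory (hostnames and values are illustrative only).
SAMPLE = [
    ("ws-001", "Internet Explorer", "WIN 9,0,115,0"),
    ("ws-001", "Firefox", "Shockwave Flash 9.0 r124"),
    ("ws-002", "Internet Explorer", "9.0.124.0"),
    ("ws-002", "Firefox", "9.0.47.0"),
    ("ws-003", "Opera", "unknown"),
    ("ws-004", "Firefox", "10,0,12,36"),
]

if __name__ == "__main__":
    for host, browser, reported in audit(SAMPLE):
        print(f"{host}\t{browser}\t{reported}\tUPDATE REQUIRED")
```

Each browser on a host appears as its own row, so a machine with one updated and one outdated plugin is still reported.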
**************** Original content *********************
Overview
Adobe Flash contains a vulnerability that may allow an attacker to run code
on a vulnerable system. There are reports that this vulnerability is being
actively exploited.
I. Description
The Adobe Flash Player is a player for the Flash media format and enables
frame-based animations and multimedia to be viewed within a web browser.
Adobe Flash Player contains a code execution vulnerability. An attacker may
be able to trigger this overflow by convincing a user to open a specially
crafted SWF file. The SWF file could be hosted or embedded in a web page.
If an attacker can take control of a web site or web server, this
vulnerability may be exploited by trusted sites.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary code.
III. Solution
We are currently unaware of a solution to this problem.
Workarounds for administrators
* Ensure that security updates are applied to software running on the server.
* Reverse proxy servers and web application firewalls may be able to detect and block some attacks.
* Administrators and web developers should confirm that third parties (such as ad providers) hosting content on their domain are not acting as attack vectors for this vulnerability.
Workarounds for users
* Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts and access installed plugins may prevent this vulnerability from being exploited. Note that NoScript is not likely to stop all attack vectors for this vulnerability; see the NoScript FAQ for more information.
Systems Affected
Vendor    Status        Date Updated
Adobe     Vulnerable    27-May-2008
References
http://isc.sans.org/diary.html?storyid=4465
http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue.html
http://www.securityfocus.com/bid/29386
http://noscript.net/
http://www.stopbadware.org/home/security
http://www.owasp.org/index.php/Web_Application_Firewall
http://ddanchev.blogspot.com/2008/05/malware-attack-exploiting-flash-zero.html
Credit
Thanks to SANS for information that was used in this report.
This document was written by Ryan Giobbi.
Other Information
Date Public 05/27/2008
Date First Published 05/27/2008 06:20:57 PM
Date Last Updated 05/27/2008
CERT Advisory
CVE Name
US-CERT Technical Alerts
Metric 65.81
Document Revision 18
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Thu, 29 May 2008 11:51:00 GMT
Domain affected: Technical