[ISN] Vast security risk from Flash hole
InfoSec News
isn at c4i.org
Tue Nov 8 03:16:28 EST 2005
http://www.techworld.com/security/news/index.cfm?NewsID=4740
By Matthew Broersma
Techworld
07 November 2005
Macromedia has warned of a critical bug in its Flash Player - one of
the most widely used pieces of software on the desktop - that could
allow attackers to take over a system.
eEye, the security research firm co-credited with discovering the bug,
said it had demonstrated "reliable exploitation" using the bug in the
Internet Explorer browser, but other browsers are also said to be just
as open to attack. Macromedia also credited Sec Consult with the
discovery.
The flaw affects all Windows versions of Flash Player 6.x and Flash
Player 7.0.19.0 and earlier, but has already been addressed in Flash
Player 8 (8.0.22.0), according to eEye. Macromedia recommended
upgrading to Flash Player 8 but also released an update to Flash
Player 7 fixing the bug. Flash Player 8 isn't supported by older
operating systems such as Windows 95 and Windows NT.
The bug is due to missing validation of the frame type identifier read
from a SWF file, which could be used to force the player to use
attacker-supplied values as function pointers, according to eEye.
Exploitation via a malicious SWF file could allow an attacker to
execute malicious code with the same privileges as the user running
Flash Player.
"There was a problem with bounds validation for indexes of certain
arrays in Flash Player 7 and earlier, leaving open the possibility
that a third party could inject unauthorised code that would have been
executed by Flash Player," Macromedia said in its advisory.
Secunia, which operates a vulnerabilities database, gave the bug a
"highly critical" rating. As of Monday morning, Secunia said the flaw
had been confirmed using Opera and Internet Explorer browsers.
More information about the ISN
mailing list