Critical Vulnerability Fixed in Adobe Flash Player

NormCameron

Recently, Adobe released a patch, which fixes multiple vulnerabilities for Adobe Flash Player.

Since Adobe Flash Player is used in enterprise environments and some of the reported vulnerabilities may allow code execution, my Binary Analysis team has spent some time analysing the patch in order to properly understand the fixed vulnerabilities.

In the advisory from Adobe, two vulnerabilities are listed as potential code execution vulnerabilities. For the first vulnerability (CVE-2009-0520), it is stated that a buffer overflow "could potentially allow an attacker to execute arbitrary code". For the second vulnerability (CVE-2009-0519), it is stated that an input validation error "leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible".

It turns out that at least one of them is quite nasty and does indeed allow remote code execution in a very reliable manner.

Due to the limited publicly available information, we cannot be certain whether the vulnerability analysed is CVE-2009-0520, CVE-2009-0519, or even a third, silently fixed vulnerability.

However, we are certain that the vulnerability is related to how callback functions are handled and may result in data in arbitrary memory being treated as an object. Secunia has furthermore developed a reliable, fully-working exploit (available to customers on the Secunia Binary Analysis service) that allows execution of arbitrary code as soon as a user views a malicious web page.

That a vulnerability, which is so reliable and simple to exploit, exists in Adobe Flash Player is especially disturbing when looking at how many users are not running the latest version.

In our 2008 Report, we conclude that Adobe Flash Player is one of the applications that users often neglect to keep fully updated. According to results from our Secunia Software Inspector solutions, almost half of the installations (48 percent) running Adobe Flash Player 9.x were not running the latest version.

It is quite plausible that we may start seeing attacks exploiting this vulnerability in the near future. We therefore strongly recommend users to ensure that they have updated to the latest version of Adobe Flash Player. If you are a home-user and unsure if your system is properly patched, then our PSI solution can help you answer this question (companies can obtain our commercial version by contacting our sales department).

Similarly, security vendors and large enterprises creating their own custom IDS/IPS signatures can obtain detailed information about the vulnerability via our Binary Analysis service to ensure that their security products are able to detect exploit attempts.

Critical Vulnerability Fixed in Adobe Flash Player - Blog - new entry! - Secunia.com

Norm
 
