CERT-In Advisory
CIAD-2008-0061
Multiple Vulnerabilities in Adobe Flash player
Original Issue Date: November 18, 2008
Updated: December 22, 2008
Severity Rating: High
Systems Affected
- Adobe Flex 3.0
- Adobe Flash CS4 Professional
- Adobe Flash Player 9.0.124.0 and prior versions
Overview
Multiple vulnerabilities have been reported in Adobe Flash Player that could allow a remote attacker to bypass Flash Player security controls.
Description
1. Cross-site scripting (XSS) vulnerability (CVE-2008-4818)
This vulnerability is caused by improper processing of HTTP response headers in Adobe Flash Player. A remote attacker can exploit it by tricking an unsuspecting victim into following a malicious URI. Successful exploitation could allow a remote attacker to execute arbitrary script code and thereby access the target user's cookies, including authentication cookies, and data recently submitted by the target user to the site via a web form.
2. DNS rebinding vulnerability (CVE-2008-4819)
This vulnerability is caused by an unspecified flaw in Adobe Flash Player. It can be exploited by a remote attacker who creates a specially crafted Flash file that is loaded by the target user. Successful exploitation could allow a remote attacker to conduct DNS rebinding attacks against the target system.
3. ActiveX control information disclosure vulnerability (CVE-2008-4820)
This vulnerability is caused by an error in interpreting an unspecified ActionScript attribute in Adobe Flash Player. It can be exploited by a remote attacker who creates specially crafted HTML code that is loaded by the target user. Successful exploitation could allow a remote attacker to disclose sensitive information.
4. 'jar:' URL processing vulnerability (CVE-2008-4821)
This vulnerability is caused by improper interpretation of jar: URLs by Adobe Flash Player in Mozilla browsers. It can be exploited by a remote attacker who creates a specially crafted URL that is loaded by the user. Successful exploitation could allow a remote attacker to disclose sensitive information from the target user's system.
5. Domain policy security bypass vulnerability (CVE-2008-4822)
This vulnerability is caused by an error when interpreting policy files in Adobe Flash Player. A remote attacker can exploit it by creating a specially crafted Flash file that is loaded by the target user. Successful exploitation could allow a remote attacker to bypass a non-root domain policy.
6. Input validation vulnerability (CVE-2008-4823)
This vulnerability is caused by an input validation error in Adobe Flash Player. A remote attacker can exploit it with a specially crafted Flash ActionScript attribute that is loaded by the target user. Successful exploitation could allow a remote attacker to execute arbitrary HTML code.
7. Remote code execution vulnerability (CVE-2008-4824)
Multiple unspecified vulnerabilities have been reported in Adobe Flash Player that could allow remote attackers to execute arbitrary code via unknown vectors related to input validation errors.
8. Adobe Flash FileReference API vulnerability (CVE-2008-4401)
A vulnerability has been reported in Adobe Flash Player that could allow a remote attacker to execute arbitrary code on the target system. A specially crafted Flash file, when loaded by the target user, invokes the FileReference.browse or FileReference.download operation of the FileReference upload and download API respectively. This could allow a remote attacker to create a browse dialog box and execute arbitrary code in the context of the logged-in user on the target system.
9. Information disclosure/denial of service/code execution vulnerability (CVE-2008-5361)
This vulnerability in Adobe Flash Player could lead to denial of service, information disclosure or code execution while parsing a malicious SWF file. It is caused when ActionRecord (ActionScript 2.0) types (DefineConstantPool, ActionJump, ActionPush, ActionTry), as well as several other Action Record types, fail to verify the size of their member elements.
10. Input acceptance vulnerability (CVE-2008-5362)
The DefineConstantPool action in Adobe Flash Player accepts untrusted input values for a "constant count", which could allow remote attackers to read sensitive information from process memory by convincing the target user to open a specially crafted PDF file.
11. Improper character element validation vulnerability (CVE-2008-5363)
Adobe Flash Player does not validate character elements during retrieval from the dictionary data structure, which could allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) by convincing the target user to open a specially crafted PDF file.
12. AS3 socket handling vulnerability (CVE-2007-4324)
A design flaw exists in the ActionScript 3 socket handling module. Because of this flaw, compiled Flash movies running on a vulnerable Flash Player are able to scan for open TCP ports on any host reachable from the host running the SWF file, bypassing the Flash Player security sandbox model and without the need for DNS rebinding. AS3 introduced a new socket-related event, SecurityErrorEvent, which is thrown immediately when Flash Player tries to connect to a closed TCP port. If a service is listening on that port, Flash Player writes a request string and waits for a response from the service. No TCP service will respond to this request, so if no SecurityErrorEvent is received within 2 seconds the port is most likely open.
13. Cross-domain and cross-site scripting vulnerability (CVE-2007-6243)
This vulnerability in Adobe Flash Player is caused by insufficient restriction of the interpretation and usage of cross-domain policy files. Successful exploitation could allow a remote attacker to conduct cross-domain and cross-site scripting attacks.
14. Remote security vulnerability (CVE-2008-5499)
A vulnerability has been reported in Adobe Flash Player that could allow a remote attacker to execute arbitrary code on the target system with the privileges of the currently logged-in user. Remote attackers could exploit it by convincing the target user to open a specially crafted SWF file.
Solution
Upgrade Adobe Flash Player 10.0.12.36, 9.0.151.0 and earlier to Adobe Flash Player 10.0.15.3 or newer from the Adobe Flash Player download center.
Workaround
- Disable ActionScript socket functionality
- Add the following line to mms.cfg: DisableSockets=1
- Remove the SecurityErrorEvent
- Make SecurityErrorEvent behave the same for open and closed ports
- Disable Flash or allow Flash only from trusted sites
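As an added check for the Solution and Workaround sections above (example code, not CERT-In's or Adobe's), the script below compares a Flash Player version string against the fixed 10.0.15.3 release and parses an mms.cfg for the DisableSockets=1 line; how the version string and the mms.cfg text are retrieved from a host is assumed and left to the reader.

```python
# Added example (not CERT-In's or Adobe's code): audit helper for the Solution and
# Workaround sections above. It checks whether a Flash Player version string is below
# the fixed 10.0.15.3 release and whether mms.cfg carries DisableSockets=1. How the
# version string and mms.cfg text are obtained on a host is assumed and not shown.

FIXED_VERSION = (10, 0, 15, 3)  # "Upgrade ... to 10.0.15.3 or newer"

def parse_version(version: str) -> tuple:
    """'9.0.124.0' or '10,0,12,36' -> comparable 4-tuple (Adobe prints both forms).
    Missing trailing components count as 0; anything non-numeric is rejected."""
    parts = [int(p) for p in version.replace(",", ".").strip().split(".") if p]
    if not parts or len(parts) > 4:
        raise ValueError(f"unrecognised Flash Player version: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def needs_upgrade(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION

def parse_mms_cfg(text: str) -> dict:
    """Parse key=value lines of an mms.cfg; skips blanks and '#' comments,
    lower-cases keys, and lets the last occurrence of a key win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def sockets_disabled(mms_cfg_text: str) -> bool:
    """True when the DisableSockets=1 workaround is present."""
    return parse_mms_cfg(mms_cfg_text).get("disablesockets") == "1"

def audit(version: str, mms_cfg_text: str) -> list:
    """Advisory findings that still apply to a host with this version and mms.cfg."""
    findings = []
    if needs_upgrade(version):
        findings.append(f"Flash Player {version} is below 10.0.15.3: upgrade")
    if not sockets_disabled(mms_cfg_text):
        findings.append("mms.cfg lacks DisableSockets=1: socket workaround not applied")
    return findings

# Constructed sample mms.cfg (not from a real host) showing the audit on an old player.
SAMPLE_CFG = "# mms.cfg\nAutoUpdateDisable=0\nDisableSockets = 1\n"
print("\n".join(audit("9.0.124.0", SAMPLE_CFG)))
```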
Vendor Information
Adobe
http://www.adobe.com/support/security/bulletins/apsb08-24.html
http://www.adobe.com/support/security/bulletins/apsb08-20.html
http://www.adobe.com/support/security/bulletins/apsb08-22.html
http://www.adobe.com/support/security/bulletins/apsb08-18.html
References
Secunia
http://secunia.com/advisories/32270/
SecurityFocus
http://www.securityfocus.com/bid/32129/info
http://www.securityfocus.com/bid/25260/info
http://www.securityfocus.com/archive/1/archive/1/475961/100/0/threaded
Red Hat
https://rhn.redhat.com/errata/RHSA-2008-1047.html
Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln32129.html
SecurityTracker
http://securitytracker.com/alerts/2008/Nov/1021149.html
http://securitytracker.com/alerts/2008/Nov/1021150.html
http://securitytracker.com/alerts/2008/Nov/1021148.html
http://securitytracker.com/alerts/2008/Nov/1021147.html
http://securitytracker.com/alerts/2008/Nov/1021061.html
http://securitytracker.com/alerts/2008/Dec/1021458.html
SecuriTeam
http://www.securiteam.com/cves/2007/CVE-2007-4324.html
Security Database
http://www.security-database.com/detail.php?alert=CVE-2008-4818
iSEC Partners
http://www.isecpartners.com/advisories/2008-01-flash.txt
CVE Name
CVE-2008-4818
CVE-2008-4819
CVE-2008-4820
CVE-2008-4821
CVE-2008-4822
CVE-2008-4823
CVE-2008-4824
CVE-2008-4401
CVE-2008-5361
CVE-2008-5362
CVE-2008-5363
CVE-2007-4324
CVE-2007-6243
CVE-2008-5499
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India