Severity: High
19 December, 2007
Summary
- These vulnerabilities affect: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier, on Windows, OS X, Unix and Linux computers
- How an attacker exploits them: By enticing one of your users into playing a maliciously crafted Flash (.SWF) file
- Impact: Numerous flaws, various results. In the worst case, an attacker could execute code on the victim’s computer, and take control
- What to do: Deploy Flash Player 9.0.115.0 as soon as possible
Severity: High
19 December, 2007
Summary
- These vulnerabilities affect: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier, on Windows, OS X, Unix and Linux computers
- How an attacker exploits them: By enticing one of your users into playing a maliciously crafted Flash (.SWF) file
- Impact: Numerous flaws, various results. In the worst case, an attacker could execute code on the victim’s computer, and take control
- What to do: Deploy Flash Player 9.0.115.0 as soon as possible
Exposure
Adobe Flash Player displays interactive, animated Web content called Flash, often formatted as a Shockwave (.SWF) file. Adobe’s Flash player ships by default with many Web browsers, including Internet Explorer (IE). It also runs on many operating systems.
In yesterday’s alert, Adobe warns of numerous security vulnerabilities in all versions of Flash Player from 9.0.48.0, back. Some of the vulnerabilities are critical. Adobe doesn’t describe the flaws in detail, simply calling them “input validation flaws.” Input validation is a fancy term for a simple concept: Any script or program that accepts input (whether directly from users, or from another program) should check that the input makes sense and is of the type expected. Examples of typical input validation flaws include failure to cut off the input after receiving the expected number of characters, or failure to reject meta-characters that have a special meaning to the program accepting the input.
To exploit Flash Player’s flaws, an attacker would create a malicious Shockwave Flash (.SWF) file and entice one of your users into executing it. The file could be hosted on a Web site, or sent via an HTML e-mail, or delivered in other ways via applications that embed Flash. If your user plays the file, Flash’s lack of input validation enables the attacker to pull off a wide range of technical tricks, resulting in possible cross-site scripting, elevation of privileges, HTTP Request splitting, DNS rebinding, and too many other attacks to detail. (See the References section below for papers describing how some of the possible attacks work). Since most Windows administrators grant their users local administrative privileges, an attacker could exploit some of these flaws to gain complete control of a victim’s computer.
Solution Path
Adobe has released new versions of Flash Player to correct these vulnerabilities. We recommend you download and deploy Adobe’s latest Flash Player throughout your network as soon as possible, regardless of the operating system you run it on. Adobe’s web page automatically senses which platform you are using, and proposes a download of the appropriate Flash version.
Note: If you open the download link using Internet Explorer, you’ll see a page that, by default, will send you both the Flash update and Yahoo! Toolbar. We recommend you disable the option of receiving Yahoo! Toolbar, which is not needed for fixing the Flash vulnerability.
Adobe’s Flash Player also ships with other Adobe (and formerly, Macromedia) products. For a complete list of the affected products, and links to get the latest update for each product, see the Details section of their alert.
For All WatchGuard Users:
Some of WatchGuard’s Firebox models allow you to prevent your users from accessing Shockwave Flash files (.SWF) via the web (HTTP) or emails (SMTP, POP3). If you like, you can temporarily mitigate the risk of this vulnerability by blocking .SWF files using your Firebox’s proxy services (instructions below). However, many web sites rely on Flash for interactive content. Blocking Flash prevents these sites from working properly. Note that many popular video streaming sites, such as YouTube and JibJab, deliver video using a Flash front end, so this technique will render many video web sites unusable. To best protect your network from this flaw, you should deploy Adobe’s updated Flash Player.
For Firebox X Edge Users Running Version 8.5:
If you would like to block HTTP requests for Shockwave Flash files, you can learn how in the 12-minute Video Tutorial titled “Outgoing Proxies.” (You’ll find it with the other Firebox X Edge videos located at the bottom of the tutorials page.) With the HTTP proxy setting “Allow only safe content types” enabled, highlight the MIME type “application/x-shockwave-flash,” and click the Remove button.
To prevent attackers from sending a malicious SWF file as an attachment to email, in the POP3 proxy settings, go to Deny Unsafe Filename Patterns and use the Add button to enter *.SWF. These techniques will block all Flash files from arriving via web or email. (Firebox SOHO and earlier Edge devices do not have proxies, and thus this step does not apply to them. Those users should install Adobe’s Flash Player update.)
For Firebox III, X Core, and X Peak Users:
If the practice fits your business environment, you can use the HTTP and SMTP proxies to block .SWF files (note that this method blocks both malicious and legitimate files). Follow the links below for instructions for your specific WatchGuard device.
- Firebox III and X Core running WFS
- Firebox X Core and X Peak running Fireware Pro
Status
Adobe released Flash Player version 9.0.115.0, which corrects these issues.
References
- Adobe’s Flash Player Alert
- Written by Adobe for developers: “Security Changes in Flash Player 9”
- Rapid7 security advisory on “HTTP Header Injection Vulnerabilities in Flash Player”