Severity: Medium
11 July, 2007
Summary:
Yesterday, Adobe released an alert describing a critical security vulnerability in their popular Flash Player. By enticing one of your users into downloading and playing a maliciously crafted Flash (.SWF) file, an attacker could exploit this flaw to execute code on your user’s Windows, Linux, Unix, or OS X computer, potentially gaining complete control of the victim’s machine. Administrators should download and deploy Flash Player 9.0.47.0 or 8.0.35.0 throughout their network as soon as possible.
Exposure:
Adobe Flash Player displays interactive, animated Web content called Flash, often formatted as a Shockwave (.SWF) file. Adobe’s Flash player ships by default with many Web browsers, including Internet Explorer (IE). It also runs on many operating systems.
In yesterday’s alert, Adobe warns of a critical security vulnerability in Flash Player 9.0.45.0, and earlier versions. Adobe doesn’t describe this flaw in detail, simply calling it an “input validation flaw.” By enticing one of your users into downloading and playing a maliciously crafted .SWF file, an attacker can exploit this vulnerability to execute code on your user’s computer, with the same privileges and permissions your user has. In order to deliver his boobytrapped Flash file to your users, the attacker would probably host it on a Web site or send it via an HTML e-mail. Since most Windows administrators grant their users local administrative privileges, an attacker could probably exploit this flaw to gain complete control of a victim’s Windows computer. Adobe has patches for all operating systems, so we assume the impact of a successful exploit on Linux, Unix, and Apple OS X computers will allow code execution, but probably with lesser privileges.
Earlier versions of Flash contain an additional security flaw. According to Adobe, Flash Player 8.0.34.0 (and earlier) has “an issue with insufficient validation of the HTTP Referer.” The issue could allow an attacker to pull off a cross-site request forgery attack. In plainer English: if you are on Web Site A and click a link that leads to Web Site B, that launches an HTTP Request to the server that hosts Web Site B. The Request includes the URL for Web Site A, to show where the Request came from (thus, Web Site A is the HTTP Referer). Since Flash Player doesn’t properly verify that the specified Referer URL is real and true, an attacker could (at least in theory) send HTTP requests from her machine, forged to show your computer as the Referer. This technique could be used to fool a Web server into sending sensitive information about you to an attacker, because the request appears to come from an authorized source.
Solution Path:
Adobe has released new versions of Flash Player to correct these vulnerabilities. We recommend you download and deploy Adobe’s latest Flash Player throughout your network as soon as possible, regardless of the operating system you run it on. Adobe’s download link takes you to a web page that automatically senses which platform you are using and proposes a download of the appropriate Flash version. (In our tests, most Windows users were offered version 9.0.47.0. If you have not upgraded to Flash version 9, the download might send you version 8.0.35.0. According to Adobe, either version fixes the security flaws.)
Note: if you open the download link using Internet Explorer, you’ll see a page that, by default, will send you both the Flash update and Yahoo! Toolbar. We recommend you disable the option of receiving Yahoo! Toolbar, which is not needed for fixing the Flash vulnerability.
Adobe’s Flash Player also ships with other Adobe (and formerly, Macromedia) products. For a complete list of the affected products, and links to get the latest update for each product, see the Details section of their alert.
For All WatchGuard Users:
Some of WatchGuard’s Firebox models allow you to prevent your users from accessing Shockwave Flash files (.SWF) via the web or emails. If you like, you can temporarily mitigate the risk of this vulnerability by blocking .SWF files using your Firebox’s proxy services (instructions below). However, many web sites rely on Flash for interactive content. Blocking Flash prevents these sites from working properly. Note that many popular video streaming sites, such as YouTube and JibJab, deliver video using a Flash front end, so this technique will render many video web sites unusable. To best protect your network from this flaw, you should deploy Adobe’s updated Flash Player.
For Firebox X Edge Users Running Version 8.5:
If you would like to block HTTP requests for Shockwave Flash files, you can learn how by downloading and viewing the 12-minute Video Tutorial titled “Outgoing Proxies.” With the HTTP Proxy Setting “Allow only safe content types” enabled, highlight the MIME type, “application/x-shockwave-flash,” and click the Remove button.
To prevent attackers from sending a malicious SWF file as an attachment to email, in the POP3 Proxy Settings, go to Deny Unsafe Filename Patterns and use the Add button to enter *.SWF. These techniques will block all Flash files from arriving via web or email. (Firebox SOHO and earlier Edge devices do not have proxies, and thus this step does not apply to them. Those users should install Adobe’s Flash Player upgrade.)
For WatchGuard Firebox III, X Core, X Peak, and Vclass Users:
If the practice fits your business environment, you can use the HTTP and SMTP proxies to block all .SWF files (note that this method blocks both malicious and legitimate files). Follow the links below for instructions for your specific WatchGuard device.
- Firebox III and X Core running WFS
- Firebox X Core and X Peak running Fireware Pro
- Vclass
- SMTP Proxy. You’ll have to create or adjust a custom proxy action based on SMTP-Incoming in order to strip .SWF files. If you have created your own Proxy Action based on SMTP-Incoming, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Content Checking tab, change “Category” to Attachment Filename and click either the Add to Top or Insert After button (only one or the other will display). Next, type “SWF_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.SWF” and select Strip as the Action. Now you can apply this new Proxy Action to your SMTP rule to ensure Shockwave flash files (.SWF) are blocked.
- HTTP Proxy. You’ll have to create or adjust a custom proxy action based on HTTP-Outgoing in order to strip .SWF files. If you have created your own Proxy Action based on HTTP-Outgoing, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Request Headers tab, change “Category” to URL Paths and click on the Add button. Next, type “SWF_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.SWF” and select Strip as the Action. Now you can apply this new Proxy Action to your HTTP proxy policy to ensure Shockwave Flash files (.SWF) are blocked.
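The Edge and Core/Peak/Vclass instructions above apply the same two rules: strip HTTP content whose MIME type is application/x-shockwave-flash, and deny e-mail attachments matching *.SWF. The following is an added example, not WatchGuard or Adobe code, that implements those two checks in Python and, going beyond the alert’s own rules, also inspects the first bytes of a file for the SWF signature (“FWS” uncompressed or “CWS” zlib-compressed) so that a renamed Flash file is still caught. All sample inputs are constructed.

```python
import fnmatch

# Indicators taken from the alert: the MIME type removed from the Firebox HTTP
# proxy's safe-content list, and the filename pattern denied in the mail proxies.
BLOCKED_MIME_TYPES = {"application/x-shockwave-flash"}
BLOCKED_FILENAME_PATTERNS = ["*.swf"]

# Added beyond the alert: every SWF file starts with a 3-byte signature,
# "FWS" (uncompressed) or "CWS" (zlib-compressed body).
SWF_SIGNATURES = (b"FWS", b"CWS")


def mime_is_blocked(content_type):
    """Compare only the media type; ignore parameters such as '; charset=...'."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in BLOCKED_MIME_TYPES


def filename_is_blocked(filename):
    """Case-insensitive glob match, so 'intro.SWF' and 'intro.swf' are treated alike."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in BLOCKED_FILENAME_PATTERNS)


def body_looks_like_swf(body_prefix):
    """Signature check on the first bytes of the file body, independent of name or type."""
    return body_prefix[:3] in SWF_SIGNATURES


def should_block(filename="", content_type="", body_prefix=b""):
    """Return the rule that would strip the file ('mime-type', 'filename', 'signature'),
    or None if the file passes all three checks."""
    if content_type and mime_is_blocked(content_type):
        return "mime-type"
    if filename and filename_is_blocked(filename):
        return "filename"
    if body_looks_like_swf(body_prefix):
        return "signature"
    return None


if __name__ == "__main__":
    # Constructed samples: a web download, a mail attachment, a renamed SWF, a PDF.
    samples = [
        ("banner.swf", "application/x-shockwave-flash", b"FWS\x06"),
        ("Invoice.SWF", "application/octet-stream", b"CWS\x08"),
        ("notes.dat", "application/octet-stream", b"CWS\x08"),
        ("report.pdf", "application/pdf", b"%PDF-1.4"),
    ]
    for name, ctype, prefix in samples:
        print(name, "->", should_block(name, ctype, prefix))
```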
Status:
Adobe released Flash Player version 9.0.47.0 and version 8.0.35.0 (and, depending upon your platform, other versions) to correct this issue.
References:
This alert was researched by Steve Fallin, Scott Pinzon, and Nathan Buff. Written by Scott Pinzon, CISSP.