Holes in Adobe's Flash Player a threat to system security [Update]
Adobe has published an update for Flash Player that eliminates many browser-independent security holes. Adobe classifies several of these as critical, because an attacker can infect a PC by placing specially crafted SWF files on Web sites. For this to work, it's sufficient for a page containing Flash content to be opened. The Flash Player is already included as a standard ActiveX Control in Internet Explorer under Windows. In these days of YouTube and other multimedia offerings, users of alternative browsers may also have installed a suitable plug-in from Adobe and so be just as vulnerable.
The versions affected are Adobe Flash Player 184.108.40.206 and earlier, 220.127.116.11 and earlier, and 18.104.22.168 and earlier under Windows, Mac OS X and Linux. Adobe advises all users to download and install the new Flash Version 22.214.171.124 as quickly as possible from the Adobe Flash Player Download Center.
Users who have activated automatic updates should already have been offered a new version. A patched Version 7 can be downloaded by those users who, for their own reasons, want or need to go on using Version 7. Not until later will Solaris users be offered update 126.96.36.199 with the faults removed. Until then, Adobe advises installing the beta version from Adobe Labs.
The security holes result from various bugs including heap overflows that occur during the parsing of SWF files. Through them, code can be smuggled in and executed with the rights of the user. According to Tipping Point, this can happen while manipulated JPG images embedded in SWF files are being processed. There are moreover vulnerabilities that allow the domain policy of the Player to be circumvented and cross-site scripting attacks carried out.
HTTP headers can also be manipulated: something that can be exploited in HTTP request-splitting attacks. And ActionScript can be used to find out what ports on a PC are open. According to a security advisory, this can be misused for port scanning by remote computers.
So far there have been no reports of Web sites actively exploiting the holes in Flash. Fortunately YouTube, for example, only permits files to be uploaded in the WMV, AVI, MOV and MPG formats and encodes these into the Flash format itself, so there should be no malicicously crafted movies there. MySpace, too, creates a new Flash movie from an uploaded one. Things may be different on other pages, however. Users should consider installing a Flash blocker in addition, for example FlashBlock for Firefox. This prevents a Flash film being loaded and played until it has been approved by the user.
The port scanning vulnerability in Flash Player has been known since last August. At this year's CCCamp, the hacker "fukami" who found the hole demonstrated how ActionScript detects the open ports on a system. The web page Design flaw in AS3 socket handling allows port probing gives demo and a more detailed description of the problem. On this page, you can also test whether Adobe's update and the suggested workaround actually function.
- Flash Player update available to address security vulnerabilities, security advisory from Adobe
- Adobe Flash Player JPG Processing Heap Overflow Vulnerability, security advisory from Tipping Point