MS-ISAC ADVISORY NUMBER:
2009-010

DATE(S) ISSUED:
2/25/2009

SUBJECT:
Multiple Vulnerabilities Discovered in Adobe Flash Player

OVERVIEW:

Multiple security vulnerabilities have been identified in Adobe Flash Player. Adobe Flash Player is a widely distributed multimedia and application player for Microsoft Windows, Mozilla, and Apple systems. It is used to enhance the user experience when visiting web pages or reading email messages. These vulnerabilities can be exploited if a user visits a malicious website or opens an email containing Flash media designed to exploit these vulnerabilities. Successful exploitation of one of these vulnerabilities may result in an attacker gaining the same privileges as the logged on user. If the user is logged in with administrator privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

  • Adobe Flash CS4 Professional
  • Adobe Flash Player 10.0.12.36 and earlier (Adobe Flash Player 10.0.15.3 and earlier for Linux)
  • Adobe Flex 3.0

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Four new security vulnerabilities have been identified in Adobe Flash Player. These vulnerabilities can be exploited if a user visits a malicious website or opens an email containing a Flash media file designed to trigger these issues.

Details of these vulnerabilities are:

  • A remote code-execution vulnerability which occurs when a user loads a malicious Shockwave Flash (.SWF) file and memory is not properly de-allocated when an object is destroyed. The reference to the improperly de-allocated memory can then be used by the attacker to gain arbitrary execution control by re-allocating the memory used by the destroyed object.
  • Two "Clickjacking" Security Bypass vulnerabilities that can be exploited to bypass security restrictions and disclose information. Clickjacking is a malicious technique that involves embedding code or a script into a web page that tricks a user into performing unintended actions. This occurs when a user mistakenly clicks on a concealed link or when the user clicks on a button that triggers the malicious action.
  • A remote Denial of Service (DoS) vulnerability occurs because Adobe Flash Player fails to validate user-supplied input.

Attackers can exploit these vulnerabilities to disclose information, control how web pages are rendered, cause DoS conditions, or execute arbitrary script code in the context of the logged on user. Additional attacks may also be possible. Successful exploitation of the first two vulnerabilities may result in an attacker gaining the same privileges as the logged on user. If the user is logged in with administrator privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed attempts may result in DoS conditions.

Adobe has released updates for Adobe Flash Player which address all of the reported vulnerabilities.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade to the recommended software version based on Adobe's security advisory.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Do not open email attachments from unknown or un-trusted sources.
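
To find the hosts that need the upgrade, an inventory of reported Flash Player versions can be compared against the builds listed under SYSTEMS AFFECTED. The following is an added example, not part of the MS-ISAC advisory or Adobe's bulletin; the host names and inventory rows are constructed, and the function names are hypothetical. It accepts the player's own version format ("WIN 10,0,12,36") as well as dotted versions.

```python
import re

# Highest affected builds, taken from SYSTEMS AFFECTED in this advisory.
AFFECTED_MAX_DEFAULT = (10, 0, 12, 36)    # all platforms except Linux
AFFECTED_MAX = {"LNX": (10, 0, 15, 3)}    # Linux builds use a higher ceiling

# Optional platform tag (WIN, MAC, LNX ...) followed by four numeric fields.
_VERSION_RE = re.compile(
    r"^\s*(?:([A-Za-z]{3,4})\s+)?(\d+)[.,](\d+)[.,](\d+)[.,](\d+)\s*$")

def parse_flash_version(text):
    """Return (platform tag or None, (major, minor, build, revision))."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Flash Player version: {text!r}")
    tag = m.group(1).upper() if m.group(1) else None
    return tag, tuple(int(field) for field in m.groups()[1:])

def is_affected(text, platform=None):
    """True if the version is at or below the advisory's affected ceiling.
    `platform` is used only when the string carries no platform tag."""
    tag, version = parse_flash_version(text)
    key = tag or (platform.upper() if platform else None)
    return version <= AFFECTED_MAX.get(key, AFFECTED_MAX_DEFAULT)

def triage(inventory):
    """Split (host, version string) rows into affected, not listed, unknown."""
    result = {"affected": [], "not_listed": [], "unknown": []}
    for host, reported in inventory:
        try:
            bucket = "affected" if is_affected(reported) else "not_listed"
        except ValueError:
            bucket = "unknown"    # unparseable rows need a manual check
        result[bucket].append(host)
    return result

# Constructed sample inventory (not real hosts or scan output).
SAMPLE_INVENTORY = [
    ("ws-014", "WIN 10,0,12,36"),   # exactly the Windows/Mac ceiling
    ("ws-022", "WIN 10,0,13,0"),    # above the ceiling on Windows
    ("lab-03", "LNX 10,0,13,0"),    # same build is still affected on Linux
    ("kiosk-7", "9.0.124.0"),       # "and earlier" covers older major versions
    ("srv-01", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A host in the "not_listed" bucket is only outside the affected range stated in this advisory; whether it runs the recommended version still has to be checked against Adobe's security advisory.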

REFERENCES:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb09-01.html
http://www.adobe.com/products/flash/

Security Focus:
http://www.securityfocus.com/bid/33889
http://www.securityfocus.com/bid/33890
http://www.securityfocus.com/bid/33880
http://www.securityfocus.com/archive/1/49A43D67.3080609@idefense.com

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0522

Secunia:
http://secunia.com/advisories/34012/


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.