16:19 CET, 10th March 2009 By Carsten Eiram.
Recently, Adobe released a patch, which fixes multiple vulnerabilities for Adobe Flash Player.
Since Adobe Flash Player is used in enterprise environments and some of the reported vulnerabilities may allow code execution, my Binary Analysis team has spent some time analysing the patch in order to properly understand the fixed vulnerabilities.
In the advisory from Adobe, two vulnerabilities are listed as potential code execution vulnerabilities. For the first vulnerability (CVE-2009-0520), it is stated that a buffer overflow "could potentially allow an attacker to execute arbitrary code". For the second vulnerability (CVE-2009-0519), it is stated that an input validation error "leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible".
It turns out that at least one of them is quite nasty and does indeed allow remote code execution in a very reliable manner.
Due to the limited publicly available information, we cannot be certain whether the vulnerability analysed is CVE-2009-0520, CVE-2009-0519, or even a third, silently fixed vulnerability.
However, we are certain that the vulnerability is related to how callback functions are handled and may result in data in arbitrary memory being treated as an object. Secunia has furthermore developed a reliable, fully-working exploit (available to customers on the Secunia Binary Analysis service) that allows execution of arbitrary code as soon as a user views a malicious web page.
That a vulnerability, which is so reliable and simple to exploit, exists in Adobe Flash Player is especially disturbing when looking at how many users are not running the latest version.
In our 2008 Report, we conclude that Adobe Flash Player is one of the applications that users often neglect to keep fully updated. According to results from our Secunia Software Inspector solutions, almost half of the installations (48 percent) running Adobe Flash Player 9.x were not running the latest version.
It is quite plausible that we may start seeing attacks exploiting this vulnerability in the near future. We therefore strongly recommend users to ensure that they have updated to the latest version of Adobe Flash Player. If you are a home-user and unsure if your system is properly patched, then our PSI solution can help you answer this question (companies can obtain our commercial version by contacting our sales department).
Similarly, security vendors and large enterprises creating their own custom IDS/IPS signatures can obtain detailed information about the vulnerability via our Binary Analysis service to ensure that their security products are able to detect exploit attempts.
Chief Security Specialist