
Critical Vulnerability Fixed in Adobe Flash Player

16:19 CET on the 10th March 2009
Entry written by Carsten Eiram.

Adobe recently released a patch that fixes multiple vulnerabilities in Adobe Flash Player.

Since Adobe Flash Player is used in enterprise environments and some of the reported vulnerabilities may allow code execution, my Binary Analysis team has spent some time analysing the patch in order to properly understand the fixed vulnerabilities.

In the advisory from Adobe, two vulnerabilities are listed as potential code execution vulnerabilities. For the first vulnerability (CVE-2009-0520), it is stated that a buffer overflow "could potentially allow an attacker to execute arbitrary code". For the second vulnerability (CVE-2009-0519), it is stated that an input validation error "leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible".

It turns out that at least one of them is quite nasty and does indeed allow remote code execution in a very reliable manner.

Due to the limited publicly available information, we cannot be certain whether the vulnerability analysed is CVE-2009-0520, CVE-2009-0519, or even a third, silently fixed vulnerability.

However, we are certain that the vulnerability is related to how callback functions are handled and may result in data in arbitrary memory being treated as an object. Secunia has furthermore developed a reliable, fully-working exploit (available to customers on the Secunia Binary Analysis service) that allows execution of arbitrary code as soon as a user views a malicious web page.

That a vulnerability this reliable and simple to exploit exists in Adobe Flash Player is especially disturbing given how many users are not running the latest version.

In our 2008 Report, we conclude that Adobe Flash Player is one of the applications that users often neglect to keep fully updated. According to results from our Secunia Software Inspector solutions, almost half of the installations (48 percent) running Adobe Flash Player 9.x were not running the latest version.

It is quite plausible that we may start seeing attacks exploiting this vulnerability in the near future. We therefore strongly recommend that users ensure they have updated to the latest version of Adobe Flash Player. If you are a home user and unsure whether your system is properly patched, our PSI solution can help you answer this question (companies can obtain our commercial version by contacting our sales department).

Similarly, security vendors and large enterprises creating their own custom IDS/IPS signatures can obtain detailed information about the vulnerability via our Binary Analysis service to ensure that their security products are able to detect exploit attempts.

Stay Secure,

Carsten Eiram
Chief Security Specialist
