dualpixel
05-08-2008, 12:57 PM
Good Day All,
I was wondering if I could get some feedback on the following vulnerabilities that I found listed on a government website with regards to Flash Player. Basically, I'm wondering if these are entirely true or if it is mis-interpreted, because of the limitations that Flash itself has to "writing" commands.
Here they are:
Purpose
The purpose of this advisory is to raise awareness of multiple vulnerabilities within Adobe Flash Player.
Assessment
Multiple vulnerabilities have been identified within Adobe Flash Player. Successful exploitation could allow a remote attacker to; execute arbitrary code with system level privileges, gain access to sensitive information, and/or take complete control of an affected system.
- A buffer overflow vulnerability has been discovered when processing of "Declare Function (V7)" tags. Successful exploitation could allow an attacker to potentially execute arbitrary code. A user must be successfully lured into visiting a specially crafted web site for this attack to succeed.
- A integer overflow vulnerability has been discovered when processing malformed SWF files. Successful exploitation could allow an attacker to potentially execute arbitrary code. A user must be successfully lured into visiting a specially crafted web site for this attack to succeed.
- A vulnerability has been identified that is caused by an unspecified error when handling specially crafted Flash files. Successful exploitation could allow an attacker to conduct a DNS rebinding attack on an affected system.
- A vulnerability has been identified that is caused by an error when interpreting cross-domain policy files. Successful exploitation could allow an attacker to conduct privilege escalation attacks against an affected web server hosting Flash content and/or cross-domain policy files.
- A vulnerability has been identified that is caused by an error when processing HTTP headers. Successful exploitation could allow an attacker to bypass cross-domain policy restrictions.
- A vulnerability has been identified that is caused by input validation errors in the API's. Successful exploitation could allow an attacker to potentially execute arbitrary scripting code on a affected system.
Affected Products:
Adobe Flash Player 9.0.115.0 and earlier
Adobe Flash Player 8.0.39.0 and earlier
Your thoughts..
I was wondering if I could get some feedback on the following vulnerabilities that I found listed on a government website with regards to Flash Player. Basically, I'm wondering if these are entirely true or if it is mis-interpreted, because of the limitations that Flash itself has to "writing" commands.
Here they are:
Purpose
The purpose of this advisory is to raise awareness of multiple vulnerabilities within Adobe Flash Player.
Assessment
Multiple vulnerabilities have been identified within Adobe Flash Player. Successful exploitation could allow a remote attacker to; execute arbitrary code with system level privileges, gain access to sensitive information, and/or take complete control of an affected system.
- A buffer overflow vulnerability has been discovered when processing of "Declare Function (V7)" tags. Successful exploitation could allow an attacker to potentially execute arbitrary code. A user must be successfully lured into visiting a specially crafted web site for this attack to succeed.
- A integer overflow vulnerability has been discovered when processing malformed SWF files. Successful exploitation could allow an attacker to potentially execute arbitrary code. A user must be successfully lured into visiting a specially crafted web site for this attack to succeed.
- A vulnerability has been identified that is caused by an unspecified error when handling specially crafted Flash files. Successful exploitation could allow an attacker to conduct a DNS rebinding attack on an affected system.
- A vulnerability has been identified that is caused by an error when interpreting cross-domain policy files. Successful exploitation could allow an attacker to conduct privilege escalation attacks against an affected web server hosting Flash content and/or cross-domain policy files.
- A vulnerability has been identified that is caused by an error when processing HTTP headers. Successful exploitation could allow an attacker to bypass cross-domain policy restrictions.
- A vulnerability has been identified that is caused by input validation errors in the API's. Successful exploitation could allow an attacker to potentially execute arbitrary scripting code on a affected system.
Affected Products:
Adobe Flash Player 9.0.115.0 and earlier
Adobe Flash Player 8.0.39.0 and earlier
Your thoughts..