US-CERT Technical Cyber Security Alert TA08-149A -- Exploitation of Adobe Flash Vulnerability

National Cyber Alert System
Technical Cyber Security Alert TA08-149A

Exploitation of Adobe Flash Vulnerability

Original release date: May 28, 2008
Last revised: --
Source: US-CERT

Systems Affected

Adobe Flash Player

Overview

A vulnerability that affects Adobe Flash Player 9 is being actively exploited to install malicious software.

I. Description

A vulnerability in Flash Player 9 is being actively exploited. The latest version of Flash Player (9.0.124.0) appears to correct the vulnerability. Analysis indicates that this vulnerability is the same as or similar to the one described in Application Specific Attacks: Leveraging the ActionScript Virtual Machine by Mark Dowd. The vulnerability depends on ActionScript 3.0 which was introduced in Flash Player 9, so previous versions do not appear to be affected.

To exploit this vulnerability, an attacker could cause a victim to open specially crafted Flash content. Public incident reports (SANS ISC, Symantec ThreatCon) indicate that this and possibly other Flash vulnerabilities are being actively exploited. Attacks likely involve multiple web sites, specially crafted Flash content, and obfuscated JavaScript to cause a victim to browse to a site that uses the vulnerability to install malicious software. Attackers may compromise otherwise trusted web sites using SQL injection or cross-site scripting vulnerabilities to inject JavaScript that directs visitors to malicious Flash content.

The vulnerability (or vulnerabilities) being used in these attacks are described in US-CERT Vulnerability Notes VU#395473 and VU#159523. A post on the Adobe Product Security Incident Response Team (PSIRT) blog states that the exploit "...appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071)."

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code. Various sources report that attackers are exploiting this vulnerability to install malicious software.

III. Solution

Upgrade

Upgrade to Flash Player 9.0.124.0 or later. The installation process for Flash Player differs based on web browser platform. Take care to upgrade Flash Player in all supported web browsers.

Microsoft Windows users should upgrade the Flash ActiveX control by visiting the Adobe Flash Player Download Center using Internet Explorer (IE). This is necessary even if IE is not the primary browser, since other programs may use IE to view Flash content. Alternately, download the stand-alone installer for the Flash Player ActiveX control.
Users with other web browsers and operating systems should visit the Adobe Flash Player Download Center using each browser that supports Flash. Alternately, download the stand-alone installer for the Flash Player Netscape-style plug-in.

To check the version of Flash Player, visit the Version test for Adobe Flash Player using each web browser that supports Flash.

Block Flash Content

To partially mitigate this and other Flash vulnerabilities, configure web browsers to block Flash content. Securing Your Web Browser provides instructions to disable Flash and more generally ActiveX, plug-ins, and script for untrusted web sites. The NoScript and Flashblock add-ons can block Flash content in Firefox and other Mozilla-based browsers.