The description of the vulnerability seems to indicate that the vulnerability would affect websites and therefore be limited to corrupting only the website, but maybe not affecting the home user and their computer?
What do you read from it, Jason?
It can definitely affect the home user, although I can see how the description looks like it might not. Basically, if a website has Flash code that uses the vulnerability, it can take over your machine (Windows) or escalate privileges (Linux or Mac).
Adobe's security advisory is clearer. I probably should've used it instead. I also noticed the Adobe advisory says some versions of 7.x are affected as well. Here's the first part of it (emphasis mine). I just left out all the detailed technical information regarding the fixes, which you can read by visiting the Adobe link above.
Flash Player update available to address security vulnerabilities
Release date: December 18, 2007
Vulnerability identifier: APSB07-20
CVE number: CVE-2007-6242, CVE-2007-4768, CVE-2007-5275, CVE-2007-6243, CVE-2007-6244, CVE-2007-6245, CVE-2007-4324, CVE-2007-6246, CVE-2007-5476
Platform: All platforms
Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.
Summary
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update to the most current version of Flash Player available for their platform.
Affected software versions
Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.
To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
Solution
Adobe recommends all users of Adobe Flash Player 9.0.48.0 and earlier versions upgrade to the newest version 9.0.115.0 (Win, Mac, Linux), by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.
Adobe will be providing an update to Adobe Flash Player 9.0.47.0 for Solaris at a later date. Customers can download and install the Flash Player public beta, which addresses these vulnerabilities, from the Adobe Labs site in the meantime.
For customers who cannot upgrade to Adobe Flash Player 9, Adobe has developed a patched version of Flash Player 7. Please refer to the Flash Player update TechNote.
Severity rating
Adobe categorizes this as a critical update and recommends affected users upgrade to version 9.0.115.0 (Win, Mac, Linux).
Been trying out NoScript again for blocking Flash until Mandriva issues a fix, but it's an ugly solution at best. This might be better:
FlashBlock
Basically, it blocks all Flash and puts placeholders (little play buttons) that allow you to play Flash stuff you actually want to view. Used to use this. The actual intention of the extension was to block all those annoying Flash ads you see online, so this would be just a side benefit.
