Vast security risk from Flash hole
Ubiquitous browser plug-in grants system access.
By Matthew Broersma | Techworld | Published: 12:58, 07 November 2005
Macromedia has warned of a critical bug in its Flash Player - one of the most widely used pieces of software on the desktop - that could allow attackers to take over a system.
eEye, the security research firm co-credited with discovering the bug, said it had demonstrated "reliable exploitation" using the bug in the Internet Explorer browser, but other browsers are also said to be just as open to attack. Macromedia also credited Sec Consult with the discovery.
The flaw affects all Windows versions of Flash Player 6.x and Flash Player 18.104.22.168 and earlier, but has already been addressed in Flash Player 8 (22.214.171.124), according to eEye. Macromedia recommended upgrading to Flash Player 8 but also released an update to Flash Player 7 fixing the bug. Flash Player 8 isn't supported by older operating systems such as Windows 95 and Windows NT.
The bug is due to missing validation of the frame type identifier read from a SWF file, which could be used to force the player to use attacker-supplied values as function pointers, according to eEye. Exploitation via a malicious SWF file could allow an attacker to execute malicious code with the same privileges as the user running Flash Player.
"There was a problem with bounds validation for indexes of certain arrays in Flash Player 7 and earlier, leaving open the possibility that a third party could inject unauthorised code that would have been executed by Flash Player," Macromedia said in its advisory.