Several flaws facilitating remote code execution, clickjacking attacks and privilege escalation have been addressed

Feb 25, 2009 09:50 GMT  ·  By

Adobe has released Flash Player 10.0.22.87. The update fixes several serious vulnerabilities and is rated critical, and users are urged to apply it promptly, since attacks against the patched flaws may follow.

One of the most serious flaws addressed in the new version was reported by security and vulnerability research company iDefense Labs. It allows an attacker to execute arbitrary code on the system with the privileges of the logged-on user.

This vulnerability, identified as CVE-2009-0520, is particularly dangerous because it affects Flash Player on all platforms, including Mac OS and Linux, and is easily exploitable with little user interaction. All an attacker has to do is trick a user into loading a maliciously crafted Shockwave Flash (SWF) file in the browser. This can be achieved either through social engineering or by inserting the SWF object into a legitimate website, via XSS, SQL injection or malvertising.

"During the processing of a Shockwave Flash file, a particular object can be created, along with multiple references that point to the object. The object can be destroyed and its associated references removed. However, a reference can incorrectly remain pointing to the object. The invalid object resides in uninitialized memory, which the attacker may control to gain arbitrary execution control," the iDefense advisory explains.
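The pattern iDefense describes is a dangling reference: one of several references to an object survives the object's destruction, and whatever the allocator later places in that memory is what the stale reference ends up pointing at. The C program below is an added illustration of that class of bug; it is not Flash Player code and not iDefense's proof of concept. It models the player's object heap as a small slot pool (names such as `pool_alloc`, `raw_ref_t` and `checked_ref_t` are hypothetical), destroys an object through one reference while a second reference survives, lets an "attacker" allocation reuse the freed slot, and then dispatches through the stale reference. The hardened variant tags each reference with the slot's generation so a stale reference is detected rather than followed. Memory is never actually freed to the system, so the demonstration has defined behaviour while still showing the mechanism.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical toy object pool standing in for a player's object heap.
 * Slots are reused after destruction, as a real allocator reuses freed chunks. */
#define POOL_SLOTS 4

typedef struct {
    int      alive;
    uint32_t generation;      /* bumped on every destroy; checked by hardened refs */
    int    (*handler)(void);  /* stands in for a vtable entry an attacker wants to control */
} object_t;

static object_t pool[POOL_SLOTS];

static int benign_handler(void)   { return 1; }
static int attacker_handler(void) { return 0xdead; } /* marker for attacker-controlled code */

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Returns the first free slot, or -1 when the pool is exhausted. */
static int pool_alloc(int (*h)(void)) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].alive) {
            pool[i].alive = 1;
            pool[i].handler = h;
            return i;
        }
    }
    return -1;
}

static void pool_destroy(int slot) {
    pool[slot].alive = 0;
    pool[slot].generation++;
    /* handler deliberately left in place: allocators do not scrub freed memory */
}

/* Raw reference: a bare pointer with no notion of whether the target still exists. */
typedef struct { object_t *obj; } raw_ref_t;

/* Hardened reference: remembers the slot generation it was taken against. */
typedef struct { int slot; uint32_t generation; } checked_ref_t;

static checked_ref_t checked_ref(int slot) {
    checked_ref_t r = { slot, pool[slot].generation };
    return r;
}

/* Resolves a checked reference, or returns NULL if the object was destroyed
 * (and possibly replaced) since the reference was taken. */
static object_t *checked_deref(checked_ref_t r) {
    object_t *o = &pool[r.slot];
    return (o->alive && o->generation == r.generation) ? o : NULL;
}

/* The flow from the advisory: two references to one object, the object is
 * destroyed through one, the other keeps pointing at the slot, and an
 * attacker-controlled allocation lands in the reused slot. */
int vulnerable_flow(void) {
    pool_reset();
    int slot = pool_alloc(benign_handler);
    raw_ref_t ref_a = { &pool[slot] };
    raw_ref_t ref_b = { &pool[slot] };
    pool_destroy(slot);            /* ref_a's owner tears the object down */
    (void)ref_a;
    pool_alloc(attacker_handler);  /* attacker grooms the freed slot with their own object */
    return ref_b.obj->handler();   /* stale ref_b dispatches through the attacker's handler */
}

/* Same sequence with generation-checked references: the stale reference is refused. */
int hardened_flow(void) {
    pool_reset();
    int slot = pool_alloc(benign_handler);
    checked_ref_t ref_a = checked_ref(slot);
    checked_ref_t ref_b = checked_ref(slot);
    pool_destroy(slot);
    (void)ref_a;
    pool_alloc(attacker_handler);
    object_t *o = checked_deref(ref_b);
    return o ? o->handler() : -1;  /* -1: dangling reference detected, not followed */
}

int main(void) {
    printf("vulnerable: handler returned 0x%x\n", vulnerable_flow());
    printf("hardened:   result %d\n", hardened_flow());
    return 0;
}
```

The generation check is one of several ways a runtime can close this class of bug; clearing every reference on destruction, or keeping a reference count so the object outlives all references, achieve the same goal. What matters for the advisory's scenario is that no reference can observe the slot after its contents have been replaced by something the attacker chose.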

Another flaw, which can cause a denial of service and possibly arbitrary code execution, was discovered by Roee Hay from IBM Rational Application Security. It is identified as CVE-2009-0519 and is an input validation issue. "Arbitrary code execution has not been demonstrated, but may be possible," the Adobe advisory notes.

A clickjacking issue reported by Liu Die Yu of TopsecTianRongXin and identified as CVE-2009-0114, which involves the Flash Player Settings Manager page, has also been addressed. The Settings Manager is a control panel accessed through a special web page hosted on Adobe's website, and it was also the subject of earlier clickjacking attacks disclosed by Jeremiah Grossman of WhiteHat Security and Robert Hansen of SecTheory.

Eduardo Vela, another clickjacking researcher, reported a mouse pointer issue affecting Flash Player for Windows that can be used to mount UI redressing attacks. The problem, tracked as CVE-2009-0522, is fixed in the newly released version.

The final flaw patched by Adobe affects only Flash Player on Linux. It is an information disclosure issue that could be used for privilege escalation and is identified as CVE-2009-0521. Adobe credits Josh Bressers of Red Hat and Tavis Ormandy of the Google Security Team with its discovery.

Given cyber-criminals' appetite for vulnerabilities in Adobe's products, which stems from their large user base, it is likely that once proof-of-concept exploits for these flaws become public they will be incorporated into web attack kits. Meanwhile, a critical remote code execution bug in Adobe Reader and Acrobat is being actively exploited in the wild, and a patch for it is not due until March 11.