CERT-In Vulnerability Note CIVN-2006-39
Remote Code Execution Vulnerabilities in Macromedia Flash Player running on Microsoft Windows

Original Issue Date: May 10, 2006

Severity Rating: High

Systems Affected

  • Microsoft Windows XP Service Pack 1 & 2
  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition (SE)
  • Microsoft Windows Millennium Edition (ME)

Overview

Two vulnerabilities have been reported in the way Macromedia Flash Player handles crafted Flash SWF files, which could be exploited by remote attackers to execute arbitrary code on the affected system.

Vulnerable versions of Macromedia Flash Player from Adobe are included with Windows XP and Internet Explorer 6 Service Pack 1 when installed on Windows ME, Windows 98, and Windows 98 Second Edition.

Description

1. Macromedia Flash Player SWF Array Boundary Code Execution Vulnerability (CVE-2005-2628)

A vulnerability has been reported in Macromedia Flash Player in the way it handles crafted SWF files. The vulnerability exists due to an array boundary condition error in the flash.ocx file. A malformed frame type identifier could be used as an out-of-bounds array index, which could lead to the execution of arbitrary code supplied by the attacker.

2. Macromedia Flash Player Code Execution Vulnerability (CVE-2006-0024)

A vulnerability has been reported in Macromedia Flash Player in the way it handles crafted SWF files, as described in CERT-In Vulnerability Note CIVN-2006-25. A remote attacker could exploit the vulnerability by hosting a malicious web page containing a specially crafted SWF file and enticing the user to open it. Successful exploitation of this vulnerability could allow the attacker to take complete control of the system.

Workaround

  • Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer for Windows XP Service Pack 2.
  • Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer.
  • Temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer by setting the kill bit for the control.
  • Modify the Access Control List on the Flash Player ActiveX control to temporarily prevent it from running in Internet Explorer.
  • Un-register the Flash Player ActiveX Control.
  • Restrict access to the Macromedia Flash folder by using a Software Restriction Policy.
  • Change your Internet Explorer settings to prompt before running ActiveX controls or disable ActiveX controls in the Internet security zone and in the Local intranet security zone.

For details on how to implement these workarounds and on their impact, refer to Microsoft Security Bulletin MS06-020.

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS06-020.

Vendor information

Adobe
http://www.adobe.com/devnet/security/security_zone/apsb06-03.html

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-020.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-020.mspx
http://support.microsoft.com/kb/913433

Adobe
http://www.adobe.com/devnet/security/security_zone/apsb06-03.html
http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html

Full Disclosure mailing list
http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0130.html

US-CERT
http://www.kb.cert.org/vuls/id/146284
http://www.kb.cert.org/vuls/id/945060

Secunia
http://secunia.com/advisories/20045/
http://secunia.com/advisories/19218/
http://secunia.com/advisories/17430/

SecurityFocus
http://www.securityfocus.com/bid/15332
http://www.securityfocus.com/bid/17106

FrSIRT
http://www.frsirt.com/english/advisories/2005/2317
http://www.frsirt.com/english/advisories/2006/1744

CVE Name

CVE-2005-2628
CVE-2006-0024

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91 11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003