Vulnerabilities Discovered in Adobe Flash Player Plugin
These vulnerabilities could be used in concert with cross-site request forgery (CSRF) vulnerabilities to steal cookies or other private information
Two vulnerabilities found in Adobe Flash Player provide opportunity to attackers to send arbitrary HTTP requests from an unsuspecting user's browser, reports Rapid7 LLC in a security advisory published today (see http://www.rapid7.com/advisories/R7-0026.jsp). Adobe Flash Player version 9.0.16 for Windows and version 7.0.63 for Linux, as well as earlier versions, are affected.
The exploits can be carried out through the vulnerabilities when Flash is used with the following browser/operating system combinations:
- Internet Explorer (IE) 6 Service Pack 2 (IE 6, Security Version 1) for Windows (with Flash 9.0.16)
- Firefox 1.5.0.6 for Windows (with Flash 9.0.16)
- Firefox 1.5.0.6 for Linux (with Flash 7.0.63)
The two vulnerabilities reported are as follows:
XML.addRequestHeader() Vulnerability
The addRequestHeader() method insufficiently secures itself, providing a way around a security restriction that does not permit developers to use addRequestHeader() to set headers such as Host, Referer or Content-Length. As a result, it is possible to inject arbitrary headers with HTTP requests. The Rapid7 security paper points out that this vulnerability is similar to other, previously-reported vulnerabilities in Adobe Flash 7 and 8.
XML.contentType Vulnerability
The XML.contentType attribute contains the same vulnerability found in the addRequestHeader() and it can be exploited in the same way because Adobe Flash does not check the validity of the attributes value before building the HTTP request.
According to Rapid7, Adobe was notified of the vulnerabilities but has not yet released a fix or upgrade to Adobe Flash Player. To protect from the risk of attack, Rapid7 offers four solutions in the interim:
- Upgrade to the beta version (Flash Player 9.0.18d60 for Windows), which is fixed;
- Only allow trusted Websites to use Flash;
- Use alternative Flash Plugins (GplFlash, Gnash);
- Uninstall Adobe Flash Player.
According to Adobe, there are 700 million Adobe Flash users worldwide.
The exploits can be carried out through the vulnerabilities when Flash is used with the following browser/operating system combinations:
- Internet Explorer (IE) 6 Service Pack 2 (IE 6, Security Version 1) for Windows (with Flash 9.0.16)
- Firefox 1.5.0.6 for Windows (with Flash 9.0.16)
- Firefox 1.5.0.6 for Linux (with Flash 7.0.63)
The two vulnerabilities reported are as follows:
XML.addRequestHeader() Vulnerability
The addRequestHeader() method insufficiently secures itself, providing a way around a security restriction that does not permit developers to use addRequestHeader() to set headers such as Host, Referer or Content-Length. As a result, it is possible to inject arbitrary headers with HTTP requests. The Rapid7 security paper points out that this vulnerability is similar to other, previously-reported vulnerabilities in Adobe Flash 7 and 8.
XML.contentType Vulnerability
The XML.contentType attribute contains the same vulnerability found in the addRequestHeader() and it can be exploited in the same way because Adobe Flash does not check the validity of the attributes value before building the HTTP request.
According to Rapid7, Adobe was notified of the vulnerabilities but has not yet released a fix or upgrade to Adobe Flash Player. To protect from the risk of attack, Rapid7 offers four solutions in the interim:
- Upgrade to the beta version (Flash Player 9.0.18d60 for Windows), which is fixed;
- Only allow trusted Websites to use Flash;
- Use alternative Flash Plugins (GplFlash, Gnash);
- Uninstall Adobe Flash Player.
According to Adobe, there are 700 million Adobe Flash users worldwide.
