__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

         Flash Player 7 Improper Memory Access Vulnerability
                          [MPSB05-07]

November 11, 2005 18:00 GMT                                    Number Q-051
______________________________________________________________________________
PROBLEM:       A vulnerability in Macromedia Flash Player 7 has been
               identified that could allow the execution of arbitrary code.

PLATFORM:      Flash Player 7.0.19.0 and earlier

DAMAGE:        An attacker could execute arbitrary code.

SOLUTION:      Apply current patches: upgrade to Flash Player 8 (8.0.22.0),
               or, on systems that cannot run Flash Player 8, apply the
               Flash Player 7 update (7.0.61.0 or 7.0.60.0).
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker could execute arbitrary code.
ASSESSMENT:
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-051.shtml
 ORIGINAL BULLETIN:  http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html
 ADDITIONAL LINKS:   http://rhn.redhat.com/errata/RHSA-2005-835.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2628
______________________________________________________________________________

[***** Start MPSB05-07 *****]

Security Bulletin MPSB05-07
Flash Player 7 Improper Memory Access Vulnerability

Summary

A vulnerability in Macromedia Flash Player 7 has been identified that could
allow the execution of arbitrary code.

Solution

The current version of Macromedia Flash Player (8.0.22.0) contains a fix for
the vulnerability. Users who have already upgraded to Flash Player 8 are not
affected by this issue. Macromedia recommends all Flash Player 7 and earlier
users upgrade to this new version, which can be downloaded from the Macromedia
Player Download Center.
Updated versions of Flash Player 7 for Linux and Solaris, which contain a fix
for the vulnerability, are also available from the Macromedia Player Download
Center. For customers with operating systems that do not support Flash Player 8
(Microsoft Windows 95, Microsoft Windows NT, or classic Macintosh operating
systems), please refer to the Flash Player 7 update TechNote.

Affected Software Versions

Flash Player 7.0.19.0 and earlier

Severity Rating

Macromedia categorizes this as a critical update and recommends affected users
update to Flash Player 8.

Details

Flash Player 8 (8.0.22.0) and the Flash Player 7 update (7.0.61.0 or 7.0.60.0)
address a security vulnerability in previous versions of Flash Player which
could lead to the execution of arbitrary code. There was a problem with bounds
validation for indexes of certain arrays in Flash Player 7 and earlier, leaving
open the possibility that a third party could inject unauthorized code that
would then be executed by Flash Player.

Acknowledgements

Macromedia would like to thank eEye Digital Security and Sec Consult for
reporting these vulnerabilities and for working with us to help protect our
customers' security.

Revisions

November 10, 2005 — Bulletin amended.
November 2, 2005 — Bulletin first created.

Reporting Security Issues

Macromedia is committed to addressing security issues and providing customers
with the information on how they can protect themselves. If you identify what
you believe may be a security issue with a Macromedia product, please send an
email to secure@macromedia.com. We will work to appropriately address and
communicate the issue.

Receiving Security Bulletins

When Macromedia becomes aware of a security issue that we believe significantly
affects our products or customers, we will notify customers when appropriate.
Typically this notification will be in the form of a security bulletin
explaining the issue and the response.
Macromedia customers who would like to receive notification of new security
bulletins when they are released can sign up for our security notification
service. For additional information on security issues at Macromedia, please
visit: http://www.macromedia.com/resources/security.

ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY MACROMEDIA
IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROMEDIA
AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR
OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR
QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED
WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION
OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY
INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE),
PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR
THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
(USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION
MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM
STATE TO STATE.

Macromedia reserves the right, from time to time, to update the information in
this document with current information.

[***** End MPSB05-07 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Macromedia for the information
contained in this bulletin.
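The Details section of MPSB05-07 above attributes the flaw to missing bounds validation on the indexes of certain arrays. The C program below is an added illustration of that bug class; it is not code from Macromedia, CIAC or Flash Player, and it does not reproduce the actual defect in the player. The handler table, the 4-byte little-endian index record and the "weak" check are constructed assumptions for the example. It contrasts a one-sided signed comparison, which lets a negative index select memory before the table, with a check on both bounds done in unsigned arithmetic, and counts how many constructed records each check lets outside the table.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the bug class named in the bulletin: an array whose
 * index is taken from an untrusted stream and validated incompletely. The
 * record layout (4-byte little-endian index) and every name here are this
 * example's own assumptions, not Flash Player's real format or code. */

#define TABLE_COUNT 8
#define LOOKUP_REJECTED INT64_MIN

typedef struct {
    uint32_t tag;
    void (*handler)(void);   /* the kind of field an attacker would aim at */
} entry_t;

static entry_t table[TABLE_COUNT];

/* Weak validation: the signed comparison rejects idx >= count but accepts
 * any negative value, so -1 selects the entry just before the table. */
static int weak_index_ok(int32_t idx, int32_t count) {
    return idx < count;
}

/* Strict validation: both bounds in one unsigned comparison. A negative
 * index becomes a huge unsigned value and fails the same test. */
static int strict_index_ok(int32_t idx, int32_t count) {
    return (uint32_t)idx < (uint32_t)count;
}

/* Read a 32-bit little-endian index from the record. Returns 0 if the
 * record is truncated, which is itself a case a parser must reject. */
static int read_index(const uint8_t *buf, size_t len, int32_t *out) {
    if (len < 4) return 0;
    uint32_t v = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                 ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    *out = (int32_t)v;
    return 1;
}

/* Resolve a record to the byte offset from the table base that the lookup
 * would touch, or LOOKUP_REJECTED. The offset is computed rather than
 * dereferenced so the weak variant can be exercised without actually
 * reading or writing outside the table. */
static int64_t resolve(const uint8_t *buf, size_t len,
                       int (*check)(int32_t, int32_t)) {
    int32_t idx;
    if (!read_index(buf, len, &idx)) return LOOKUP_REJECTED;
    if (!check(idx, TABLE_COUNT)) return LOOKUP_REJECTED;
    return (int64_t)idx * (int64_t)sizeof(entry_t);
}

/* Count how many of a fixed set of constructed records the checker lets
 * reach an address outside the table. Zero is the only acceptable answer. */
static int count_out_of_bounds(int (*check)(int32_t, int32_t)) {
    /* Constructed samples: valid 0 and 7, then 8, -1, INT32_MIN, INT32_MAX. */
    static const uint8_t samples[][4] = {
        {0x00, 0x00, 0x00, 0x00}, {0x07, 0x00, 0x00, 0x00},
        {0x08, 0x00, 0x00, 0x00}, {0xff, 0xff, 0xff, 0xff},
        {0x00, 0x00, 0x00, 0x80}, {0xff, 0xff, 0xff, 0x7f},
    };
    int oob = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t off = resolve(samples[i], 4, check);
        if (off == LOOKUP_REJECTED) continue;
        if (off < 0 || off >= (int64_t)sizeof table) oob++;
    }
    return oob;
}

int main(void) {
    printf("weak check:   %d of 6 records resolve outside the table\n",
           count_out_of_bounds(weak_index_ok));
    printf("strict check: %d of 6 records resolve outside the table\n",
           count_out_of_bounds(strict_index_ok));
    return 0;
}
```

With the weak check, the records carrying -1 and INT32_MIN are accepted and resolve to negative offsets, which in a real player would be a read or write before the table; the strict check rejects both as well as 8 and INT32_MAX. The same one-sided comparison is just as wrong when the index is stored unsigned and only a lower bound is checked, so the habit worth taking from the example is to compare against both ends of the array in one unsigned test, directly next to the read that fetched the index.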
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government or the University of California, and shall not be
used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-041: libungif Security Update
Q-042: F-Secure AV for MS Exchange and Internet Gatekeeper Vulnerability
Q-043: chmlib
Q-044: openvpn
Q-045: clamav
Q-046: Vulnerabilities in Graphics Rendering Engine
Q-047: VERITAS Cluster Server for UNIX
Q-048: VERITAS NetBackup 5.x
Q-049: HP-UX envd Local Execution of Privileged Code
Q-050: awstats