Vulnerability Management | Rapid7

Vulnerabilities Discovered in Adobe Flash Player Plugin Allow Potential Attackers to Send Arbitrary HTTP Requests from Users' Browsers, Warns Vulnerability Management Company Rapid7

Rapid7 Reports Two Adobe Flash Vulnerabilities That Can Be Exploited with Specific Browser/Operating System Combinations and Potentially Used to Perform Cross-Site Request Forgery (CSRF) Attacks

Boston - October 17, 2006 - Two vulnerabilities in Adobe Flash Player allow an attacker to send arbitrary HTTP requests from an unsuspecting user's browser, Rapid7 LLC reports in a security advisory published today (see Rapid7 Advisory R7-0026: HTTP Header Injection Vulnerabilities in the Flash Player Plugin). Used in concert with cross-site request forgery (CSRF), they let an attacker forge requests that are sent by the victim's browser and therefore carry the victim's session cookies, and so reach private information or perform actions on the user's behalf. Adobe Flash Player version 9.0.16 for Windows and version 7.0.63 for Linux, as well as earlier versions, are affected.

Rapid7 confirmed that the vulnerabilities can be exploited when Flash Player is used with the following browser/operating system combinations:

  • Internet Explorer (IE) 6 Service Pack 2 (IE 6, Security Version 1) for Windows (with Flash 9.0.16)
  • Firefox 1.5.0.6 for Windows (with Flash 9.0.16)
  • Firefox 1.5.0.6 for Linux (with Flash 7.0.63)

The two vulnerabilities reported are as follows:

XML.addRequestHeader() Vulnerability

The addRequestHeader() method is meant to enforce a security restriction that forbids developers from setting headers such as Host, Referer or Content-Length, but the check is insufficient and can be bypassed. As a result, arbitrary headers, including the forbidden ones, can be injected into the HTTP requests Flash sends. The Rapid7 advisory notes that this vulnerability is similar to header injection vulnerabilities previously reported in Adobe Flash 7 and 8.

XML.contentType Vulnerability

The XML.contentType property is affected by the same class of vulnerability and can be exploited in the same way: Flash does not validate the property's value before building the HTTP request, so a crafted value injects additional headers into the request.
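As an added illustration of the bug class behind both the addRequestHeader() and the contentType issues (not code from the advisory or from Flash Player), the Python below models a request builder that enforces a header-name blacklist like the one described above but never inspects header values or the content type, beside a hardened builder that does. The bypass mechanism shown is the generic one for HTTP header injection, a CR LF sequence inside a value that starts a new header line; the advisory text on this page does not spell out Flash's exact bypass, so that mechanism, the hostname victim.example, the sample request body and all function names are assumptions of this example:

```python
import re

# Header names the builder refuses to set directly. The advisory describes
# addRequestHeader() as enforcing exactly this kind of restriction.
FORBIDDEN_HEADERS = {"host", "referer", "content-length"}

# RFC 7230 "token": what a header name or media-type part may contain.
# No whitespace, no CR, no LF, no other control characters.
_TOKEN_CHARS = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_TOKEN = re.compile(rf"^{_TOKEN_CHARS}$")
# Header field value: visible ASCII plus SP and HTAB; CR and LF are rejected.
_FIELD_VALUE = re.compile(r"^[\t \x21-\x7e]*$")
# Minimal media type: type/subtype with optional ";name=value" token parameters.
_MEDIA_TYPE = re.compile(
    rf"^{_TOKEN_CHARS}/{_TOKEN_CHARS}(?:;\s*{_TOKEN_CHARS}={_TOKEN_CHARS})*$"
)


def build_request_weak(path, headers, content_type, body):
    """Name-only blacklist: header values and the content type are never inspected."""
    lines = [f"POST {path} HTTP/1.1", "Host: victim.example"]   # assumed target host
    for name, value in headers:
        if name.lower() in FORBIDDEN_HEADERS:
            raise ValueError(f"header {name!r} may not be set")
        lines.append(f"{name}: {value}")            # a CR LF inside value starts a new line
    lines.append(f"Content-Type: {content_type}")   # same problem for the content type
    lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def build_request_hardened(path, headers, content_type, body):
    """Validate every header name and value and the media type before serialising."""
    for name, value in headers:
        if not _TOKEN.match(name):
            raise ValueError(f"invalid header name {name!r}")
        if name.lower() in FORBIDDEN_HEADERS:
            raise ValueError(f"header {name!r} may not be set")
        if not _FIELD_VALUE.match(value):
            raise ValueError(f"illegal characters in value of {name!r}")
    if not _MEDIA_TYPE.match(content_type):
        raise ValueError(f"invalid content type {content_type!r}")
    return build_request_weak(path, headers, content_type, body)


def headers_as_seen_by_server(raw):
    """Parse the serialised request the way a server does: one header per CRLF line."""
    head = raw.partition("\r\n\r\n")[0]
    seen = {}
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, _, value = line.partition(":")
        seen.setdefault(name.strip().lower(), []).append(value.strip())
    return seen


def referer_check_passes(seen, site):
    """A Referer-based CSRF defence: accept only requests claiming to come from the site itself."""
    return any(v.startswith(site) for v in seen.get("referer", []))


def demo():
    """Run constructed attacker inputs through both builders and report what a server sees."""
    site = "https://victim.example/"
    body = "to=attacker&amount=100"          # constructed sample body
    # Constructed: a harmless-looking custom header whose value smuggles a Referer line.
    injected_header = [("X-Client", "1\r\nReferer: " + site + "account")]
    # Constructed: the same trick carried by the content type instead.
    injected_type = "text/xml\r\nReferer: " + site + "account"

    weak_by_header = headers_as_seen_by_server(
        build_request_weak("/transfer", injected_header, "application/x-www-form-urlencoded", body))
    weak_by_type = headers_as_seen_by_server(
        build_request_weak("/transfer", [], injected_type, body))

    blocked = 0
    for hdrs, ctype in ((injected_header, "application/x-www-form-urlencoded"), ([], injected_type)):
        try:
            build_request_hardened("/transfer", hdrs, ctype, body)
        except ValueError:
            blocked += 1
    return {
        "weak_forges_referer_via_header": referer_check_passes(weak_by_header, site),
        "weak_forges_referer_via_content_type": referer_check_passes(weak_by_type, site),
        "hardened_rejected": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that a blacklist of header names is only as good as the validation of everything else that ends up in the request line by line: once a value or the content type can carry a line break, the forbidden Referer header appears to the server anyway, and a Referer-based CSRF check on the target site passes. The hardened builder rejects both inputs before any request is built.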

According to Rapid7, Adobe was notified of the vulnerabilities but has not yet released a fixed version of Adobe Flash Player. Until one is available, Rapid7 suggests four interim mitigations:

  • Upgrade to the beta release (Flash Player 9.0.18d60 for Windows), in which the issue is fixed;
  • Only allow trusted Web sites to use Flash;
  • Use alternative Flash Plugins (GplFlash, Gnash); or
  • Uninstall Adobe Flash Player.

According to Adobe, there are 700 million Adobe Flash users worldwide (source: labs.adobe.com).

To protect its customers, Rapid7 has added checks for these two vulnerabilities to NeXpose, its enterprise network vulnerability management solution.

About NeXpose

Rapid7 NeXpose is the broadest and deepest vulnerability management system on the market, providing comprehensive, high performance coverage of networks, databases, operating systems, and Web applications. Only NeXpose provides browser-based Web application vulnerability scanning of Web 2.0 applications and secures the complete Web application - from browser to server. NeXpose detects more vulnerabilities than traditional Web scanners by using Web Application Pass-Through Scanning, a unique capability for exploring how one vulnerability can lead to another.

NeXpose delivers extensive reports assessing risks and proposing streamlined remediation plans to optimize security and compliance with governmental regulations and corporate security policies. Rapid7 is an Approved Scanning Vendor (ASV) by the Payment Card Industry (PCI) Security Standards Council, certifying NeXpose to support retail operations in achieving PCI compliance.

About Rapid7

Rapid7 is a leader in vulnerability management and compliance, delivering a single unified solution across an organization's entire infrastructure. Rapid7 NeXpose helps security professionals to reduce their attack surface by providing actionable insights into the real threats from vulnerabilities across their entire IT infrastructure. Rapid7 NeXpose is the only solution that provides in-depth coverage of vital Web and database systems in addition to networked devices, servers, and operating systems. The NeXpose A.I. and Reporting Engines synthesize large quantities of raw data to provide direct insight into the vulnerabilities that represent the most risk to the business. From this insight the product delivers a set of prioritized remediation recommendations that help security professionals get protection fast. Organizations, including Black & Decker, Trader Joe's, Florida State University, the New York Times, and the City of Philadelphia, continually rely on Rapid7 products and services to mitigate risk and remain compliant.