Technical Description

Multiple vulnerabilities have been identified in Adobe Macromedia Flash Player, which could be exploited by attackers to bypass security restrictions or take complete control of an affected system.

The first flaw is due to input validation errors when handling overly long dynamically generated strings, which could be exploited by remote attackers to execute arbitrary commands via a malcious web page.

The second issue is due to an error within the "allowScriptAccess" option, which could be exploited by malicious web sites to bypass security restrictions and conduct cross domain scripting attacks.

The third vulnerability is due to an error in the way the ActiveX control is invoked by Office products, which could be exploited by attackers to execute arbitrary Flash code without user interaction when a malicious office document is opened.

Affected Products

Adobe Macromedia Flash Player versions prior to 9.0.16.0
Adobe Macromedia Flash Player versions prior to 8.0.33.0
Adobe Macromedia Flash Player versions prior to 7.0.68.0
Adobe Macromedia Flash Player versions prior to 7.0.66.0
Adobe Macromedia Flex versions prior to 7.0.65.0

Solution

Upgrade to fixed versions :
http://www.adobe.com/support/security/bulletins/apsb06-11.html

References

http://www.vupen.com/english/advisories/2006/3573
http://www.adobe.com/support/security/bulletins/apsb06-11.html

Credits

Vulnerabilities reported by Stuart Pearson, Dejun Meng and Debasis Mohanty.

ChangeLog

2006-09-12 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.