I know you guys will fix it, the problem is that people won't update until forced to. Perhaps you guys can do some advocacy with some of the larger Flash sites and get them to modify a bit of their html so that people get the newest version, or does that happen already even if they already have v6?
-- jon mailto:[EMAIL PROTECTED] Friday, August 9, 2002, 2:46:26 PM, you wrote: CL> Check out Mike Chambers blog for more information on this: http://radio.weblogs.com/0106797/2002/08/08.html#a239 CL> Christine CL> -----Original Message----- CL> From: jon hall [mailto:[EMAIL PROTECTED]] CL> Sent: Friday, August 09, 2002 1:17 PM CL> To: CF-Community CL> Subject: At least 18 security flaws discovered in Flash CL> From Bugtraq: CL> Macromedia Shockwave Flash Malformed Header Overflow CL> Release Date: August 8, 2002 CL> Severity: CL> High (Remote Code Execution) CL> Systems Affected: CL> Macromedia Shockwave Flash - All Versions; CL> Unix and Windows; Netscape and Internet Explorer CL> Description: CL> While working on some pre-release eEye Retina CHAM tools, an exploitable CL> condition was discovered within the Shockwave Flash file format called SWF CL> (pronounced "SWIF"). CL> Since this is a browser based bug, it makes it trivial to bypass firewalls CL> and attack the user at his desktop. Also, application browser bugs allow you CL> to target users based on the websites they visit, the newsgroups they read, CL> or the mailing lists they frequent. It is a "one button" push attack, and CL> using anonymous remailers or proxies for these attacks is possible. CL> This vulnerability has been proven to work with all versions of Macromedia CL> Flash on Windows and Unix, through IE and Netscape. It may be run wherever CL> Shockwave files may be displayed or attached, including: websites, email, CL> news postings, forums, Instant Messengers, and within applications utilizing CL> web-browsing functionality. CL> Technical Description: CL> The data header is roughly made out to: CL> [Flash signature][version (1)][File Length(A number of bytes too CL> short)][frame size (malformed)][Frame Rate (malformed)][Frame Count CL> (malformed)][Data] CL> By creating a malformed header we can supply more frame data than the CL> decoder is expecting. By supplying enough data we can overwrite a function CL> pointer address and redirect the flow of control to a specified location as CL> soon as this address is used. At the moment the overwritten address takes CL> control flow, an address pointing to a portion of our data is 8 bytes back CL> from the stack pointer. By using a relative jump we redirect flow into a CL> "call dword ptr [esp+N]", where N is the number of bytes from the stack CL> pointer. These "jump points" can be located in multiple loaded dll's. By CL> creating a simple tool using the debugging API and ReadMemory, you can CL> examine a process's virtual address space for useful data to help you with CL> your exploitation. CL> This is not to say other potentially vulnerable situations have not been CL> found in Macromedia's Flash. We discovered about seventeen others before we CL> ended our testing. We are working with Macromedia on these issues. CL> Protection: CL> Retina(R) Network Security Scanner already scans for this latest version of CL> Flash on users' systems. Ensure all users within your control upgrade their CL> systems. CL> Vendor Status: CL> Macromedia has released a patch for this vulnerability, available at: CL> http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Method=Full&Title=M CL> PSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerability%2 CL> 0Issue&Cache=False CL> Discovery: Drew Copley CL> Exploitation: Riley Hassell CL> Greetings: Hacktivismo!, Centra Spike CL> Copyright (c) 1998-2002 eEye Digital Security CL> Permission is hereby granted for the redistribution of this alert CL> electronically. It is not to be edited in any way without express consent of CL> eEye. If you wish to reprint the whole or any part of this alert in any CL> other medium excluding electronic medium, please e-mail [EMAIL PROTECTED] for CL> permission. CL> Disclaimer CL> The information within this paper may change without notice. Use of this CL> information constitutes acceptance for use in an AS IS condition. There are CL> NO warranties with regard to this information. In no event shall the author CL> be liable for any damages whatsoever arising out of or in connection with CL> the use or spread of this information. Any use of this information is at the CL> user's own risk. CL> Feedback CL> Please send suggestions, updates, and comments to: CL> eEye Digital Security CL> http://www.eEye.com CL> [EMAIL PROTECTED] ______________________________________________________________________ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Archives: http://www.mail-archive.com/[email protected]/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
