The vulnerabilities were reported on Bugtraq (http://search.securityfocus.com/swsearch?query=macromedia&sbm=%2F&submit=Se arch%21&metaname=alldoc&sort=swishlastmodified) a couple weeks ago. The vulnerabilities involve an attacker creating a malicious .swf file and tricking a user into downloading it, similar to a web site tricking a user into downloading a virus.
If you're creating a Flash application/animation for a customer, though, it's obviously not malicious, and thus the application itself is not susceptible to the "attack". The problem will be political, though, convincing your DoD customer your application isn't vulnerable. Of course, the reason to ban Flash player is less about interfacing with your benign application, and more about worrying that a user will inadvertently connect to another site that *does* have a malicious .swf file. The bug is in the Flash player, and can lead to compromise of the client's system. -Chris -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Merrill, Jason Sent: Friday, December 02, 2005 1:51 PM To: Flashcoders mailing list Subject: [Flashcoders] Flash security advisories from U.S. Navy/Marines? Anyone know anything about this? See the report below. This would effectively bring our Flash work with the U.S. Navy and Marine Corp to a screeching halt. The NMCI gold disk is the standard install of software for all computers in the Navy and Marines. Flash 7 was previously approved - now it looks like they could begin removing it from machines. It would be a long while before they approve Flash 8. And we were just about to propose a Flex option for them too. :-( Anyone know anything about this security issue? ________________________________ From: ***** Sent: Friday, December 02, 2005 1:28 PM To: ******** Subject: FW: Flash security advisories FYI... The NMCI just blocked access to ALL swf files from their web servers (.mil domains) yesterday. We'll have to see how this plays out. ****** ________________________________ -----Original Message----- From: ************* Sent: Thursday, December 01, 2005 4:50 PM Read below. Security vulnerabilities have been discovered in Flash. I received notice from Camp Pendleton that NMCI has once again blocked Flash mobile code from .mil networks. I confirmed with MCNOSC and asked for the info below. If we haven't already received any calls from anyone on .mil expressing issue viewing Flash activity on our site, we will soon. Apparently Macromedia recommends going to Flash Player version 8. We will meet tomorrow morning at 0930 in the CR to discuss the problem and alternative solutions. The policy will need to be reinstated by MCEN DAA to open the door again for Flash. Thanks, **** -----Original Message----- From: ******* Sent: Thursday, December 01, 2005 1:46 PM To: ***** Subject: Flash security advisories http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html IAVA extract: Joint Task Force - Global Network Operations (JTF-GNO) Information Assurance Vulnerability Alert 2005-A-0040 TOPIC: Multiple Vulnerabilities in Macromedia Flash REFERENCE: Macromedia http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html Security Focus http://www.securityfocus.com/bid/15332/info <http://www.securityfocus.com/bid/15322/info> http://www.securityfocus.com/advisories/9646 2 http://www.securityfocus.com/advisories/9728 CVE NUMBER(s): CAN-2005-2628 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2628> Macromedia Flash ActionDefineFunction Memory Access Vulnerability STIG FINDING: 1CAT I THREAT ASSESSMENT: High TIMELINE SUMMARY Release Date Acknowledgement Suspense Compliance Suspense 10 November 05 12 November 05 25 November 05 REVISION HISTORY Number Date Details 1 15 Nov -05 Posted STIG FINDING <ftp://www.cert.mil/pub/bulletins/dodcert2005/2005-a-0040.htm#1#1> Category. 2 21 Nov 05 Added systems to Vulnerable Systems <ftp://www.cert.mil/pub/bulletins/dodcert2005/2005-a-0040.htm#Vul Sys#Vul Sys> area Added link to Reference <ftp://www.cert.mil/pub/bulletins/dodcert2005/2005-a-0040.htm#SUSE Advisory#SUSE Advisory> area 3 29 Nov 05 Added patch link to DoD Patch Repository <ftp://www.cert.mil/pub/bulletins/dodcert2005/2005-a-0040.htm#3dodpatch# 3dodpatch> EXECUTIVE SUMMARY/IMPACT There are two vulnerabilities that have been identified affecting Macromedia Flash plug-ins. Macromedia Flash is a widely distributed application and is used to create simple motion graphics, video and animation for interactive websites. A plug-in adds a specific feature or service to a larger system, such as Macromedia Flash. The first vulnerability affects the Macromedia Flash Action Define Function Memory Access plug-in. This plug-in is vulnerable to an input validation error, which is when data that's entered exceeds the accepted boundaries of the application. This violation causes the application to crash, creating a Denial of Service (DoS). The second vulnerability affects the Macromedia Flash Array Index Memory Access plug-in. This plug-in is also vulnerable to an input validation error, except it is exploited by entering non-standard code into the application causing it to crash, creating the DoS. This occurs when an intruder would entice a user to download the malicious code. These vulnerabilities could result in an intruder gaining full access, executing non-standard code or causing a DoS. Macromedia Flash 6 and 7 are affected by both these vulnerabilities. The JTF-GNO has not received any reports of DoD incidents in regard to these vulnerabilities. However, a public Proof of Concept is currently circulating in the wild. TECHNICAL OVERVIEW Macromedia Flash ActionDefineFunction Memory Access Vulnerability and Macromedia Flash Array Index Memory Access Vulnerability The Flash plug-in is vulnerable to an input validation error that may be exploited to execute arbitrary code or carry out a Denial of Service (DoS) attack. These vulnerabilities exists when data that's entered exceeds the accepted boundaries of the application. These vulnerabilities are triggered by inadequate bounds validation for indexes of certain arrays. Inadequate input values, that use fields from the Shock Wave File (SWF) file, could allow an intruder to specify a function causing arbitrary code to be executed. An intruder may exploit these vulnerabilities by creating a malicious SWF file with specific data field values. The intruder would then entice a user to download the malicious file. This will happen automatically on many systems if users visit a website hosting the malicious SWF file. Macromedia Flash Array Index Memory Access Vulnerability is also vulnerable to a Denial of Service (DoS) attack. VULNERABLE SYSTEMS Macromedia Flash 6.0.0 Microsoft Internet Explorer 5.0.0 Microsoft Internet Explorer 5.0.1 Microsoft Internet Explorer 5.0.1 SP1 Microsoft Internet Explorer 5.0.1 SP2 Microsoft Internet Explorer 5.5.0 Microsoft Internet Explorer 5.5.0 preview Microsoft Internet Explorer 5.5.0 SP1 Microsoft Internet Explorer 5.5.0 SP2 Microsoft Internet Explorer 6.0.0 Netscape Communicator 4.6.0 Netscape Communicator 4.7.0 Netscape Communicator 4.51.0 Netscape Communicator 4.61.0 Netscape Communicator 4.72.0 Netscape Communicator 4.73.0 Netscape Communicator 4.74.0 Netscape Communicator 4.75.0 Netscape Communicator 4.76.0 Netscape Communicator 4.77.0 Netscape Communicator 4.78.0 Netscape Communicator 6.1.0 Macromedia Flash 6.0.29 .0 Macromedia Flash 6.0.40 .0 Macromedia Flash 6.0.47 .0 Macromedia Flash 6.0.65 .0 Macromedia Flash 6.0.79 .0 Macromedia Flash 7.0.0 r19 Macromedia Flash 7.0.19 .0 Microsoft Windows 98 Microsoft Windows 98SE Microsoft Windows ME Microsoft Windows XP Home SP1 Microsoft Windows XP Home SP2 Microsoft Windows XP Media Center Edition SP1 Microsoft Windows XP Media Center Edition SP2 Microsoft Windows XP Professional SP1 Microsoft Windows XP Professional SP2 Microsoft Windows XP Professional x64 Edition 2S.u.S.E. Linux Personal 9.0.0 S.u.S.E. Linux Personal 9.0.0 x86_64 S.u.S.E. Linux Personal 9.1.0 S.u.S.E. Linux Personal 9.1.0 x86_64 S.u.S.E. Linux Professional 9.0.0 S.u.S.E. Linux Professional 9.0.0 x86_64 S.u.S.E. Linux Professional 9.1.0 S.u.S.E. Linux Professional 9.1.0 x86_64 REQUIRED COMPLIANCE ACTIONS Apply the vendor upgrade. 3DoD Patch Repository https://patches.mont.disa.mil/metadata.jsp?ID=69022&asset=104371 Macromedia Patch Repository Macromedia Flash Player 8 http://www.macromedia.com/go/getflash NOTICE: This message is for the designated recipient only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of this e-mail by you is prohibited. _______________________________________________ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders _______________________________________________ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders