[Flashcoders] Flash security advisories from U.S. Navy/Marines?
Anyone know anything about this? See the report below. This would effectively bring our Flash work with the U.S. Navy and Marine Corp to a screeching halt. The NMCI gold disk is the standard install of software for all computers in the Navy and Marines. Flash 7 was previously approved - now it looks like they could begin removing it from machines. It would be a long while before they approve Flash 8. And we were just about to propose a Flex option for them too. :-( Anyone know anything about this security issue? From: * Sent: Friday, December 02, 2005 1:28 PM To: Subject: FW: Flash security advisories FYI... The NMCI just blocked access to ALL swf files from their web servers (.mil domains) yesterday. We'll have to see how this plays out. ** -Original Message- From: * Sent: Thursday, December 01, 2005 4:50 PM Read below. Security vulnerabilities have been discovered in Flash. I received notice from Camp Pendleton that NMCI has once again blocked Flash mobile code from .mil networks. I confirmed with MCNOSC and asked for the info below. If we haven't already received any calls from anyone on .mil expressing issue viewing Flash activity on our site, we will soon. Apparently Macromedia recommends going to Flash Player version 8. We will meet tomorrow morning at 0930 in the CR to discuss the problem and alternative solutions. The policy will need to be reinstated by MCEN DAA to open the door again for Flash. Thanks, -Original Message- From: *** Sent: Thursday, December 01, 2005 1:46 PM To: * Subject: Flash security advisories http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html IAVA extract: Joint Task Force - Global Network Operations (JTF-GNO) Information Assurance Vulnerability Alert 2005-A-0040 TOPIC: Multiple Vulnerabilities in Macromedia Flash REFERENCE: Macromedia http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html Security Focus http://www.securityfocus.com/bid/15332/info http://www.securityfocus.com/bid/15322/info http://www.securityfocus.com/advisories/9646 2 http://www.securityfocus.com/advisories/9728 CVE NUMBER(s): CAN-2005-2628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2628 Macromedia Flash ActionDefineFunction Memory Access Vulnerability STIG FINDING: 1CAT I THREAT ASSESSMENT: High TIMELINE SUMMARY Release Date Acknowledgement Suspense Compliance Suspense 10 November 05 12 November 05 25 November 05 REVISION HISTORY Number Date Details 1 15 Nov -05 Posted STIG FINDING ftp://www.cert.mil/pub/bulletins/dodcert2005/2005-a-0040.htm#1#1 Category. 2 21 Nov 05 Added systems to Vulnerable Systems ftp://www.cert.mil/pub/bulletins/dodcert2005/2005-a-0040.htm#Vul Sys#Vul Sys area Added link to Reference ftp://www.cert.mil/pub/bulletins/dodcert2005/2005-a-0040.htm#SUSE Advisory#SUSE Advisory area 3 29 Nov 05 Added patch link to DoD Patch Repository ftp://www.cert.mil/pub/bulletins/dodcert2005/2005-a-0040.htm#3dodpatch# 3dodpatch EXECUTIVE SUMMARY/IMPACT There are two vulnerabilities that have been identified affecting Macromedia Flash plug-ins. Macromedia Flash is a widely distributed application and is used to create simple motion graphics, video and animation for interactive websites. A plug-in adds a specific feature or service to a larger system, such as Macromedia Flash. The first vulnerability affects the Macromedia Flash Action Define Function Memory Access plug-in. This plug-in is vulnerable to an input validation error, which is when data that's entered exceeds the accepted boundaries of the application. This violation causes the application to crash, creating a Denial of Service (DoS). The second vulnerability affects the Macromedia Flash Array Index Memory Access plug-in. This plug-in is also vulnerable to an input validation error, except it is exploited by entering non-standard code into the application causing it to crash, creating the DoS. This occurs when an intruder would entice a user to download the malicious code. These vulnerabilities could result in an intruder gaining full access, executing non-standard code or causing a DoS. Macromedia Flash 6 and 7 are affected by both these vulnerabilities. The JTF-GNO has not received any reports of DoD incidents in regard to these vulnerabilities. However, a public Proof of Concept is currently circulating in the wild. TECHNICAL OVERVIEW Macromedia Flash ActionDefineFunction Memory Access Vulnerability and Macromedia Flash Array Index Memory Access Vulnerability The Flash plug-in is vulnerable to an input validation error that may be exploited to execute arbitrary code or carry out a Denial of Service (DoS) attack. These vulnerabilities
RE: [Flashcoders] Flash security advisories from U.S. Navy/Marines?
The vulnerabilities were reported on Bugtraq (http://search.securityfocus.com/swsearch?query=macromediasbm=%2Fsubmit=Se arch%21metaname=alldocsort=swishlastmodified) a couple weeks ago. The vulnerabilities involve an attacker creating a malicious .swf file and tricking a user into downloading it, similar to a web site tricking a user into downloading a virus. If you're creating a Flash application/animation for a customer, though, it's obviously not malicious, and thus the application itself is not susceptible to the attack. The problem will be political, though, convincing your DoD customer your application isn't vulnerable. Of course, the reason to ban Flash player is less about interfacing with your benign application, and more about worrying that a user will inadvertently connect to another site that *does* have a malicious .swf file. The bug is in the Flash player, and can lead to compromise of the client's system. -Chris -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Merrill, Jason Sent: Friday, December 02, 2005 1:51 PM To: Flashcoders mailing list Subject: [Flashcoders] Flash security advisories from U.S. Navy/Marines? Anyone know anything about this? See the report below. This would effectively bring our Flash work with the U.S. Navy and Marine Corp to a screeching halt. The NMCI gold disk is the standard install of software for all computers in the Navy and Marines. Flash 7 was previously approved - now it looks like they could begin removing it from machines. It would be a long while before they approve Flash 8. And we were just about to propose a Flex option for them too. :-( Anyone know anything about this security issue? From: * Sent: Friday, December 02, 2005 1:28 PM To: Subject: FW: Flash security advisories FYI... The NMCI just blocked access to ALL swf files from their web servers (.mil domains) yesterday. We'll have to see how this plays out. ** -Original Message- From: * Sent: Thursday, December 01, 2005 4:50 PM Read below. Security vulnerabilities have been discovered in Flash. I received notice from Camp Pendleton that NMCI has once again blocked Flash mobile code from .mil networks. I confirmed with MCNOSC and asked for the info below. If we haven't already received any calls from anyone on .mil expressing issue viewing Flash activity on our site, we will soon. Apparently Macromedia recommends going to Flash Player version 8. We will meet tomorrow morning at 0930 in the CR to discuss the problem and alternative solutions. The policy will need to be reinstated by MCEN DAA to open the door again for Flash. Thanks, -Original Message- From: *** Sent: Thursday, December 01, 2005 1:46 PM To: * Subject: Flash security advisories http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html IAVA extract: Joint Task Force - Global Network Operations (JTF-GNO) Information Assurance Vulnerability Alert 2005-A-0040 TOPIC: Multiple Vulnerabilities in Macromedia Flash REFERENCE: Macromedia http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html Security Focus http://www.securityfocus.com/bid/15332/info http://www.securityfocus.com/bid/15322/info http://www.securityfocus.com/advisories/9646 2 http://www.securityfocus.com/advisories/9728 CVE NUMBER(s): CAN-2005-2628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2628 Macromedia Flash ActionDefineFunction Memory Access Vulnerability STIG FINDING: 1CAT I THREAT ASSESSMENT: High TIMELINE SUMMARY Release Date Acknowledgement Suspense Compliance Suspense 10 November 05 12 November 05 25 November 05 REVISION HISTORY Number Date Details 1 15 Nov -05 Posted STIG FINDING ftp://www.cert.mil/pub/bulletins/dodcert2005/2005-a-0040.htm#1#1 Category. 2 21 Nov 05 Added systems to Vulnerable Systems ftp://www.cert.mil/pub/bulletins/dodcert2005/2005-a-0040.htm#Vul Sys#Vul Sys area Added link to Reference ftp://www.cert.mil/pub/bulletins/dodcert2005/2005-a-0040.htm#SUSE Advisory#SUSE Advisory area 3 29 Nov 05 Added patch link to DoD Patch Repository ftp://www.cert.mil/pub/bulletins/dodcert2005/2005-a-0040.htm#3dodpatch# 3dodpatch EXECUTIVE SUMMARY/IMPACT There are two vulnerabilities that have been identified affecting Macromedia Flash plug-ins. Macromedia Flash is a widely distributed application and is used to create simple motion graphics, video and animation for interactive websites. A plug-in adds a specific feature or service to a larger system, such as Macromedia Flash. The first vulnerability affects the Macromedia Flash Action Define Function Memory Access plug-in. This plug-in is vulnerable to an input validation error, which
Re: [Flashcoders] Flash security advisories from U.S. Navy/Marines?
Merrill, Jason wrote: Anyone know anything about this? See the report below. It sounds like they're talking about the security advisory released last month, which is addressed by either (a) on modern operating systems using the current Macromedia Flash Player, 8.0 generation; or (b) on Win95, WinNT, classic Mac or Linux, using the updated 7.x Players. http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html For what it's worth, I just did a quick Google search, and the SWF I checked were still playing: http://www.google.com/search?q=inurl:mil+macromedia Thanks for the heads-up, though, I'll spread the word here. Seems like their normal software update process should do it...? jd -- John Dowdell . Macromedia Developer Support . San Francisco CA USA Weblog: http://www.macromedia.com/go/blog_jd Aggregator: http://www.macromedia.com/go/weblogs Technotes: http://www.macromedia.com/support/ Spam killed my private email -- public record is best, thanks. ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
RE: [Flashcoders] Flash security advisories from U.S. Navy/Marines?
Nevermind (unless you happen to know more about what the Navy/Marines are going to do about it - that would be good to know.) I referenced this in my own post: http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html Jason Merrill | E-Learning Solutions | icfconsulting.com NOTICE: This message is for the designated recipient only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of this e-mail by you is prohibited. ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
RE: [Flashcoders] Flash security advisories from U.S. Navy/Marines?
Thanks John. I know Macromedia has worked wonders with the NMCI folks before, maybe you can do it again. Jason Merrill | E-Learning Solutions | icfconsulting.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Dowdell Sent: Friday, December 02, 2005 2:29 PM To: Flashcoders mailing list Subject: Re: [Flashcoders] Flash security advisories from U.S. Navy/Marines? Merrill, Jason wrote: Anyone know anything about this? See the report below. It sounds like they're talking about the security advisory released last month, which is addressed by either (a) on modern operating systems using the current Macromedia Flash Player, 8.0 generation; or (b) on Win95, WinNT, classic Mac or Linux, using the updated 7.x Players. http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html For what it's worth, I just did a quick Google search, and the SWF I checked were still playing: http://www.google.com/search?q=inurl:mil+macromedia Thanks for the heads-up, though, I'll spread the word here. Seems like their normal software update process should do it...? jd NOTICE: This message is for the designated recipient only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of this e-mail by you is prohibited. ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] Flash security advisories from U.S. Navy/Marines?
Merrill, Jason wrote: Thanks John. I know Macromedia has worked wonders with the NMCI folks before, maybe you can do it again. ... and thanks for the heads-up, Jason, staffers here are already in touch with their .MIL contacts to resolve it ;-) jd -- John Dowdell . Macromedia Developer Support . San Francisco CA USA Weblog: http://www.macromedia.com/go/blog_jd Aggregator: http://www.macromedia.com/go/weblogs Technotes: http://www.macromedia.com/support/ Spam killed my private email -- public record is best, thanks. ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
RE: [Flashcoders] Flash security advisories from U.S. Navy/Marines?
Fantastic John. I know from my Flex sales rep (Matt Troedson), they are using Flex in a few places in the Navy already... should be resolvable I would think. Jason Merrill | E-Learning Solutions | icfconsulting.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Dowdell Sent: Friday, December 02, 2005 3:39 PM To: Flashcoders mailing list Subject: Re: [Flashcoders] Flash security advisories from U.S. Navy/Marines? Merrill, Jason wrote: Thanks John. I know Macromedia has worked wonders with the NMCI folks before, maybe you can do it again. ... and thanks for the heads-up, Jason, staffers here are already in touch with their .MIL contacts to resolve it ;-) jd NOTICE: This message is for the designated recipient only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of this e-mail by you is prohibited. ___ Flashcoders mailing list Flashcoders@chattyfig.figleaf.com http://chattyfig.figleaf.com/mailman/listinfo/flashcoders