
MA-150.022009: MyCERT Special Alert - Adobe Flash Player Invalid Object Reference Vulnerability

1.0 Introduction

MyCERT has been observing an Adobe Flash Player invalid object reference vulnerability being actively exploited in the wild. An attacker can exploit it by enticing an unsuspecting victim to open an 'SWF' file, or an HTML page that contains an 'SWF' file, and thereby execute arbitrary code in the context of the affected application. Flash Player is normally used with a browser such as Mozilla Firefox or Internet Explorer.

2.0 Vulnerability description

Remote exploitation of an invalid object reference vulnerability in Adobe Flash Player could allow an attacker to execute arbitrary code with the privileges of the current user.

Based on our analysis, the exploit is triggered while a Shockwave Flash (SWF) file is running. A particular object can be created, along with multiple references that point to it. The object can then be destroyed and its associated references removed; however, a reference can incorrectly remain pointing to the object. The invalid object resides in uninitialized memory, which the attacker may control to gain arbitrary execution control.

3.0 Software affected

Affected software is Adobe Flash Player, version 9.0.124.0. Previous versions may also be affected.

Exploitation of this vulnerability was tested on Windows XP SP3 and Windows Vista SP1. MyCERT believes that all platforms supported by Flash Player are affected by this vulnerability, including Linux and MacOS.

4.0 Technical Details

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user viewing the web page. To exploit this vulnerability, a targeted user must load a malicious Shockwave Flash file created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into a compromised, trusted site.

Utilizing various techniques, an attacker is able to re-allocate and control the memory used by the destroyed object. This allows the attacker to subvert execution when a virtual function is called via the invalid reference.
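
The bug class described in sections 2.0 and 4.0 (an object destroyed while one reference to it survives, then its memory reused) can be made to fail closed by design. The following is an added illustration, not code from MyCERT or Adobe; every name in it is hypothetical. It shows generation-checked handles, where a leftover reference is rejected on lookup instead of reaching the reused memory:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not Flash Player internals. */
#define SLOTS 8
typedef struct { uint32_t gen; int live; int value; } slot_t;
typedef struct { uint32_t index; uint32_t gen; } handle_t;
static slot_t table[SLOTS];

/* Create an object; the handle records the slot's current generation. */
handle_t obj_create(int value) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (table[i].live) continue;
        table[i].live = 1;
        table[i].value = value;
        return (handle_t){ i, table[i].gen };
    }
    return (handle_t){ SLOTS, 0 };          /* table full: invalid handle */
}

/* Destroy: bumping the generation invalidates every outstanding handle. */
int obj_destroy(handle_t h) {
    if (h.index >= SLOTS || !table[h.index].live || table[h.index].gen != h.gen)
        return -1;                          /* stale handle or double destroy */
    table[h.index].live = 0;
    table[h.index].gen++;
    return 0;
}

/* Resolve a handle; NULL if the object it named no longer exists. */
const int *obj_get(handle_t h) {
    if (h.index >= SLOTS) return NULL;
    const slot_t *s = &table[h.index];
    return (s->live && s->gen == h.gen) ? &s->value : NULL;
}

/* Section 2.0 scenario: two references, destroy, then the slot is reused. */
int stale_reference_rejected(void) {
    handle_t a = obj_create(41);
    handle_t b = a;                         /* second reference, never cleared */
    if (obj_destroy(a) != 0) return 0;
    handle_t c = obj_create(1337);          /* same slot, new object */
    return c.index == a.index && obj_get(b) == NULL && obj_get(c) != NULL;
}

int main(void) {
    printf("stale reference rejected: %d\n", stale_reference_rejected());
    return 0;
}
```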

5.0 Solutions and workaround

  • Upgrade to Adobe Flash Player version 10.0.22.87. It can be downloaded from http://get.adobe.com/flashplayer/

  • If a user is not able to upgrade Adobe Flash Player, it is advisable to do the following:

    • For Internet Explorer users, download and install the Toggle Flash plugin from http://flash.melameth.com and allow or unblock Flash content only on trusted sites.

    • For Mozilla Firefox users, download and install the FlashBlock plugin from http://flashblock.mozdev.org/ and allow or unblock Flash content only on trusted sites.

  • Browse the Internet as a least-privileged user to limit the execution of the malicious file.

  • Do not open attachments or browse to unknown websites received via email that is unexpected or from an unknown person.

Copyright © 2009 - CyberSecurity Malaysia