Adobe Flash Player Upgrades To Fix A Bug
Flash maker Adobe (formerly Macromedia) has fixed a bug through a silent update to version 22.214.171.124. The bug lets an attacker who hosts 'flash files' on a website modify HTTP headers or carry out 'HTTP request splitting' attacks. Installing the update stops attackers from exploiting this vulnerability to disable web applications or inject commands into them.
According to a security advisory by Adobe, the attack's flexibility depends on the type of web browser one is using.
Adobe regards this issue as important and urgent and therefore recommends that all users of 'Adobe Flash Player 126.96.36.199' and earlier versions upgrade to the latest version, 188.8.131.52. The upgrade is available for download from the 'Player Download Center'. Alternatively, one can use the product's 'auto-update mechanism' when it prompts for an update.
Earlier in October, responding to a security advisory from 'Rapid7', Adobe confirmed that the flaw could allow an attacker to disable web applications or inject commands into them.
'Rapid7' disclosed two 'HTTP (Hypertext Transfer Protocol) Header Injection' vulnerabilities in the Flash Player 'plug-in'. They enable attackers to issue arbitrary HTTP requests while manipulating most of the HTTP headers, which in certain cases makes CSRF (Cross-Site Request Forgery) attacks easy to carry out.
When the HTTP server uses 'Keep-Alive connections' and the victim runs 'Firefox', attackers can use these Flash vulnerabilities to send fully arbitrary HTTP requests that are completely under their control. The attacker controls every part: HTTP method, URI, HTTP version, headers, and body. These attacks use the 'HTTP Request Splitting' technique.
In a CSRF (or XSRF) attack, the attacker causes a victim's browser to send requests to a website that trusts that user, so the forged requests appear legitimate. A CSRF attack can change firewall settings, post illegal data or conduct fraudulent financial transactions.
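The following Python example is added to this article and is not code from Adobe, Rapid7 or the Flash Player; all function and variable names in it are assumptions. It shows the two defensive checks the flaws described above call for: on the client side, the rule an HTTP client or browser plug-in must enforce before serialising a caller-supplied header (no CR, LF or NUL in a value, only token characters in a name), since a value carrying a blank line is exactly what splits a request on a keep-alive connection; and on the server side, a per-session CSRF token check that makes a forged cross-site request fail even when the attacker controls every byte of it, because a script on another site cannot read the token. The example generalises from the Flash case to any header-setting API.

```python
"""Added example, not code from the article, Adobe or Rapid7: the two
defensive checks that the vulnerabilities described above call for.
All function and variable names are assumptions made for this example."""
import hmac
import secrets


class HeaderInjection(ValueError):
    """A header name or value that would corrupt the HTTP wire format."""


# RFC 7230 'tchar' set: the only characters allowed in a header name.
_TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                   "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def validate_header(name, value):
    """Return (name, value) if safe to serialise, else raise HeaderInjection.

    CR, LF and NUL inside a value are what turn a 'set header' API into
    header injection; a value that also carries a blank line splits the
    request on a keep-alive connection."""
    if not name or not set(name) <= _TCHAR:
        raise HeaderInjection(f"illegal header name: {name!r}")
    if any(c in value for c in "\r\n\x00"):
        raise HeaderInjection(f"control character in value of {name}")
    return name, value.strip(" \t")


def header_is_safe(name, value):
    """Boolean wrapper around validate_header for callers that prefer no exception."""
    try:
        validate_header(name, value)
        return True
    except HeaderInjection:
        return False


def serialise_request(method, target, headers, validate=True):
    """Build a request head. validate=False mimics the unpatched behaviour
    of passing caller-supplied header text straight to the wire."""
    lines = [f"{method} {target} HTTP/1.1"]
    for name, value in headers:
        if validate:
            name, value = validate_header(name, value)
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def count_request_heads(raw):
    """Number of request heads a keep-alive server would parse from raw
    (a request line followed by headers, terminated by a blank line)."""
    heads = 0
    for block in raw.split("\r\n\r\n"):
        if block and " HTTP/" in block.split("\r\n", 1)[0]:
            heads += 1
    return heads


# Constructed demonstration value: a header whose text contains a blank line
# and a second request head (the pattern the article calls request splitting).
# The validating path refuses it; the unvalidated path emits two requests.
SPLIT_VALUE = "note\r\n\r\nGET /other HTTP/1.1\r\nHost: example.test"


# ---- server side: making a forged cross-site request fail -----------------

def new_csrf_token():
    """Per-session secret the server embeds in its own forms and pages."""
    return secrets.token_urlsafe(32)


def csrf_request_is_valid(session_token, submitted_token, origin, site_origin):
    """True only if the request echoes the session's token and, when the
    browser sent an Origin header, that origin is our own site. A script on
    another site can drive a request but cannot read the victim's token."""
    if not session_token or not submitted_token:
        return False
    if origin is not None and origin != site_origin:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    unsafe = serialise_request("GET", "/", [("X-Note", SPLIT_VALUE)], validate=False)
    print("unpatched serialiser emits", count_request_heads(unsafe), "request heads")
    print("validating serialiser accepts the value:", header_is_safe("X-Note", SPLIT_VALUE))
    token = new_csrf_token()
    print("forged request with a guessed token accepted:",
          csrf_request_is_valid(token, secrets.token_urlsafe(32),
                                "https://other.test", "https://example.test"))
```

Run as a script, the block shows the unvalidated serialiser producing two request heads from one header, the validating serialiser rejecting the same value, and the CSRF check refusing a request that carries the wrong token from a foreign origin. Checking the token with `hmac.compare_digest` rather than `==` keeps the comparison constant-time.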
Security firms have recently warned of the W32/Realor worm infecting 'Real Media' files, and vulnerability researchers are increasingly concentrating on media players. According to the 'National Vulnerability Database', in 2006 19 "medium" and "critical" flaws emerged in Apple's 'QuickTime Player', two in 'Real One' and 'Real Player', two in Microsoft's 'Windows Media Player' and three in Adobe's 'Flash Player'.
SPAMfighter News - 23-11-2006