DesktopLinux
Home  |  News  |  Articles  |  Forum  |  Polls  |  Blogs  |  Videos  |  Resource Library

Keywords: Match:
Vulnerabilities found in Adobe Flash Player plugin
Oct. 18, 2006

Two vulnerabilities have been found in Adobe Flash Player version 7.0.63 for Linux -- as well as earlier versions -- that provide an opportunity for attackers to send arbitrary HTTP requests from an unsuspecting user's browser, reports Rapid7 LLC in a security advisory published Tuesday.

These vulnerabilities could be used in concert with cross-site request forgery (CSRF) vulnerabilities to steal cookies or other private information, Rapid7 said. The exploits can be carried out through the vulnerabilities when Flash 7.0.63 is used with Firefox 1.5.0.6 for Linux.

The two vulnerabilities reported are as follows:
  • XML.addRequestHeader() Vulnerability -- The addRequestHeader() method insufficiently secures itself, providing a way around a security restriction that does not permit developers to use addRequestHeader() to set headers such as Host, Referer or Content-Length. As a result, it is possible to inject arbitrary headers with HTTP requests. The Rapid7 security paper points out that this vulnerability is similar to other, previously-reported vulnerabilities in Adobe Flash 7 and 8.

  • XML.contentType Vulnerability -- The XML.contentType attribute contains the same vulnerability found in the addRequestHeader() and it can be exploited in the same way because Adobe Flash does not check the validity of the attribute's value before building the HTTP request.
According to Rapid7, Adobe was notified of the vulnerabilities but has not yet released a fix or upgrade to Adobe Flash Player. To protect from the risk of attack, Rapid7 offers these solutions in the interim:
  • Only allow trusted Websites to use Flash
  • Use alternative Flash Plugins (GplFlash, Gnash)
  • Uninstall Adobe Flash Player
According to Adobe, there are 700 million Adobe Flash users worldwide.

Rapid7 was founded in 1999 by a team of software industry veterans who were major contributors to product development at Percussion Software, Bond Technologies, and Stride & Associates.



Related Stories:


(Click here for further information)



Home  |  News  |  Articles  |  Forum  |  Polls  |  About  |  Contact
 

Ziff Davis Enterprise Home | Contact Us | Advertise | Link to Us | Reprints | Magazine Subscriptions | Newsletters
Tech RSS Feeds | ROI Calculators | Tech Podcasts | Tech Video | VARs | Channel News

Baseline | Careers | Channel Insider | CIO Insight | DesktopLinux | DeviceForge | DevSource | eSeminars |
eWEEK | Enterprise Network Security | LinuxDevices | Linux Watch | Microsoft Watch | Mid-market | Networking | PDF Zone |
Publish | Security IT Hub | Strategic Partner | Web Buyer's Guide | Windows for Devices

Developer Shed | Dev Shed | ASP Free | Dev Articles | Dev Hardware | SEO Chat | Tutorialized | Scripts |
Code Walkers | Web Hosters | Dev Mechanic | Dev Archives | igrep

Use of this site is governed by our Terms of Service and Privacy Policy. Except where otherwise specified, the contents of this site are copyright © 1999-2011 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise is prohibited. Linux is a registered trademark of Linus Torvalds. All other marks are the property of their respective owners.