IBM Finds Critical Vulnerability in Flash Plugin: Get the Patch. Run, don't walk.
April 17, 2008
First, go to this page and check your Flash plug-in version. If it doesn't say you have Flash version 9,0,124,0, go here and UPGRADE.
You must be running 9,0,124,0.
Mark Dowd, who is an "X-Force Researcher" for IBM Internet Security Systems, published a report titled "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine."
If you are not interested in reading the paper or, like me, it is entirely over your head, Thomas Ptacek wrote a great point-by-point walkthrough on how Mark uncovered a remote code exploit, which, as I understand it, allows anyone to literally run malicious code on anyone's computer running Flash with the nasty script he developed.
The flaw isn't easy to exploit. In fact, Thomas points out that:
This New Vulnerability: Dowd’s Inhuman Flash Exploit
Look at the details of this attack. It’s a weaponized NULL pointer attack that desynchronizes a bytecode verifier to slip malicious ActionScript bytecode into the Flash runtime. If you’re not an exploit writer, think of it this way: you know that crazy version of Super Mario Brothers that Japan refused to ship to the US markets because they thought the difficulty would upset and provoke us? This is the exploit equivalent of that guy who played the perfect game of it on YouTube.
http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/
I think that sounds impressive.
Considering Flash's installed base, I would think that this is much more serious than any IE security flaw. Given that Adobe Flash only checks for updates every 30 days and that the "how to" has been published, it makes me wonder why the Adobe website is not telling people to install the critical patch.
Alternative Post Title:
Adobe p0wned by IBM researcher who discovers serious Security Vulnerability in Flash.



