Critical Adobe Flash Player Cross-Site Scripting Vulnerability
(Adobe APSB11-13)
Summary
A critical cross-site scripting vulnerability has been reported in Adobe Flash Player. A remote attacker can exploit this issue by enticing a user to download and view a Flash file that contains malicious ActionScript code. Successful exploitation of this vulnerability could allow the attacker to execute a cross-site scripting attack on the user, allowing the attacker to execute script content in the user's security context.
Details
Adobe Flash Player is a multimedia and application player that renders Shockwave Flash (SWF) files.
The vulnerability is due to an error when processing LoadMovie requests in Flash files. A remote attacker can exploit this vulnerability by enticing a user to download and view a Flash file that contains malicious ActionScript code. Successful exploitation of this vulnerability could allow the attacker to execute a cross-site scripting attack on the user, allowing the attacker to execute script in the user's security context.
Affected Products
Flash Player versions 10.3.181.16 and earlier are affected by this vulnerability.
Solution
It is recommended that the security update detailed in the Adobe security bulletin APSB11-13 be deployed as soon as is practical. In the meantime, Check Point's IPS Software Blade provides immediate network protection for unpatched systems in the latest update by detecting and blocking malformed Flash files that contain ActionScript components. For more information see CPAI-2011-284.
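For triage on systems that cannot be patched immediately, the following added example (not Check Point's IPS logic and not Adobe code) walks the tag stream of a SWF file and reports which tags carry ActionScript. It assumes the tag codes from the published SWF file format specification, uses a constructed sample file, and inventories ActionScript content only; it does not identify this specific flaw.

```python
import struct
import zlib

# Tag codes that carry ActionScript, per the SWF file format specification.
ACTIONSCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}

def actionscript_tags(swf):
    """Return the names of ActionScript-bearing tags in a SWF, in file order."""
    if len(swf) < 8 or swf[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not a FWS/CWS Flash file")
    body = swf[8:]
    if swf[:3] == b"CWS":            # data after the 8-byte header is zlib-compressed
        body = zlib.decompress(body)
    if not body:
        raise ValueError("empty SWF body")
    nbits = body[0] >> 3             # frame-size RECT: 5-bit width, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8   # RECT is padded to a byte boundary
    pos += 4                         # frame rate (2 bytes) + frame count (2 bytes)
    found = []
    while pos + 2 <= len(body):
        (code_len,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:           # long header: real length in the next 4 bytes
            if pos + 4 > len(body):
                raise ValueError("truncated long tag header (malformed SWF)")
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if pos + length > len(body):
            raise ValueError("tag runs past end of file (malformed SWF)")
        if code in ACTIONSCRIPT_TAGS:
            found.append(ACTIONSCRIPT_TAGS[code])
        if code == 0:                # End tag terminates the stream
            break
        pos += length
    return found

def _tag(code, data=b""):
    """Build a short-header tag (payload under 63 bytes) for the sample below."""
    return struct.pack("<H", (code << 6) | len(data)) + data

def build_sample(compressed=False):
    """Constructed minimal SWF: background colour, one DoAction, ShowFrame, End."""
    body = (b"\x00" + struct.pack("<HH", 12 << 8, 1) + _tag(9, b"\xff\xff\xff")
            + _tag(12, b"\x00") + _tag(1) + _tag(0))
    header = b"\x09" + struct.pack("<I", 8 + len(body))
    return (b"CWS" + header + zlib.compress(body)) if compressed else (b"FWS" + header + body)

if __name__ == "__main__":
    print(actionscript_tags(build_sample(compressed=True)))
```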
Originally Published:
Last Updated: 14-Jun-2011