Adobe Flash Player video file parsing integer overflow (CVE-2007-3456)
Description
Adobe Flash Player is a browser extension that plays Flash movies.
By using a specially crafted "flv" video, it is possible to trigger an integer overflow inside the Adobe Flash interpreter, which could lead to a client/browser-plugin crash, arbitrary code execution or system denial of service.
This is an arbitrary code execution vulnerability. It means that it can be used to place a backdoor, a virus or spyware on a vulnerable computer.
Recommendations
This problem was fixed in version 9.0.47.0 on Windows, MacOS and Solaris and in version 9.0.48.0 on Linux. Adobe recommends that all users of Adobe Flash Player 9.0.45.0 and earlier versions upgrade to the latest available version. The latest version of Adobe Flash Player can be downloaded from the Player Download Center, or by using the auto-update mechanism within the product when prompted.
For customers who cannot upgrade to Adobe Flash Player 9, Adobe has developed a patched version of Flash Player 7. Please refer to the Flash Player update TechNote.
To determine which version of Adobe Flash Player you have, go to the Version test for Adobe Flash Player page.
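For checking many machines at once, the version thresholds above can be applied to an inventory export. The following is an added example, not part of the original advisory; the platform keys, result labels, host names and sample version strings are constructed for illustration, and the patched Flash Player 7 build number is not given on this page, so 7.x installs are flagged for manual review.

```python
import re

# Fixed versions as stated in the advisory, keyed by platform (keys are assumed names).
FIXED = {
    "windows": (9, 0, 47, 0),
    "macos": (9, 0, 47, 0),
    "solaris": (9, 0, 47, 0),
    "linux": (9, 0, 48, 0),
}
LAST_AFFECTED = (9, 0, 45, 0)  # "9.0.45.0 and earlier versions"

def parse_version(text):
    """Parse '9.0.45.0' or '9,0,45,0'; leading text before the digits is tolerated."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    # Compare as integer tuples: as strings, '9.0.115.0' would sort below '9.0.47.0'.
    return tuple(int(part) for part in m.groups())

def classify(platform, version_text):
    """Return 'fixed', 'vulnerable', 'check-technote' or 'unknown'."""
    fixed = FIXED.get(platform.lower())
    if fixed is None:
        return "unknown"          # platform not covered by the advisory
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"
    if version >= fixed:
        return "fixed"
    if version[0] == 7:
        return "check-technote"   # may be the patched Flash Player 7 build
    if version <= LAST_AFFECTED:
        return "vulnerable"
    return "unknown"              # above 9.0.45.0 but below this platform's fixed build

def triage(inventory):
    """Map host -> status for (host, platform, version) rows."""
    return {host: classify(platform, version) for host, platform, version in inventory}

# Constructed sample inventory.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "9.0.45.0"),
    ("ws-02", "windows", "WIN 9,0,47,0"),
    ("lx-01", "linux", "9.0.47.0"),
    ("lx-02", "linux", "9.0.115.0"),
    ("kiosk-1", "windows", "7.0.19.0"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Note that 9.0.47.0 counts as fixed on Windows but not on Linux, where the fix shipped in 9.0.48.0.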