Macromedia Flash 6 and 7 (Flash.ocx) allows remote attackers to execute arbitrary code via a SWF file with a modified frame type identifier that is used as an out-of-bounds array index to a function pointer.

Updated Macromedia Flash Player packages that fix a security issue are now available.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

The flash-plugin package contains a Mozilla-compatible Macromedia Flash Player browser plug-in.

A buffer overflow bug was discovered in the Macromedia Flash Player.
It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious Macromedia Flash file. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2628 to this issue.

Users of Macromedia Flash Player should upgrade to these updated packages, which contain version 7.0.61 and are not vulnerable to this issue.

The remote host is running Apple Mac OS X, but lacks Security Update 2006-003. This security update contains fixes for the following applications :
AppKit
ImageIO
BOM
CFNetwork
ClamAV (Mac OS X Server only)
CoreFoundation
CoreGraphics
Finder
FTPServer
Flash Player
KeyChain
LaunchServices
libcurl
Mail
MySQL Manager (Mac OS X Server only)
Preview
QuickDraw
QuickTime Streaming Server
Ruby
Safari

The remote Mac OS X host is running a version of Quicktime prior to 7.1.  The remote version of Quicktime is vulnerable to various integer and buffer overflows involving specially-crafted image and media files.  An attacker may be able to leverage these issues to execute arbitrary code on the remote host by sending a malformed file to a victim and having it opened using QuickTime player.

The remote host is running Apple Mac OS X, but lacks Security Update 2006-003.

This security update contains fixes for the following applications :

AppKit ImageIO BOM CFNetwork ClamAV (Mac OS X Server only) CoreFoundation CoreGraphics Finder FTPServer Flash Player KeyCHain LaunchServices libcurl Mail MySQL Manager (Mac OS X Server only) Preview QuickDraw QuickTime Streaming Server Ruby Safari

The remote host is using a version of curl (or libcurl) that is vulnerable to a remote buffer overflows. To exploit, an attacker would have to set up a rogue web server and entice a curl user into browsing to the malicious server.  Upon successful exploitation, the attacker would be able to execute arbitrary commands with the rights of the web server.

The remote host is affected by the vulnerability described in GLSA-200511-21 (Macromedia Flash Player: Remote arbitrary code execution)

    When handling a SWF file, the Macromedia Flash Player incorrectly     validates the frame type identifier stored in the SWF file which is     used as an index to reference an array of function pointers. A     specially crafted SWF file can cause this index to reference memory     outside of the scope of the Macromedia Flash Player, which in turn can     cause the Macromedia Flash Player to use unintended memory address(es)     as function pointers.
  Impact :

    An attacker serving a maliciously crafted SWF file could entice a     user to view the SWF file and execute arbitrary code on the user's     machine.
  Workaround :

    There is no known workaround at this time.

The remote host is running Apple Mac OS X, but lacks Security Update 2005-009. This security update contains fixes for the following applications :
- Apache2
- Apache_mod_ssl
- CoreFoundation
- curl
- iodbcadmintool
- OpenSSL
- passwordserver
- Safari
- sudo
- syslog 

According to its version number, the instance of Macromedia's Flash Player on the remote host fails to validate the frame type identifier from SWF files before using that as an index into an array of function pointers.  An attacker may be able to leverage this issue using a specially crafted SWF file to execute arbitrary code on the remote host subject to the permissions of the user running Flash Player.

The remote host is using a version of curl (or libcurl) that is vulnerable to a remote buffer overflows. To exploit, an attacker would have to set up a rogue web server that would reply with a malicious NTLM authentication request.  Upon successful exploitation, the attacker would be able to execute arbitrary commands with the rights of the web server.

The remote host is using a version of wget that contains a flaw in the way that it handles NTLM authentication data.  Specifically, a rogue website that returns malformed data during an NTLM authentication session will be able to execute arbitrary code on the local client machine. 

The remote host is running ClamAV, an antivirus application. There are a number of flaws that affect this version of ClamAV, and the vendor recommends upgrading to version 0.88.1 or higher. 

ID	Name	Product	Family	Severity
63830	RHEL 3 / 4 : flash-plugin (RHSA-2005:835)	Nessus	Red Hat Local Security Checks	high
3617	Mac OS X Multiple Vulnerabilities (Security Update 2006-003)	Nessus Network Monitor	Operating System Detection	medium
3616	Quicktime < 7.1 on Mac OS X Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
21341	Mac OS X Multiple Vulnerabilities (Security Update 2006-003)	Nessus	MacOS X Local Security Checks	critical
3318	Curl < 7.15.1 Multiple Remote Overflows	Nessus Network Monitor	Web Clients	critical
20265	GLSA-200511-21 : Macromedia Flash Player: Remote arbitrary code execution	Nessus	Gentoo Local Security Checks	medium
3308	Mac OS X Multiple Vulnerabilities (Security Update 2005-009)	Nessus Network Monitor	Operating System Detection	high
20158	Flash Player < 7.0.60.0 / 8.0.22.0 Multiple Vulnerabilities	Nessus	Windows	high
3256	Curl NTLM Buffer Overflow	Nessus Network Monitor	Web Clients	medium
3255	GNU WGet < 1.10.2 Buffer Overflow	Nessus Network Monitor	Web Clients	medium
3505	ClamAV < 0.88.1 Multiple Vulnerabilities (deprecated)	Nessus Network Monitor	Web Clients	medium

Detections

Analytics

CVE-2005-2628

high

Tenable Plugins

high

medium

high

critical

critical

medium

high

high

medium

medium

medium