ID CVE-2006-3311
Summary Buffer overflow in Adobe Flash Player 8.0.24.0 and earlier, Flash Professional 8, Flash MX 2004, and Flex 1.5 allows user-assisted remote attackers to execute arbitrary code via a long, dynamically created string in a SWF movie.
References
Vulnerable Configurations
  • cpe:2.3:a:adobe:flash_player:8:-:pro
    cpe:2.3:a:adobe:flash_player:8:-:pro
  • cpe:2.3:a:adobe:flash_player:8.0.24.0
  • cpe:2.3:a:adobe:flash_player:mx_2004
    cpe:2.3:a:adobe:flash_player:mx_2004
  • Adobe Flex 1.5
    cpe:2.3:a:adobe:flex_sdk:1.5
CVSS
Base: 5.1 (as of 13-09-2006 - 13:50)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK HIGH NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Windows
    NASL id FLASH_PLAYER_9.NASL
    description According to its version number, the instance of Flash Player on the remote Windows host is affected by arbitrary code execution and denial of service issues. By convincing a user to visit a site with a specially crafted SWF file, an attacker may be able to execute arbitrary code on the affected host or cause the web browser to crash.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 22056
    published 2006-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22056
    title Flash Player Multiple Vulnerabilities (APSB06-11)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FLASH-PLAYER-2072.NASL
    description Multiple input validation errors have been identified in Flash Player that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user's web browser, email client, or other applications that include or reference the Flash Player. (CVE-2006-3311, CVE-2006-3587, CVE-2006-3588) These updates include changes to prevent circumvention of the 'allowScriptAccess' option. (CVE-2006-4640)
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27219
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27219
    title openSUSE 10 Security Update : flash-player (flash-player-2072)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_4_8.NASL
    description The remote host is running a version of Mac OS X 10.4.x that is prior to 10.4.8. Mac OS X 10.4.8 contains several security fixes for the following programs : - CFNetwork - Flash Player - ImageIO - Kernel - LoginWindow - Preferences - QuickDraw Manager - SASL - WebCore - Workgroup Manager
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 22476
    published 2006-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22476
    title Mac OS X 10.4.x < 10.4.8 Multiple Vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_7C75D48C429B11DBAFAE000C6EC775D9.NASL
    description Adobe reports : Multiple input validation errors have been identified in Flash Player 8.0.24.0 and earlier versions that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user?s web browser, email client, or other applications that include or reference the Flash Player. (CVE-2006-3311, CVE-2006-3587, CVE-2006-3588) These updates include changes to prevent circumvention of the 'allowScriptAccess' option. (CVE-2006-4640)
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 22341
    published 2006-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22341
    title FreeBSD : linux-flashplugin7 -- arbitrary code execution vulnerabilities (7c75d48c-429b-11db-afae-000c6ec775d9)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FLASH-PLAYER-2065.NASL
    description Multiple input validation errors have been identified in Flash Player that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user's web browser, email client, or other applications that include or reference the Flash Player. (CVE-2006-3311 / CVE-2006-3587 / CVE-2006-3588) These updates include changes to prevent circumvention of the 'allowScriptAccess' option. (CVE-2006-4640)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29432
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29432
    title SuSE 10 Security Update : flash-player (ZYPP Patch Number 2065)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2006-006.NASL
    description The remote host is running a version of Mac OS X 10.3 which does not have the security update 2006-006 applied. Security Update 2006-006 contains several security fixes for the following programs : - CFNetwork - Flash Player - QuickDraw Manager - SASL - WebCore
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 22479
    published 2006-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22479
    title Mac OS X Multiple Vulnerabilities (Security Update 2006-006)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200610-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-200610-02 (Adobe Flash Player: Arbitrary code execution) The Adobe Flash Player contains multiple unspecified vulnerabilities. Impact : An attacker could entice a user to view a malicious Flash file and execute arbitrary code with the rights of the user running the player. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 22506
    published 2006-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22506
    title GLSA-200610-02 : Adobe Flash Player: Arbitrary code execution
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0674.NASL
    description An updated Adobe Flash Player package that fixes security issues is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. The flash-plugin package contains a Firefox-compatible Adobe Flash Player browser plug-in. Security issues were discovered in the Adobe Flash Player. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious Adobe Flash file. (CVE-2006-3311, CVE-2006-3587, CVE-2006-3588) Users of Adobe Flash Player should upgrade to this updated package, which contains version 7.0.68 and is not vulnerable to this issue. Red Hat would like to thank Adobe for notifying us of these issues.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 63833
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63833
    title RHEL 3 / 4 : flash-plugin (RHSA-2006:0674)
oval via4
accepted 2013-04-15T04:00:20.020-04:00
class vulnerability
contributors
  • name Robert L. Hollis
    organization ThreatGuard, Inc.
  • name Dragos Prisaca
    organization Gideon Technologies, Inc.
  • name Brian Stull
    organization SAINT Corporation
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment Microsoft Windows XP (x86) SP2 is installed
    oval oval:org.mitre.oval:def:754
  • comment Microsoft Windows XP (x86) SP3 is installed
    oval oval:org.mitre.oval:def:5631
  • comment Microsoft Windows XP SP1 (64-bit) is installed
    oval oval:org.mitre.oval:def:480
description Buffer overflow in Adobe Flash Player 8.0.24.0 and earlier, Flash Professional 8, Flash MX 2004, and Flex 1.5 allows user-assisted remote attackers to execute arbitrary code via a long, dynamically created string in a SWF movie.
family windows
id oval:org.mitre.oval:def:394
status accepted
submitted 2006-11-15T12:28:05
title SWF Movie Arbitrary Code Execution Vulnerability
version 56
redhat via4
advisories
rhsa
id RHSA-2006:0674
refmap via4
apple APPLE-SA-2006-09-29
bid 19980
bugtraq 20060912 Computer Terrorism (UK) :: Incident Response Centre - Adobe/Macromedia Flash Player Vulnerability
cert
  • TA06-275A
  • TA06-318A
cert-vn VU#451380
confirm http://www.adobe.com/support/security/bulletins/apsb06-11.html
gentoo GLSA-200610-02
misc http://www.computerterrorism.com/research/ct12-09-2006.htm
ms MS06-069
sectrack 1016829
secunia
  • 21865
  • 21901
  • 22054
  • 22187
  • 22268
  • 22882
sreason 1546
suse SUSE-SA:2006:053
vupen
  • ADV-2006-3573
  • ADV-2006-3577
  • ADV-2006-3852
  • ADV-2006-4507
xf flashplayer-swf-string-bo(28886)
Last major update 07-03-2011 - 21:38
Published 12-09-2006 - 19:07
Last modified 18-10-2018 - 12:46
Back to Top