Adobe warns of Flash Media Server, Connect Enterprise Server vulnerabilities

Adobe has delivered three new bulletins warning about a critical code injection vulnerability that could allow an attacker to take over a system. The two primary platforms affected, Flash Media Server 2.0.4 and Adobe Connect Enterprise Server, are enterprise applications.

As Adobe increasingly becomes a Webtop standard via Flash, PDF and other formats, it will have to step up its security game. Adobe is big enough to carry a major target on its back, and last week it delivered a patch for Adobe Reader.

In Flash Media Server, Adobe detailed a vulnerability that could allow an attacker to take control of a system. To patch this flaw, Adobe recommends updating to Flash Media Server 2.0.5. The CVEs in question are CVE-2007-6431, CVE-2007-6148 and CVE-2007-6149.

Adobe writes:

Vulnerabilities have been identified in Adobe Flash Media Server 2.0.4 and earlier that could potentially allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. An attacker would need to be able to connect to TCP port 1935 or TCP port 19350 to exploit these issues. Adobe recommends Flash Media Server administrators update their product installations. This issue is remotely exploitable.

Sebastian Apelt and Sean Larsson of iDefense Labs discovered the issue. Their analysis noted that the Adobe Flash Media Server issue gives hackers an unlimited number of chances to get their attack right.

Exploitation of these vulnerabilities results in the execution of arbitrary code with SYSTEM level privileges. In order to exploit these vulnerabilities, an attacker only needs the ability to connect to the target server on TCP port 1935 or 19350. Unsuccessful attempts at exploitation will likely result in the Edge server crashing. After crashing, the Edge server will be restarted automatically. This gives an attacker an unlimited number of attempts at exploitation.
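The iDefense note above points out a failure mode defenders can watch for: a failed attempt crashes the Edge server, which is restarted automatically, so an attacker can keep trying. A burst of Edge crashes in a short window is therefore a signal worth alerting on. The following Python is an added example, not code from Adobe, iDefense or this article; the log line format, the component name `edge` and the threshold values are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (not real Flash Media Server output).
# Assumed format: "<date> <time> <component> <event...>".
SAMPLE_LOG = """\
2008-02-13 09:00:01 edge started
2008-02-13 09:05:12 edge crashed signal=11
2008-02-13 09:05:14 edge started
2008-02-13 09:05:40 edge crashed signal=11
2008-02-13 09:05:42 edge started
2008-02-13 09:06:05 edge crashed signal=11
2008-02-13 09:06:07 edge started
2008-02-13 14:30:00 edge crashed signal=11
2008-02-13 14:30:02 edge started
"""


def parse_crashes(log_text):
    """Return the timestamps of Edge crash events, in log order."""
    crashes = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # skip malformed or empty lines
        date, time, component, event = parts
        if component == "edge" and event.startswith("crashed"):
            crashes.append(datetime.fromisoformat(f"{date} {time}"))
    return crashes


def detect_crash_loops(crashes, threshold=3, window=timedelta(minutes=5)):
    """Flag bursts of >= threshold crashes inside one sliding window.

    Returns (first_crash, last_crash, count) per burst. A single crash
    (e.g. the isolated one at 14:30) is ordinary instability; a tight
    burst matches the crash-and-retry pattern iDefense describes.
    """
    alerts = []
    recent = deque()
    for ts in crashes:
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop crashes older than the window
        if len(recent) >= threshold:
            alerts.append((recent[0], ts, len(recent)))
            recent.clear()  # one alert per burst, then start fresh
    return alerts


if __name__ == "__main__":
    for first, last, count in detect_crash_loops(parse_crashes(SAMPLE_LOG)):
        print(f"ALERT: {count} Edge crashes between {first} and {last}")
```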

This same vulnerability also impacts Adobe Connect Enterprise Server 6. Adobe recommends that users upgrade to the Adobe Connect 6 Service Pack 3 update.

Separately, Adobe delivered a patch for RoboHelp 6 and RoboHelp 7 addressing a cross-site scripting vulnerability (CVE-2008-0642).

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN...
