Adobe has delivered three new bulletins warning about a critical code injection vulnerability that could allow an attacker to take over a system. The two primary platforms affected--Flash Media Server 2.0.4 and Adobe Connect Enterprise Server--are enterprise applications.
As Adobe increasingly becomes a Webtop standard via Flash, PDF and other formats, it will have to step up its security game. Adobe is big enough to carry a major target on its back and last week delivered a patch for Adobe Reader.
In Flash Media Server, Adobe detailed a vulnerability that could allow an attacker to take control of a system. To patch this flaw, Adobe recommends updating to Flash Media Server 2.0.5. The CVE numbers in question include: CVE-2007-6431, CVE-2007-6148, CVE-2007-6149.
Vulnerabilities have been identified in Adobe Flash Media Server 2.0.4 and earlier that could potentially allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. An attacker would need to be able to connect to TCP port 1935 or TCP port 19350 to exploit these issues. Adobe recommends Flash Media Server administrators update their product installations. This issue is remotely exploitable.
Sebastian Apelt and Sean Larsson of iDefense Labs discovered the issue. Their analysis noted that the Adobe Flash Media Server issue gives hackers an unlimited number of chances to get their attack right.
Exploitation of these vulnerabilities results in the execution of arbitrary code with SYSTEM level privileges. In order to exploit these vulnerabilities, an attacker only needs the ability to connect to the target server on TCP port 1935 or 19350. Unsuccessful attempts at exploitation will likely result in the Edge server crashing. After crashing, the Edge server will be restarted automatically. This gives an attacker an unlimited number of attempts at exploitation.
This same vulnerability also impacts Adobe Connect Enterprise Server 6. Adobe recommends that users upgrade to the Adobe Connect 6 Service Pack 3 update.
Separately, Adobe delivered a patch for RoboHelp 6 and RoboHelp 7 for a cross-site scripting vulnerability (CVE-2008-0642).
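The crash-and-restart behaviour iDefense describes for the Edge server is itself a detection signal on unpatched systems. The following is an added example, not code from Adobe or iDefense: it flags bursts of restarts and counts which source addresses connected to TCP 1935 or 19350 just before each one. The record formats, addresses, thresholds and function names are constructed assumptions, not real Flash Media Server log formats.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

FMS_PORTS = {1935, 19350}  # TCP ports named in the advisory
# Constructed sample data in a hypothetical format (not real server logs).
CONNECTIONS = """\
2008-02-13T10:00:01 198.51.100.7 1935
2008-02-13T10:00:02 192.0.2.10 1935
2008-02-13T10:01:10 198.51.100.7 19350
2008-02-13T10:02:30 198.51.100.7 1935
2008-02-13T10:02:31 192.0.2.44 80
2008-02-13T10:30:00 192.0.2.10 1935
"""
RESTARTS = """\
2008-02-13T10:00:03
2008-02-13T10:01:12
2008-02-13T10:02:33
2008-02-13T14:00:00
"""

def load(conn_text, restart_text):
    """Parse 'timestamp source_ip dest_port' lines and one-timestamp-per-line restarts."""
    ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")
    conns = [(ts(t), ip, int(p)) for t, ip, p in (l.split() for l in conn_text.splitlines())]
    return conns, [ts(l) for l in restart_text.split()]

def restart_bursts(restarts, threshold=3, window=timedelta(minutes=10)):
    """Return (first, last) for each run of >= threshold restarts inside the window."""
    recent, bursts = deque(), []
    for ts in sorted(restarts):
        recent.append(ts)
        while ts - recent[0] > window:  # drop restarts older than the window
            recent.popleft()
        if len(recent) >= threshold:
            if bursts and recent[0] <= bursts[-1][1]:  # overlaps the previous burst
                bursts[-1] = (bursts[-1][0], ts)
            else:
                bursts.append((recent[0], ts))
    return bursts

def sources_before_crash(conns, restarts, lookback=timedelta(seconds=5)):
    """Count, per source IP, the restarts preceded by its connection to an FMS port."""
    hits = Counter()
    for r in restarts:
        hits.update({ip for ts, ip, port in conns if port in FMS_PORTS and timedelta(0) <= r - ts <= lookback})
    return hits

if __name__ == "__main__":
    conns, restarts = load(CONNECTIONS, RESTARTS)
    print(restart_bursts(restarts), sources_before_crash(conns, restarts).most_common())
```

A source that precedes several restarts in one burst is the address to filter at the firewall while the upgrade to Flash Media Server 2.0.5 is scheduled.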