Source: cve@mitre.org
Macromedia Flash Player 6 does not terminate connections when the user leaves the web page, which allows remote attackers to cause a denial of service (bandwidth, resource, and CPU consumption) via the (1) loadMovie or (2) loadSound commands, which continue to execute until the browser is closed.
Macromedia Flash Player 6 is vulnerable to a denial-of-service (DoS) attack. By leveraging the loadMovie or loadSound commands, attackers can force the player to maintain persistent connections, consuming bandwidth, resources, and CPU until the user closes their browser, effectively rendering the system unusable.
Step 1: Payload Delivery: An attacker crafts a malicious web page containing Flash content that utilizes the loadMovie or loadSound commands. These commands are designed to load external media files, typically from a remote server.
Step 2: User Interaction: A user visits the malicious web page. The Flash content automatically starts loading the specified media files, establishing network connections.
Step 3: Persistent Connections: Even if the user navigates away from the malicious page or closes the browser tab, Flash Player 6 continues to maintain the established network connections, keeping the media loading process active.
Step 4: Resource Exhaustion: The persistent connections consume bandwidth, server resources, and CPU cycles on the victim's machine and the server hosting the malicious content.
Step 5: Denial of Service: Over time, the accumulation of these persistent connections leads to a denial-of-service condition, as the victim's system becomes overwhelmed by the resource consumption, potentially making the system unresponsive or significantly slow.
The vulnerability stems from a failure in Flash Player 6 to properly manage and terminate network connections initiated by the loadMovie and loadSound functions when the user navigates away from the page. The player continues to stream data, consuming resources indefinitely. The root cause is a lack of proper connection management and cleanup logic within the Flash Player's event handling for page navigation or closure. Specifically, the player doesn't release the resources associated with the loaded media when the user leaves the page or closes the browser window. This leads to persistent connections and resource exhaustion. There is no buffer overflow or race condition involved, but rather a design flaw in connection termination.
This vulnerability is not directly associated with specific APTs or malware campaigns in the present day due to the age of the software. However, the underlying principles of resource exhaustion attacks are still relevant. No CISA KEV status is applicable.
Network traffic analysis: Look for persistent, long-lived connections to external servers initiated by Flash Player processes.
Process monitoring: Identify Flash Player processes consuming excessive CPU or network bandwidth.
Log analysis: Examine web server logs for unusual traffic patterns originating from clients running Flash Player 6 (or older versions).
Endpoint detection and response (EDR) tools: Monitor for unusual network activity or resource consumption by Flash Player processes.
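The network-traffic and process checks above can be combined into one pass over flow records. The following is an added example, not part of the original advisory: the CSV record layout, the process name `flashplayer.exe`, the internal address ranges and the 10-minute threshold are all assumptions to adapt to your own telemetry.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample flow records (not real telemetry):
# process,remote_ip,opened,last_seen,bytes_received
SAMPLE_FLOWS = """\
flashplayer.exe,203.0.113.10,2024-01-01T10:00:00,2024-01-01T10:45:00,52428800
flashplayer.exe,203.0.113.10,2024-01-01T10:00:05,2024-01-01T10:00:09,20480
flashplayer.exe,10.0.0.5,2024-01-01T09:00:00,2024-01-01T11:00:00,1048576
notepad.exe,198.51.100.7,2024-01-01T08:00:00,2024-01-01T12:00:00,4096
"""

# Assumptions: adjust to the process names and address plan of your environment.
WATCHED_PROCESSES = {"flashplayer.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Turn CSV lines into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        proc, remote, opened, last_seen, nbytes = line.split(",")
        flows.append({
            "proc": proc.lower(),
            "remote": ipaddress.ip_address(remote),
            "opened": datetime.fromisoformat(opened),
            "last_seen": datetime.fromisoformat(last_seen),
            "bytes": int(nbytes),
        })
    return flows


def find_persistent_flows(flows, min_duration=timedelta(minutes=10)):
    """Return watched-process flows to external hosts open for >= min_duration."""
    hits = []
    for f in flows:
        if f["proc"] not in WATCHED_PROCESSES:
            continue
        if any(f["remote"] in net for net in INTERNAL_NETS):
            continue  # internal destination, out of scope for this check
        duration = f["last_seen"] - f["opened"]
        if duration >= min_duration:
            hits.append((f["proc"], str(f["remote"]), duration, f["bytes"]))
    return hits


if __name__ == "__main__":
    for proc, remote, duration, nbytes in find_persistent_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"{proc} -> {remote}: open {duration}, {nbytes} bytes received")
```
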
Upgrade to a modern web browser with a current, patched Flash Player or, preferably, disable Flash Player entirely.
Implement network traffic shaping to limit bandwidth consumption from specific processes or IP addresses.
Monitor network traffic for unusual patterns indicative of DoS attacks.
Educate users about the risks of visiting untrusted websites and the importance of keeping software up-to-date.