|Main Archive Page > Month Archives > full-disclosure-uk archives|
NOTE: Other versions may also be affected.
Rating: Highly critical
Impact: System compromise
Secunia Research has discovered a vulnerability in Flash Player distributed with certain versions of Windows XP, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by a use-after-free error in the bundled version of Flash Player when unloading Flash objects while these are still being accessed using script code. This can be exploited to corrupt memory via a specially crafted web page.
Successful exploitation allows execution of arbitrary code.
Install the latest version of Adobe Flash Player.
requests an advisory will be published in two weeks). 05/02/2008 - Vendor response (vulnerability successfully reproduced
and asks for coordinated disclosure).
07/02/2008 - Vendor informed that disclosure will be coordinated.
18/03/2008 - Vendor provides status update.
02/05/2008 - Vendor provides status update (waiting for Adobe).
15/08/2008 - Status update requested.
19/08/2008 - Vendor provides status update (coordinating with Adobe).
15/06/2009 - Status update requested.
22/06/2009 - Vendor response (working on a solution).
20/11/2009 - Status update requested. Vendor also informed that
disclosure of the advisory won't be postponed for much
30/11/2009 - Status update requested again. 30/11/2009 - Vendor response (coordinating with Adobe on recommending users to install the latest version of Adobe Flash Player instead). 07/12/2009 - Vendor informed that Secunia has scheduled the advisory for disclosure on 12th January 2010. 15/12/2009 - Vendor response (more time requested along with draft of Secunia advisory). 21/12/2009 - Draft of Secunia Research advisory sent to the vendor. Vendor also informed that disclosure won't be postponed. 07/01/2010 - Vendor informs that an advisory will be released on 12th January 2010 at the same time as the Secunia advisory is published.
12/01/2010 - Public disclosure.
Discovered by Carsten Eiram and Dyon Balding, Secunia Research.
The Common Vulnerabilities and Exposures (CVE) project has not currently assigned a CVE identifier for the vulnerability.
Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:
Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.
Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:
Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:
Secunia offers a FREE mailing list called Secunia Security Advisories:
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2007-77/
Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/