[Full-disclosure] Secunia Research: Microsoft Windows Flash Player Movie Unloading Vulnerability

From: Secunia Research <remove-vuln_at_nospam>
Date: Tue Jan 12 2010 - 19:07:52 GMT
To: full-disclosure@lists.grok.org.uk

Secunia Research 12/01/2010

Microsoft Windows Flash Player Movie Unloading Vulnerability -

Table of Contents Affected Software....................................................1 Severity.............................................................2 Description of Vulnerability.........................................3 Solution.............................................................4 Time Table...........................................................5 Credits..............................................................6 References...........................................................7 About Secunia........................................................8 Verification.........................................................9
======================================================================
1) Affected Software

Windows XP SP2 (bundled Flash Player 6.0.79).

NOTE: Other versions may also be affected.

2) Severity

Rating: Highly critical
Impact: System compromise
Where: Remote

3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Flash Player distributed with certain versions of Windows XP, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a use-after-free error in the bundled version of Flash Player when unloading Flash objects while these are still being accessed using script code. This can be exploited to corrupt memory via a specially crafted web page.

Successful exploitation allows execution of arbitrary code.

4) Solution

Install the latest version of Adobe Flash Player.

5) Time Table 18/10/2007 - Vendor notified. 18/10/2007 - Vendor response. 01/11/2007 - Microsoft states that the vulnerability is fixed by the patches released in MS06-069. 02/11/2007 - Vendor informed that MS06-069 does not fix the vulnerability, which was tested against a fully patched system. 23/11/2007 - Vendor contacted (status update requested). 23/01/2008 - Vendor contacted (status update requested again). 05/02/2008 - Vendor informed that due to no response to status

requests an advisory will be published in two weeks). 05/02/2008 - Vendor response (vulnerability successfully reproduced

and asks for coordinated disclosure). 07/02/2008 - Vendor informed that disclosure will be coordinated. 18/03/2008 - Vendor provides status update. 02/05/2008 - Vendor provides status update (waiting for Adobe). 15/08/2008 - Status update requested. 19/08/2008 - Vendor provides status update (coordinating with Adobe). 15/06/2009 - Status update requested. 22/06/2009 - Vendor response (working on a solution). 20/11/2009 - Status update requested. Vendor also informed that disclosure of the advisory won't be postponed for much longer.
30/11/2009 - Status update requested again. 30/11/2009 - Vendor response (coordinating with Adobe on recommending users to install the latest version of Adobe Flash Player instead). 07/12/2009 - Vendor informed that Secunia has scheduled the advisory for disclosure on 12th January 2010. 15/12/2009 - Vendor response (more time requested along with draft of Secunia advisory). 21/12/2009 - Draft of Secunia Research advisory sent to the vendor. Vendor also informed that disclosure won't be postponed. 07/01/2010 - Vendor informs that an advisory will be released on 12th January 2010 at the same time as the Secunia advisory is published.
12/01/2010 - Public disclosure.

6) Credits

Discovered by Carsten Eiram and Dyon Balding, Secunia Research.

7) References

The Common Vulnerabilities and Exposures (CVE) project has not currently assigned a CVE identifier for the vulnerability.

8) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2007-77/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

This message: [ Message body ]
Next message: Marc Deslauriers: "[Full-disclosure] [USN-882-1] PHP vulnerabilities"
Previous message: Nick Freeman: "[Full-disclosure] Yoono Firefox Extension - Privileged Code Injection"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]