[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] iDefense Security Advisory 02.24.09: Adobe Flash Player Invalid Object Reference Vulnerability
- To: <labs-no-reply@xxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <vulnwatch@xxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] iDefense Security Advisory 02.24.09: Adobe Flash Player Invalid Object Reference Vulnerability
- From: Ray P <sixsigma98@xxxxxxxxxxx>
- Date: Wed, 25 Feb 2009 00:10:39 +0000
"iDefense has confirmed the existence of this vulnerability in latest version
of Flash Player, version 9.0.124.0."
What am I missing here? Flash 9.0.124 has been out since April 2008 and the
version of Flash 9 on my computer is 9.0.154.
Ray
> Date: Tue, 24 Feb 2009 13:33:11 -0500
> From: labs-no-reply@xxxxxxxxxxxx
> To: bugtraq@xxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx;
> full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] iDefense Security Advisory 02.24.09: Adobe Flash
> Player Invalid Object Reference Vulnerability
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> iDefense Security Advisory 02.24.09
> http://labs.idefense.com/intelligence/vulnerabilities/
> Feb 24, 2009
>
> I. BACKGROUND
>
> Adobe Flash Player is a very popular web browser plugin. It is available
> for multiple web browsers and platforms, including Windows, Linux and
> MacOS. Flash Player enables web browsers to display rich multimedia
> content, such as online videos, and is often a requirement for popular
> websites.
>
> For more information, see the vendor's site found at the following link.
>
> http://www.adobe.com/products/flashplayer
>
> II. DESCRIPTION
>
> Remote exploitation of a invalid object reference vulnerability in Adobe
> Systems Inc.'s Flash Player could allow an attacker to execute arbitrary
> code with the privileges of the current user.
>
> During the processing of a Shockwave Flash file, a particular object can
> be created, along with multiple references that point to the object. The
> object can be destroyed and its associated references removed. However a
> reference can incorrectly remain pointing to the object. The invalid
> object resides in uninitialized memory, which the attacker may control
> to gain arbitrary execution control.
>
> III. ANALYSIS
>
> Exploitation of this vulnerability results in the execution of arbitrary
> code with the privileges of the user viewing the web page. To exploit
> this vulnerability, a targeted user must load a malicious Shockwave
> Flash file created by an attacker. An attacker typically accomplishes
> this via social engineering or injecting content into a compromised,
> trusted site.
>
> Utilizing various techniques, an attacker is able to re-allocate and
> control the memory used by the destroyed object. This allows the
> attacker to subvert execution when a virtual function is called via the
> invalid reference.
>
> IV. DETECTION
>
> iDefense has confirmed the existence of this vulnerability in latest
> version of Flash Player, version 9.0.124.0. Previous versions may also
> be affected.
>
> Exploitation of this vulnerability was tested on Windows XP SP3 and
> Windows Vista SP1. iDefense believe that all platforms supported by
> Flash Player are affected by this vulnerability, including Linux and
> MacOS.
>
> V. WORKAROUND
>
> A Internet Explorer plugin is available to temporarily block and unblock
> Flash content using a single click. Only trusted sites should be
> unblocked when using this plugin. More information is available at
> http://flash.melameth.com.
>
> A Firefox plugin is available to temporarily block and unblock Flash
> content using a single click. Only trusted sites should be unblocked
> when using this plugin. More information is available at:
> http://flashblock.mozdev.org.
>
> VI. VENDOR RESPONSE
>
> Adobe has released a patch which addresses this issue. For more
> information, consult their advisory (APSB09-01) at the following URL:
>
> http://www.adobe.com/support/flashplayer/
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2009-0520 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 08/25/2008 - Initial Contact
> 09/22/2008 - PoC Requested
> 11/05/2008 - PoC Sent
> 11/06/2008 - Clarification requested
> 12/05/2008 - Clarification Sent
> 12/07/2008 - Additional Clarification Sent
> 02/19/2009 - Draft bulletin received
> 02/24/2009 - Coordinated Public Disclosure
>
> IX. CREDIT
>
> This vulnerability was reported to iDefense by Javier Vicente Vallejo,
> http://www.vallejo.cc.
>
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
>
> Free tools, research and upcoming events
> http://labs.idefense.com/
>
> X. LEGAL NOTICES
>
> Copyright © 2009 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFJpD1jbjs6HoxIfBkRApISAJwPJQ+NVFVuunwT3xQ8oBwPOBIgKACfR6FI
> CDuo0gjNPYmFcp/qNk0zL/g=
> =3Cf1
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_________________________________________________________________
It’s the same Hotmail®. If by “same” you mean up to 70% faster.
http://windowslive.com/online/hotmail?ocid=TXT_TAGLM_WL_HM_AE_Same_022009
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/