[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] iDefense Security Advisory 02.24.09: Adobe Flash Player Invalid Object Reference Vulnerability



"iDefense has confirmed the existence of this vulnerability in latest version 
of Flash Player, version 9.0.124.0."

What am I missing here? Flash 9.0.124 has been out since April 2008 and the 
version of Flash 9 on my computer is 9.0.154.

Ray

> Date: Tue, 24 Feb 2009 13:33:11 -0500
> From: labs-no-reply@xxxxxxxxxxxx
> To: bugtraq@xxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx; 
> full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] iDefense Security Advisory 02.24.09: Adobe Flash 
> Player Invalid Object Reference Vulnerability
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> iDefense Security Advisory 02.24.09
> http://labs.idefense.com/intelligence/vulnerabilities/
> Feb 24, 2009
> 
> I. BACKGROUND
> 
> Adobe Flash Player is a very popular web browser plugin. It is available
> for multiple web browsers and platforms, including Windows, Linux and
> MacOS. Flash Player enables web browsers to display rich multimedia
> content, such as online videos, and is often a requirement for popular
> websites.
> 
> For more information, see the vendor's site found at the following link.
> 
> http://www.adobe.com/products/flashplayer
> 
> II. DESCRIPTION
> 
> Remote exploitation of a invalid object reference vulnerability in Adobe
> Systems Inc.'s Flash Player could allow an attacker to execute arbitrary
> code with the privileges of the current user.
> 
> During the processing of a Shockwave Flash file, a particular object can
> be created, along with multiple references that point to the object. The
> object can be destroyed and its associated references removed. However a
> reference can incorrectly remain pointing to the object. The invalid
> object resides in uninitialized memory, which the attacker may control
> to gain arbitrary execution control.
> 
> III. ANALYSIS
> 
> Exploitation of this vulnerability results in the execution of arbitrary
> code with the privileges of the user viewing the web page. To exploit
> this vulnerability, a targeted user must load a malicious Shockwave
> Flash file created by an attacker. An attacker typically accomplishes
> this via social engineering or injecting content into a compromised,
> trusted site.
> 
> Utilizing various techniques, an attacker is able to re-allocate and
> control the memory used by the destroyed object. This allows the
> attacker to subvert execution when a virtual function is called via the
> invalid reference.
> 
> IV. DETECTION
> 
> iDefense has confirmed the existence of this vulnerability in latest
> version of Flash Player, version 9.0.124.0. Previous versions may also
> be affected.
> 
> Exploitation of this vulnerability was tested on Windows XP SP3 and
> Windows Vista SP1. iDefense believe that all platforms supported by
> Flash Player are affected by this vulnerability, including Linux and
> MacOS.
> 
> V. WORKAROUND
> 
> A Internet Explorer plugin is available to temporarily block and unblock
> Flash content using a single click. Only trusted sites should be
> unblocked when using this plugin. More information is available at
> http://flash.melameth.com.
> 
> A Firefox plugin is available to temporarily block and unblock Flash
> content using a single click. Only trusted sites should be unblocked
> when using this plugin. More information is available at:
> http://flashblock.mozdev.org.
> 
> VI. VENDOR RESPONSE
> 
> Adobe has released a patch which addresses this issue. For more
> information, consult their advisory (APSB09-01) at the following URL:
> 
> http://www.adobe.com/support/flashplayer/
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2009-0520 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 08/25/2008  - Initial Contact
> 09/22/2008  - PoC Requested
> 11/05/2008  - PoC Sent
> 11/06/2008  - Clarification requested
> 12/05/2008  - Clarification Sent
> 12/07/2008  - Additional Clarification Sent
> 02/19/2009  - Draft bulletin received
> 02/24/2009  - Coordinated Public Disclosure
> 
> IX. CREDIT
> 
> This vulnerability was reported to iDefense by Javier Vicente Vallejo,
> http://www.vallejo.cc.
> 
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
> 
> Free tools, research and upcoming events
> http://labs.idefense.com/
> 
> X. LEGAL NOTICES
> 
> Copyright © 2009 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
>  There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFJpD1jbjs6HoxIfBkRApISAJwPJQ+NVFVuunwT3xQ8oBwPOBIgKACfR6FI
> CDuo0gjNPYmFcp/qNk0zL/g=
> =3Cf1
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________
It’s the same Hotmail®. If by “same” you mean up to 70% faster. 
http://windowslive.com/online/hotmail?ocid=TXT_TAGLM_WL_HM_AE_Same_022009
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/