Re: DoS vulnerability in Adobe Flash Player (BSOD)

[Jann Horn <jann () thejh net>]

On Thu, Apr 04, 2013 at 01:24:29AM +0300, MustLive wrote:
> Hello list!
>
> I want to warn you about Denial of Service vulnerability (BSOD) in Adobe
> Flash Player. I've found this vulnerability at 27.01.2013.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable version is Adode Flash 11.5.502.146. Attack works only on AMD/ATI
> video cards.
>
> Adobe have fixed it at 12.02.2013 in their patch APSB13-05
> (https://www.adobe.com/support/security/bulletins/apsb13-05.html), which
> fixed multiple vulnerabilities in flash player. At that Adobe did it
> hiddenly without mentioned about this vulnerability and without referencing
> on me. After my informing in the end of January, they was "checking it"
> during 1,5 months and said, that they can't reproduce this vulnerability (at
> that I've reproduced it on multiple computers with ATI video cards), that
> they don't know anything (the hole was accidentally fixed in APSB13-05) and
> this DoS doesn't related to them.

Sorry, but how can this be a vuln in *Flash*, a *user-space* component, if it
can be used to cause a BSOD, which, as far as I know, means that something bad
happened *in the Kernel*? Sounds to me as if Flash is not the (or at least not
the only) culprit...

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/