Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

DoS vulnerability in Flash player (access violation)

From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 4 Jan 2013 23:56:21 +0200
Hello list!

I want to warn you about Denial of Service vulnerability in Flash player 
plugin for browsers. I've found this vulnerability in June (11.06.2011). 
That time I've wrote about this built-in DoS in new version of Flash player 
as a "surprise" from Adobe (for owners of old browser, because in new 
browsers it worked well).

When in December 2011 I've had conversation with Adobe concerning different 
vulnerabilities in their software, I reminded them about that built-in DoS 
in Flash. I stated that it was intentionally made by Adobe (to drop support 
of old browsers), but Adobe PSIRT declined possibility of such DoS. So I've 
made a videos for them (with normal work of plugin and its crash in browser) 
and after viewing of videos, PSIRT confirmed that Adobe really dropped 
support of old browsers. So it's intended behavior - to DoS a browser at 
every flash-file (it can be even blank swf-file). In December 2012 I've 
uploaded the video (with crash) to YouTube.

-------------------------
Affected products:
-------------------------

Vulnerable are Flash 10.3 (and potentially 10.1 and 10.2) and next versions.

Tested in next versions of flash plugin: Flash 10.0 r42 (works fine), Flash 
10.3 r183 (crashes). Version 10.3 r183 can be seen in the video. Some time 
ago I also checked it in version 11.4 r402 and it works the same as in 10.3 
r183.

----------
Details:
----------

DoS:

This is Denial of Service vulnerability and it's memory corruption (access 
violation).

Video:

http://www.youtube.com/watch?v=3W_5jb17Aus

Attack works in old versions of browsers (particularly on Gecko engine). The 
browser with Flash 10.3 and next versions crashes (at direct view of 
swf-file or web page with embedded flash-file). This happens due to stopping 
of support of old versions of browsers by Adobe (in NPAPI versions of Flash 
player).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: