| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Apr 2014 17:40:31 +0200 From: VUPEN Security Research <advisories@...en.com> To: bugtraq@...urityfocus.com Subject: VUPEN Security Research - Adobe Flash ExternalInterface Use-After-Free Code Execution (Pwn2Own) VUPEN Security Research - Adobe Flash ExternalInterface Use-After-Free Code Execution (Pwn2Own) Website : http://www.vupen.com Twitter : http://twitter.com/vupen I. BACKGROUND --------------------- Adobe Flash Player is a cross-platform browser-based application runtime that delivers viewing of expressive applications, content, and videos across screens and browsers. It is installed on 98% of computers. II. DESCRIPTION --------------------- VUPEN Vulnerability Research Team discovered a critical vulnerability in Adobe Flash. The vulnerability is caused by a use-after-free error when interacting with the "ExternalInterface" class from the browser, which could be exploited to achieve code execution via a malicious web page. III. AFFECTED PRODUCTS --------------------------- Adobe Flash versions prior to 13.0.0.182 IV. SOLUTION ---------------- Upgrade to Adobe Flash v13.0.0.182. V. CREDIT -------------- This vulnerability was discovered by VUPEN Security. VI. ABOUT VUPEN Security --------------------------- VUPEN is the leading provider of defensive and offensive cyber security intelligence and advanced zero-day research. All VUPEN's vulnerability intelligence results exclusively from its internal and in-house R&D efforts conducted by its team of world-class researchers. VUPEN Solutions: http://www.vupen.com/english/services/ VII. REFERENCES ---------------------- http://helpx.adobe.com/security/products/flash-player/apsb14-09.html http://zerodayinitiative.com/advisories/ZDI-14-092/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0506 VIII. DISCLOSURE TIMELINE ----------------------------- 2014-01-28 - Vulnerability Discovered by VUPEN Security 2014-03-13 - Vulnerability Reported to Adobe During Pwn2Own 2014 2014-04-08 - Vulnerability Fixed by Adobe 2014-04-14 - Public disclosure
Powered by blists - more mailing lists