Open Source and information security mailing list archives
Date: Sun, 05 Jan 2014 22:24:16 +0000
From: sixtyvividtails <>
Subject: Re: DoS vulnerability in Adobe Flash Player (BSOD)

Do you have any plans to release more details regarding this denial of
service vulnerability? BSOD crashdump, maybe?

On 2013-12-30 19:11, MustLive wrote:
> Hello list!
> At the beginning of this year I informed you about a DoS vulnerability in
> Adobe Flash. Look at advisory
> ( with exploit and video
> demonstration ( of previous
> DoS in Flash. Adobe hiddenly fixed it in the patch APSB13-05 and
> answered that "a fix to another hole accidentally fixed this hole".
> And here is a new DoS. Which can be new hole or can be related to old
> one (if Adobe has resurrected old DoS hole in new versions of Flash).
> This is Denial of Service vulnerability in Adobe Flash, which led
> to BSOD. Last week I informed Adobe and Mozilla (since attack works
> only in Mozilla browsers).
> -------------------------
> Affected products:
> -------------------------
> Attack works only on AMD/ATI video cards. I checked it on multiple
> computers with Windows XP, Windows 7 and Ubuntu Linux 13.04.
> Vulnerable Adobe Flash 11.9.900.152 and 11.9.900.170 (the last
> version) for Windows and Flash for Linux (the last
> version for this OS). On Linux there is 100% CPU consumption and on
> Windows (XP and 7) there is crash of the OS.
> ----------
> Details:
> ----------
> Denial of Service (WASC-10):
> This is Denial of Service vulnerability, which leads to crash of
> Operating System (tested on Windows XP and 7). As previous DoS hole,
> this one also works only with AMD/ATI video cards (and it works on
> different OS unlike previous DoS in Flash). Also it works potentially
> in any flash media player in Internet - at any web sites, including
> YouTube (it doesn't require swf file of VideoJS, as previous hole).
> This is memory corruption (access violation) vulnerability. Which can
> be used for BSOD and potentially for remote code execution.
> Here is video, which demonstrates this vulnerability in Flash:
> In the video there is web site with JW Player (but freezing and/or
> crashing of the OS happens in any flash video players).
> Attack is going on a browser Firefox (on Windows XP freezing or BSOD
> can be from the first or not from the first time, 100% CPU consumption
> on Linux works all the time). In Mozilla Firefox 3.0.19, 10.0.7 ESR,
> 15.0.1 and 26 - freezing of the browser and BSOD of the OS.
> I have disclosed it at my site (
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> Hosted and sponsored by Secunia -

