|
|
|
|
| |
Credit:
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/
|
| |
Vulnerable Systems:
* Adobe Flash Player version 9.0.124.0 and prior
During the processing of a Shockwave Flash file, an object can be created, along with multiple references that point to the object. The object can be destroyed and its associated references removed. However a reference can incorrectly remain pointing to the object. The invalid object resides in uninitialized memory, which the attacker may control to gain arbitrary execution control.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user viewing the web page. To exploit this vulnerability, a targeted user must load a malicious Shockware Flash file created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into a compromised, trusted site.
Patch Availability:
Adobe has released a patch which addresses this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown.
http://www.adobe.com/support/security/bulletins/apsb09-10.html
CVE Information:
CVE-2009-1864
Disclosure Timeline:
08/25/2008 - Initial Contact
11/05/2008 - PoC Sent
05/11/2009 - Tentative disclosure set to August
07/30/2009 - Coordinated public disclosure
X-------------------------------------------------------------------------------------------------------------------------------
Find out more about website security scanning.
|
|
|
|
|
