|
|
|
|
| |
Credit:
The original article can be found at: http://seclists.org/bugtraq/2011/Feb/119
|
| |
Vulnerable Systems:
* Adobe Flash Player Plugin version 10.1.82.76
* Adobe Flash Player Plugin version 10.1.85.3.
The vulnerability occurs when parsing a maliciously formatted sequence of ActionScript code inside of an Adobe Flash file. The problem exists in a certain ActionScript method. When the method is called with particular parameters, the ActionScript engine gets confused and takes a user supplied value as an object pointer which leads to an exploitable condition.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user viewing the Web page. To exploit this vulnerability, a targeted user must load a malicious Web page created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. After the user visits the malicious Web page, no further user interaction is needed.
Patch Availability:
Adobe has addressed this issue with an update. Further details and patches can be found at the following URL:
http://www.adobe.com/support/security/bulletins/apsb11-02.html
Workaround:
Disable Flash Player plugin by restricting access to Flash Player files, which are usually under C:\WINDOWS\system32\Macromed\Flash\ folder
CVE Information:
CVE-2011-0559
Disclosure Timeline:
09/22/2010 Initial Vendor Notification
09/22/2010 Initial Vendor Reply
02/08/2011 Coordinated Public Disclosure
|
|
|
|
|
