Channel: BOT24

Adobe Flash Player (BSOD) DoS Vulnerability


I want to warn you about a Denial of Service (BSOD) vulnerability in Adobe
Flash Player. I found this vulnerability on 27.01.2013.

-------------------------
Affected products:
-------------------------

The vulnerable version is Adobe Flash 11.5.502.146. The attack works only on
AMD/ATI video cards.

Adobe fixed it on 12.02.2013 in their patch APSB13-05
(https://www.adobe.com/support/security/bulletins/apsb13-05.html), which
fixed multiple vulnerabilities in Flash Player. Adobe did it
quietly, without mentioning this vulnerability and without referencing
me. After I informed them at the end of January, they were "checking it"
for 1.5 months and said that they can't reproduce this vulnerability (while
I've reproduced it on multiple computers with ATI video cards), that
they don't know anything (the hole was accidentally fixed in APSB13-05) and
that this DoS doesn't relate to them.

----------
Details:
----------

Denial of Service (WASC-10):

This is a Denial of Service vulnerability, which leads to a crash of the
operating system (tested on Windows XP and 7).

Here is a video which demonstrates this vulnerability in Flash:

http://www.youtube.com/watch?v=xi29KZ3LD80

This is a memory corruption (access violation) vulnerability, which can be
used for BSOD and potentially for remote code execution.

For the attack, the flash file uses the VideoJS Flash Component from Zencoder.
I informed the developers of this video player at the beginning of
February.

The attack works in the browsers Firefox and Opera (though BSOD works only in
Firefox):

In Mozilla Firefox 15.0.1 and 18.0.1 - freezing of the browser (which can't
be closed) and BSOD of the system.
In Mozilla Firefox 3.0.19 and 10.0.7 ESR - no problems (everything works
normally).
In Opera 10.62 - freezing of the browser (which can be closed).

PoC/Exploit:

http://websecurity.com.ua/uploads/2013/Adobe%20Flash%20DoS%20BSOD.rar

To start the exploit, place it on a web server (e.g. on
localhost), put any mp4 file under the name poc.mp4 next to poc.htm and open
the htm file (via the web server). Then click on the speaker image or on the
area of the video player.

------------
Timeline:
------------
2013.01.27 - found vulnerability.
2013.01.28 - recorded video PoC. That night informed developers.
2013.02.01 - again informed developers, because they didn't answer. After
that Adobe answered my first letter of communication.
2013.02.08 - informed developers of VideoJS.
2013.02.12 - Adobe fixed vulnerability and released patch, but was still
investigating.
2013.02-03 - during February-March, while Adobe was investigating this
vulnerability, I sent them information about different tested computers
where the hole was working (on ATI cards) and was not working (on nVidia
cards), and sent them all the information they needed.
2013.03.02 - announced on my site.
2013.03.13 - Adobe finished investigation.
2013.04.03 - disclosed on my site (http://websecurity.com.ua/6364/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua



