VUPEN Security Research - Adobe Flash ExternalInterface Use-After-Free Code Execution (Pwn2Own)
Website : http://www.vupen.com
Twitter : http://twitter.com/vupen
Adobe Flash Player is a cross-platform browser-based application runtime that delivers viewing of expressive applications, content, and videos across screens and browsers. It is installed on 98% of computers.
VUPEN Vulnerability Research Team discovered a critical vulnerability in Adobe Flash.
The vulnerability is caused by a use-after-free error when interacting with the "ExternalInterface" class from the browser, which could be exploited to achieve code execution via a malicious web page.
Adobe Flash versions prior to 18.104.22.168
Upgrade to Adobe Flash v22.214.171.124.
This vulnerability was discovered by VUPEN Security.
VUPEN is the leading provider of defensive and offensive cyber security intelligence and advanced zero-day research. All VUPEN's vulnerability intelligence results exclusively from its internal and in-house R&D efforts conducted by its team of world-class researchers.
VUPEN Solutions: http://www.vupen.com/english/services/
http://helpx.adobe.com/security/products/flash-player/apsb14-09.html
http://zerodayinitiative.com/advisories/ZDI-14-092/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0506
2014-01-28 - Vulnerability Discovered by VUPEN Security
2014-03-13 - Vulnerability Reported to Adobe During Pwn2Own 2014
2014-04-08 - Vulnerability Fixed by Adobe
2014-04-14 - Public disclosure