Author: LOM <lom at lom.spb.ru> Product: Macromedia Flash ActiveX 6.0 (6,0,47,0) Vendor: Macromedia was not contacted Risk: High Remote: Yes Exploitable: Yes
Macromedia flash ActiveX plugin displays .swf files under Internet Explorer.
Few vulnerabilities were identified: protected memory reading, memory consumption DoS and more serious: 1. zlib 1.1.3 double free() bug 2. Buffer overflow in SWRemote parameter for flash object.
Last bug is very close to one reported by eEye in May . This kind of overflows (heap based Unicode overflow) is definitely exploitable under Internet Explorer. Attached proof of concept (by LOM) demonstrates exception triggered in free(). See  for exploiting heap overflows,  for exploiting Unicode overflows under Internet Explorer.
Vulnerabilities were discovered by LOM <lom at lom.spb.ru>