71254 : Adobe Flash AVM2 Action Script Virtual Machine Memory Corruption
Printer | http://osvdb.org/71254 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
18	2581	about 2 years ago	4 months ago	20 times	100%

Timeline

Disclosure Date
2011-03-14

Description

A memory corruption flaw exists in Adobe Flash Player and AIR, and the Authplay.dll component in Reader and Acrobat. The ActionScript Virtual Machine 2 component fails to sanitize user-supplied input when handling certain instruction sequences, resulting in memory corruption. With a specially crafted .swf file, a context-dependent attacker can execute arbitrary code.

Classification

Location: Local / Remote, Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public, Virus / Malware
Disclosure: Vendor Verified, Discovered in the Wild

Solution

Upgrade to version indicated in vendor advisory, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Adobe Systems Incorporated	Acrobat	9.4.2
	Flash Player	10.2.152.33
	AIR	2.5.1
	Flash Player for Android	10.1.106.16
	Acrobat X	10.0.1
	Reader X	10.0.1
	Adobe Reader	9.4.2

References

Security Tracker: 1025210 1025211 1025238
OVAL ID: 14147
CERT VU: 192052
CVE ID: 2011-0609 (see also: NVD)
Secunia Advisory ID: 43751 43757 43772 43856 43864 45607 46322
Bugtraq ID: 46860
ISS X-Force ID: 66078
Metasploit ID: 71254
VUPEN Advisory: ADV-2011-0655 ADV-2011-0656 ADV-2011-0688 ADV-2011-0732
Vendor Specific News/Changelog Entry: http://blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html
http://www.adobe.com/support/security/bulletins/apsb11-06.html
http://www.gentoo.org/security/en/glsa/glsa-201110-11.xml
Vendor Specific Advisory URL: http://blogs.oracle.com/sunsecurity/entry/cve_2011_0609_vulnerability_in
http://www.adobe.com/support/security/advisories/apsa11-01.html
https://hermes.opensuse.org/messages/7722692
Other Advisory URL: http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html
http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates_15.html
http://securityreason.com/securityalert/8152
http://www.virustotal.com/file-scan/report.html?id=350943b8187458d880cd47ed881d0695e1373d44ed55a1ff963c631173bff06a-1300270876sample2
http://www.virustotal.com/file-scan/report.html?id=454f624958298bf76c5b7ffa1509159b827856095d41672707fcf6416a818ddb-1300274473sample1
Mail List Post: http://seclists.org/fulldisclosure/2011/Oct/593
News Article: http://www.electronista.com/articles/11/03/15/patch.inbound.for.affected.platform.eventually/
RedHat RHSA: RHSA-2011:0372

Tools & Filters

	52713 52755

Credit

Not Available

CVSSv2 Score

CVSSv2 Base Score = 9.3
Source: nvd.nist.gov | Generated: 2011-03-15 | Disagree?

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Timeline

Description

Classification

Solution

Products

Adobe Systems Incorporated

Acrobat

Flash Player

AIR

Flash Player for Android

Acrobat X

Reader X

Adobe Reader

References

Tools & Filters

Credit

CVSSv2 Score

Comments