(Vendor Issues Fix and Disputes One Claim) Re: Macromedia ActiveX Flash Player Heap Overflow Will Execute Arbitrary Code in Malicious Flash Content
SecurityTracker Alert ID: 1005654|
SecurityTracker URL: http://securitytracker.com/id/1005654
(Links to External Site)
Date: Nov 19 2002
Execution of arbitrary code via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 6.0 (6,0,47,0)|
A heap overflolw vulnerability was reported in the Macromedia Flash player's ActiveX component for Microsoft Windows. A remote user can execute arbitrary code on the target user's system.|
A remote user can create malicious Flash content that, when viewed by the target user, will cause arbitrary code to be executed on the target user's computer. The code will run with the privileges of the target user.
Demonstration exploit code is available at:
The vendor has reportedly been notified.
SECURITY.NNOV credits LOM <lom at lom.spb.ru> with discovering the flaw.
A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.|
Macromedia reports that Flash Player 6 was released with the fix for the double free() bug back in March 2002 and that the current version of the Flash Player ships with the latest version (1.1.4) of zlib.|
Macromedia confirms that the SW Remote parameter tag can be triggered to crash the Flash Player, but indicates that they could not reproduce an exploitable buffer overflow (to execute code). The denial of service bug has reportedly been fixed in their publicly available beta software, available at:
In both cases, Macromedia indicates that they worked directly with the reporter to resolve these issues.
Vendor URL: www.macromedia.com/ (Links to External Site)
|Underlying OS: Windows (Any)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: Re: LOM: Multiple vulnerabilities in Macromedia Flash ActiveX|
Status on the below posting regarding:
1. zlib 1.1.3 double free() bug
2. Buffer overflow in SWRemote parameter for flash object.
1. zlib 1.1.4 double free() bug
Flash Player 6 was released with the fix for the double free() bug back in
March 2002, the player ships with the latest version 1.1.4.
We have not found any exploit of this to date, since we ship with the
2. SW Remote parameter tag
We investigated this issue and worked with LOM <lom at lom.spb.ru> to try
and reproduce this buffer overflow. In all of our testing we could NOT
reproduce a buffer overflow, but there is indeed a crash bug which we have
a fix for in our public beta at
In all of these cases we worked directly with the reporter and resolved
these issues, to be either an issue or a non issue.
Macromedia is committed to security, we take security very seriously.
Flash Player Product Manager
>Author: LOM <lom at lom.spb.ru>
>Product: Macromedia Flash ActiveX 6.0 (6,0,47,0) for Microsoft Internet
>Vendor: Macromedia was contacted on 23 Oct 2002.
>Macromedia flash ActiveX plugin displays .swf files under Internet
>Explorer. Quoting www.macromedia.com: "Over 97.8% of all web users have
>the Macromedia Flash Player".
>Few vulnerabilities were identified: protected memory reading, memory
>consumption DoS and more serious:
> 1. zlib 1.1.3 double free() bug
> 2. Buffer overflow in SWRemote parameter for flash object.
>Last bug is very close to one reported by eEye in May . Probably it
>was not found by eEye because overflow is heap based, so exception is
>triggered on free(). It may be achieved by setting and changing property
>overflow) is exploitable under Internet Explorer. Attached proof of
>concept (by LOM) demonstrates exception triggered in free(). See 
>for exploiting heap overflows,  for exploiting Unicode overflows
>under Internet Explorer.
>Vulnerabilities were discovered by LOM <lom at lom.spb.ru>
>Macromedia was contacted on 23 Oct 2002. The only reply was received on
>29 Oct 2002 that Macromedia will look into these issues.
>Disable ActiveX in Internet Explorer or uninstall flash ActiveX.
>1. Macromedia Shockwave proof of concept
>2. eEye, Macromedia Flash Activex Buffer overflow
>3. w00w00 on Heap Overflows
>4. 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and
> few sidenotes on Unicode overflows in general)
>5. Additional or updated information on this issue