VUPEN Security Research - Adobe Flash ExternalInterface Use-After-Free Code Execution (Pwn2Own)
Website : http://www.vupen.com
Twitter : http://twitter.com/vupen
Adobe Flash Player is a cross-platform browser-based application runtime
that delivers viewing of expressive applications, content, and videos
across screens and browsers. It is installed on 98% of computers.
VUPEN Vulnerability Research Team discovered a critical vulnerability
in Adobe Flash.
The vulnerability is caused by a use-after-free error when interacting
with the "ExternalInterface" class from the browser, which could be
exploited to achieve code execution via a malicious web page.
Adobe Flash Player versions prior to 13.0.0.182 are affected.
Upgrade to Adobe Flash Player v13.0.0.182 to address the vulnerability.
This vulnerability was discovered by VUPEN Security.
VUPEN is the leading provider of defensive and offensive cyber security
intelligence and advanced zero-day research. All VUPEN's vulnerability
intelligence results exclusively from its internal and in-house R&D
efforts conducted by its team of world-class researchers.
VUPEN Solutions: http://www.vupen.com/english/services/
http://helpx.adobe.com/security/products/flash-player/apsb14-09.html
http://zerodayinitiative.com/advisories/ZDI-14-092/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0506
2014-01-28 - Vulnerability Discovered by VUPEN Security
2014-03-13 - Vulnerability Reported to Adobe During Pwn2Own 2014
2014-04-08 - Vulnerability Fixed by Adobe
2014-04-14 - Public Disclosure