Huge Security Exploit In Macromedia Flash Discovered

[zoomforce]

Someone just emailed this to me:

Area of affect:

All SWF plugins on all platforms. I have validated it with the Shockwave
Flash plugins versions 2 through 8. I have validated it on Windows 95, 98,
NT, MacOS 9, Solaris 2.6 and 2.7, and RedHat Linux 6.0. I have validated
it using Netscape (4.04, 4.7) and Internet Explorer.

The buffer overflows are consistent per platform, but vary between
plaforms. (Or in english: A corrupt SWF may crash Netscape on Windows 95,
but only screw up the graphics under Linux. This SWF will always crash
Netscape on Win95 the same way and it will always screw up the Linux
graphics the same way. A different corrupt SWF file could crash the
browser on all platforms.)
The details are on the front page of http://www.cputweak.com

[8minus8]

what's this about? i saw a link earlier but it was in german. i ask cause the page you referenced isn't working.

[flynet]

oh, i think it is useful for me.
8minus8,i rush into the page zoomforce referenced.

[derrickito]

bugs bugs bugs.. macromedia is already on this one from what i have read on the flasher email list

[zoomforce]

Actually the article was posted from the following history:

Reporting history:
(I am including this in case someone decides to sue me.)

Early July 2000:
- Identified the defect.

July 25, 2000:
- Reported defect to Macromedia (call number TWL2000072500018060)

July 26, 2000:
- Reported the defect to CERT, NIPC, and CIAC.

July 30, 2000:
- Contact from "Chris" at Macromedia asking for more information. I
provided details.

August 2000:
- Talked with "Chris" from CERT at Usenix Security conference. He called
it a "sleeper" and said he would look into it. (I know... There were two
guys named "Chris from CERT" -- this was the dark-haired guy.) [As an
aside, isn't there some risk about everybody being named "Chris"?]

December 15, 2000:
- No advisories or notice from Macromedia, CERT, NIPC, or CIAC.

- Macromeda has, during this time, released updates to Shockwave Flash and
these are still vulnerable. (Evidence that they are not invesitigating or
addressing the issue.)

- Decided to post to BugTraq.

- By dumb luck, met a guy at a party who knew a guy who was the sister of
a "senior manager" at Macromedia. Decided to hold off posting.

December 18, 2000:

- Made contact with the manager's brother. Left phone message for sister
at Macromedia.

December 19, 2000:

- Provided details of exploit to Macromedia. Also provided sample SWF
files that perform buffer overflows on various platforms.

December 20, 2000:

- Received the same reply from Macromedia that I did on July 30. (It has
been forwarded to the engineers for investigation.)

- Decided to give them one week to respond before posting to Bugtraq.

December 29, 2000:
- Post to Bugtraq. (In hindsight, I should have done this back in August.)

[8minus8]

hey zoomforce.
thanks for the link actually don't see it on this can you repost. did you notice how many threads you started? i think you hit post new instead of post reply. could you post the new link in this one. btw you can still go back and delete those.

[dcypher*33]

thats interesting cuz my inet explorer has crashed servral times saying error in flashh plugin, somethingorother.ocx ... i thought it wuz my shi**y computer...

[riff]

My shockwave never crashes anything because I don't make corrupt .swf files

Nice bug hunting work I must admit.