Comments on: BID 24856 - Flash Player SWF Vulnerability http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability/ Information Security Think Tank Tue, 06 Jan 2009 18:53:07 +0000 http://wordpress.org/?v=2.7 hourly 1 By: ·¨-=[WHK]=-¨· » Archive » Vulnerabilidades en Flash Player permiten tomar el control total de un usuario afectado http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability/comment-page-1/#comment-43086 ·¨-=[WHK]=-¨· » Archive » Vulnerabilidades en Flash Player permiten tomar el control total de un usuario afectado Sat, 25 Aug 2007 05:11:10 +0000 http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability#comment-43086 [...] Adobe Flash Player 9.0.28.0 Adobe Flash Player 8.0.34.0 Adobe Flash Player 7.0.69.0 Fuentes: http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability http://www.securityfocus.com/bid/24856 [...] [...] Adobe Flash Player 9.0.28.0 Adobe Flash Player 8.0.34.0 Adobe Flash Player 7.0.69.0 Fuentes: http://www.gnucitizen.org/blog.....nerability http://www.securityfocus.com/bid/24856 [...]

]]> By: ascii http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability/comment-page-1/#comment-37583 ascii Sat, 28 Jul 2007 22:50:55 +0000 http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability#comment-37583 @Giorgio Maone: let me see... thanks for your understanding, responsible disclosure MEANS that "it WAS big", if not it's not responsible disclosure. @Giorgio Maone: let me see… thanks for your understanding, responsible disclosure MEANS that “it WAS big”, if not it’s not responsible disclosure.

]]> By: Awesome AnDrEw http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability/comment-page-1/#comment-37430 Awesome AnDrEw Sat, 28 Jul 2007 02:59:37 +0000 http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability#comment-37430 Lovely example, but I wouldn't necessarily get too crazy on making the Nintendo Wii crash as it's easily done simply browsing normal pages. This is a pretty cool idea though seeing as how most services now use Flash players supporting the FLV file format, and generally use some shotty script to get the URL of the media from a variable in the address. Lovely example, but I wouldn’t necessarily get too crazy on making the Nintendo Wii crash as it’s easily done simply browsing normal pages. This is a pretty cool idea though seeing as how most services now use Flash players supporting the FLV file format, and generally use some shotty script to get the URL of the media from a variable in the address.

]]> By: Giorgio Maone http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability/comment-page-1/#comment-36757 Giorgio Maone Mon, 23 Jul 2007 22:38:18 +0000 http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability#comment-36757 @Stefano: I agree on the impact of slow patch deployment on mobile devices, and I've been already contacted for some NoScript portings, actually. Again thanks for the responsible disclosure and for your detailed and enjoyable advisory. -- There’s a browser safer than Firefox… http://noscript.net @Stefano:
I agree on the impact of slow patch deployment on mobile devices, and I’ve been already contacted for some NoScript portings, actually.

Again thanks for the responsible disclosure and for your detailed and enjoyable advisory.

There’s a browser safer than Firefox… http://noscript.net

]]> By: pdp http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability/comment-page-1/#comment-36749 pdp Mon, 23 Jul 2007 21:54:46 +0000 http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability#comment-36749 Giorgio, Stefano is right. It will take some time to upgrade all flash instances. So, the bug is very serious. In fact, I am sure that someone will take it and make into a worm of some sort. BTW, 10x to Stefano and his team responsible disclosure the impact is a lot less significant. Stefano, always. The research is worthed. Giorgio, Stefano is right. It will take some time to upgrade all flash instances. So, the bug is very serious. In fact, I am sure that someone will take it and make into a worm of some sort. BTW, 10x to Stefano and his team responsible disclosure the impact is a lot less significant.

Stefano, always. The research is worthed.

]]> By: Stefano http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability/comment-page-1/#comment-36709 Stefano Mon, 23 Jul 2007 16:19:40 +0000 http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability#comment-36709 @Giorgio, even if there's a Flash player/plugin new version think about wii or smart phones with flash lite installed.... when vendors will fix it with an update? @Pdp, thank for you kind words and for this blog entry!:) @Giorgio,
even if there’s a Flash player/plugin new version think about wii or smart phones with flash lite installed….
when vendors will fix it with an update?

@Pdp, thank for you kind words and for this blog entry!:)

]]> By: Giorgio Maone http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability/comment-page-1/#comment-36691 Giorgio Maone Mon, 23 Jul 2007 14:31:41 +0000 http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability#comment-36691 OK, I had a chance to watch the Symantec video and finally realized how really scary this bug was. The video starts with "Example 1: Windows with Firefox", but even before they open the compromised FLV, the attack has already transformed Firefox into Internet Explorer 6 for better exploitation, OMG!!! -- There’s a browser safer than Firefox… http://noscript.net OK, I had a chance to watch the Symantec video and finally realized how really scary this bug was.

The video starts with “Example 1: Windows with Firefox”, but even before they open the compromised FLV, the attack has already transformed Firefox into Internet Explorer 6 for better exploitation, OMG!!!

There’s a browser safer than Firefox… http://noscript.net

]]> By: pdp http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability/comment-page-1/#comment-36686 pdp Mon, 23 Jul 2007 13:51:57 +0000 http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability#comment-36686 Giorgio, you are right. Never the less I though it might be a good idea to mention the bug and also point out where the credits are due. :) Giorgio,

you are right. Never the less I though it might be a good idea to mention the bug and also point out where the credits are due. :)

]]> By: Giorgio Maone http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability/comment-page-1/#comment-36676 Giorgio Maone Mon, 23 Jul 2007 12:07:06 +0000 http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability#comment-36676 Not to play the devil's advocate, but "it WAS big". Stefano and Giorgio did responsible disclosure, thus the Flash Player plugin registered in my default Firefox profile (version 9.0r47) is not vulnerable. Since, let me see... July 10th 2007... 13 days now? Anyway Minded Security's advisory is very worth reading, many thanks for the pointer :) -- There's a browser safer than Firefox... http://noscript.net Not to play the devil’s advocate, but “it WAS big”.

Stefano and Giorgio did responsible disclosure, thus the Flash Player plugin registered in my default Firefox profile (version 9.0r47) is not vulnerable.

Since, let me see… July 10th 2007… 13 days now?

Anyway Minded Security’s advisory is very worth reading, many thanks for the pointer :)

There’s a browser safer than Firefox… http://noscript.net

]]>