Executive Summary

Summary
Title Windows XP Macromedia Flash 6 ActiveX control use-after-free vulnerability
Informations
Name VU#204889 First vendor Publication 2010-01-12
Vendor VU-CERT Last vendor Modification 2010-01-15
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#204889

Windows XP Macromedia Flash 6 ActiveX control use-after-free vulnerability

Overview

The Macromedia Flash ActiveX control that is provided with Windows XP contains a memory corruption vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Microsoft Windows XP provides the Macromedia Flash ActiveX control. Depending on the patch level of the system, it may be provided by either flash.ocx or flash6.ocx. This ActiveX control contains a use-after-free vulnerability, which can result in heap memory corruption. Note that this vulnerability does not affect systems that have Flash 9 or later installed, as newer versions of the Flash installer will replace the Macromedia Flash control that is provided by Windows.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.

III. Solution

We are unaware of a practical solution to this problem. Please see Microsoft Security Advisory (979267) for some workarounds, including:

Disable the Flash ActiveX control in Internet Explorer

The Flash ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

    {D27CDB6E-AE6D-11cf-96B8-444553540000}
More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    "Compatibility Flags"=dword:00000400
    [HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoftInternet ExplorerActiveX Compatibility{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    "Compatibility Flags"=dword:00000400
Remove Flash

Adobe has provided instructions for removing the Flash 6 ActiveX control. Alternatively, a utility has been provided to automatically remove the Flash ActiveX control and plug-in.

Apply an update

This issue can be mitigated by installing the latest version of Adobe Flash. Flash 6 is no longer supported, and installing Adobe Flash 10 will replace the existing Flash ActiveX control(s).

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected

VendorStatusDate NotifiedDate Updated
AdobeVulnerable2008-06-192010-01-12
Microsoft CorporationVulnerable2008-06-192010-01-12

References


http://www.microsoft.com/technet/security/advisory/979267.mspx
http://get.adobe.com/flashplayer/
http://kb2.adobe.com/cps/141/tn_14157.html
http://kb2.adobe.com/cps/127/tn_12727.html
http://secunia.com/advisories/27105/3/
http://secunia.com/secunia_research/2007-77/

Credit

This vulnerability was reported by Will Dormann of the CERT/CC, based on information provided by Chad Dougherty of the CERT/CC.

This document was written by Will Dormann.

Other Information

Date Public:2010-01-12
Date First Published:2010-01-12
Date Last Updated:2010-01-15
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:4.05
Document Revision:21

Original Source

Url : http://www.kb.cert.org/vuls/id/204889

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-416 Use After Free

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:7580
 
Oval ID: oval:org.mitre.oval:def:7580
Title: Use-after-free vulnerability in Adobe Flash Player 6.0.79
Description: Use-after-free vulnerability in Adobe Flash Player 6.0.79, as distributed in Microsoft Windows XP SP2 and SP3, allows remote attackers to execute arbitrary code by unloading a Flash object that is currently being accessed by a script, leading to memory corruption, aka a "Movie Unloading Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2010-0378
 Version: 13
Platform(s): Microsoft Windows XP
Microsoft Windows 7
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows Server 2012
Microsoft Windows 8.1
Microsoft Windows Server 2012 R2
 Product(s): Adobe Flash Player
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

OpenVAS Exploits

Date Description
2010-01-13 Name : Adobe Flash Player Remote Code Execution Vulnerability (WinXP)
File : nvt/gb_adobe_flash_player_remote_code_exec_vuln_winxp.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
61905 Adobe Flash Player on Windows Use-after-free Movie Unloading Memory Corruption

Nessus® Vulnerability Scanner

Date Description
2010-01-18 Name : The Flash ActiveX control installed on the remote Windows host has multiple v...
File : smb_kb_979267.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-02-17 12:07:35
  • Multiple Updates
2013-05-11 00:56:55
  • Multiple Updates