Tuesday, February 24, 2009

Adobe Flash Player Invalid Object Reference Vulnerability


Remote exploitation of an invalid object reference vulnerability in Adobe Systems Inc.'s Flash Player could allow an attacker to execute arbitrary code with the privileges of the current user.

During the processing of a Shockwave Flash file, a particular object can be created, along with multiple references that point to the object. The object can be destroyed and its associated references removed. However, a reference can incorrectly remain pointing to the object. The invalid object resides in uninitialized memory, which the attacker may control to gain arbitrary execution control.
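
The leftover-reference pattern described above, and one common defence against it, as an added example (not code from Adobe, iDefense, or this post): references are generation-checked handles into an object table rather than raw pointers, so a reference that survives its object's destruction is rejected instead of being followed into reused memory. The table layout and the names `obj_create`, `obj_destroy` and `obj_resolve` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 4

/* One slot of a hypothetical object table; gen changes whenever the slot is freed. */
typedef struct { uint32_t gen; int live; char data[16]; } slot_t;
/* A reference is an index plus the generation it was issued for, not a raw pointer. */
typedef struct { uint32_t idx; uint32_t gen; } ref_t;

static slot_t table[SLOTS];

ref_t obj_create(const char *data) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].live) {
            table[i].live = 1;
            snprintf(table[i].data, sizeof table[i].data, "%s", data);
            return (ref_t){ i, table[i].gen };
        }
    }
    return (ref_t){ SLOTS, 0 };   /* table full: index out of range, never resolves */
}

/* Destroying bumps the generation, so every outstanding reference goes stale
   at once, including any the owner forgot to remove. */
void obj_destroy(ref_t r) {
    if (r.idx < SLOTS && table[r.idx].live && table[r.idx].gen == r.gen) {
        table[r.idx].live = 0;
        table[r.idx].gen++;
        memset(table[r.idx].data, 0, sizeof table[r.idx].data);
    }
}

/* Returns the object's data, or NULL when the reference is stale or invalid. */
const char *obj_resolve(ref_t r) {
    if (r.idx >= SLOTS || !table[r.idx].live || table[r.idx].gen != r.gen)
        return NULL;
    return table[r.idx].data;
}

int main(void) {
    ref_t a = obj_create("first");   /* constructed sample data */
    ref_t leftover = a;              /* second reference to the same object */
    obj_destroy(a);                  /* object destroyed; 'leftover' was never removed */
    ref_t b = obj_create("second");  /* the freed slot is reused by a new object */
    printf("leftover -> %s\n", obj_resolve(leftover) ? "resolved" : "rejected (stale)");
    printf("b        -> %s\n", obj_resolve(b));
    return 0;
}
```

With raw pointers, `leftover` would still point at the slot now holding the second object; here the generation mismatch makes the lookup fail closed.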


Adobe has just released a security advisory for this vulnerability. The vulnerability affects Adobe Flash Player and earlier. So, patch 'em if you got 'em.

I was hearing "chatter" about this vulnerability on Twitter this morning...

Then you have the confusing aspect of Adobe's actions in this matter. Why patch the Flash Player when people are actively exploiting the Reader vulnerability?

On another note, Sourcefire said an analysis of its malware database showed that attackers have been exploiting the Adobe Acrobat / Reader flaw for more than six weeks. Still no word from Adobe on suggested mitigation techniques. Security professionals in the know still suggest disabling JavaScript.


  1. I read your post and it appears you have linked to my blog as indication that I'm confused between the Flash update advisory from iDefense and the outstanding 0day in Reader. If so, I thought I made it pretty clear that these are two different products/patches/updates and advisories. The very heart of the matter is that it appears Adobe will update the new (private) Flash bug prior to the outstanding 0day in Reader.


  2. Hey Andrew,

    Thanks for the note. I never meant to indicate that 'you' were confused... just that the actions of Adobe are confusing, as you point out in your blog entry.

    With that being said, I am confused on why the iDefense Flash Advisory points to official Adobe Reader / Acrobat advisory...given that they are two separate security issues in two different product lines.

  3. The confusion was totally on my side, I missed the "A" and "B" difference.


  4. Thanks for the clarifications.

  5. No worries. It was mostly my fault anyways...