This is the way the world (wide web) ends…

Robert Hensing linked to a post by Thomas Ptacek over on the Matasano Chargen blog. Thomas (who is both a good hacker AND a good writer) has a writeup of a “game-over” vulnerability that was just published by Mark Dowd over at IBM's ISS X-Force that affects Flash. For those that don’t speak hacker-speak, in this case, a “game-over” vulnerability is one that can be easily weaponized (his techniques appear to be reliable and can be combined to run an arbitrary payload). As an added bonus, because it’s a vulnerability in Flash, it allows the attacker to write a cross-browser, cross-platform exploit – this puppy works just fine in both IE and Firefox (and potentially in Safari and Opera).

This vulnerability doesn’t affect Windows directly, but it DOES show how a determined attacker can take what was previously thought to be an unexploitable failure (a null pointer dereference) and turn it into something that can be used to 0wn the machine.

Every one of the “except not quite” issues that Thomas writes about in the article represented a stumbling block that the attacker (who had no access to the Flash source) had to overcome; there are about 4 of them, and the attacker managed to overcome all of them.

This is seriously scary stuff. People who have Flash installed should run, not walk, over to Adobe to pick up the update. Please note that the security update comes with the following warning:

"Due to the possibility that these security enhancements and changes may impact existing Flash content, customers are advised to review this March 2008 Adobe Developer Center article to determine if the changes will affect their content, and to begin implementing necessary changes immediately to help ensure a seamless transition."

Edit2: It appears that the Adobe update center I linked to hasn't yet been updated with the fix; I followed their update procedure, and my Flash plugin still had the vulnerable version number.

Edit: Added a link to the relevant Adobe security advisory, thanks JD.


Comments (27)

  1. Adrian says:

    Who browses with Flash enabled?  Isn’t that just for advertisements, junky amateur videos, and crappy games?

  2. Gideon says:

    I didn’t realize Thomas Ptacek was still around. His paper on vulnerabilities in intrusion detection systems back in the 90’s was fantastic.

  3. Oh Shi- says:

    Goodbye internet… looks like flash is going to /0 us all

  4. Miral says:

    Yeah, this is why the FlashBlock extension should be mandatory 🙂

    (Still, it’s not going to stop those people who "just want to see the dancing bunnies, dammit!")

  5. Magi says:

    Uh flash is used for quite a bit more than that 😐

  6. JD on EP says:

    "Flash vulnerability" story: I’m bumping this up to my weblog, because OS News requires membership for comments, and their source, Thomas Ptacek, has not yet published the comment I submitted. The Mark Dowd paper describes an issue which was addressed

  7. JD, I’ve added your link (and the warning that comes with the security update) to the article.

  8. Dean Harding says:

    Personally, I think the thing that is interesting here is not whether or not the vulnerability itself is already patched or not (nice going with the quick turnaround, though!). The thing that’s interesting is the _amount of work_ that people are willing to put into discovering the vulnerability in the first place!

    Larry: I found that if you have both IE and Firefox with flash installed, you’ve got to download the update TWICE — once with your IE browser, and once more with your Firefox browser. That seems a bit silly to me. As far as I’m concerned, Flash is Flash; whether it’s running in IE or Firefox…

  9. Nathan_works says:

    Larry, please, at least put "0wn" in quotes. Can’t stand that word. Speaks of low men.

  10. John says:

    Nathan:  Seriously.  He should have at least gone with "pwnz0r".

  11. Yuhong Bao says:

    "I found that if you have both IE and Firefox with flash installed, you’ve got to download the update TWICE — once with your IE browser, and once more with your Firefox browser. That seems a bit silly to me. As far as I’m concerned, Flash is Flash; whether it’s running in IE or Firefox…"

    I found out that as well, and it is because Firefox and IE use different Flash plug-ins.

  12. Igor Levicki says:

    Great, now I am just waiting for you to say "Everyone should use SilverLight instead of Flash".

  13. Altivo Overo says:

    Heh. Not the end of the internet, but maybe it would be the end of flash? Bandwidth wasting garbage collector that it is? I suppose that would be asking too much, wouldn’t it?

    I yanked the flash plugin out of Firefox a long time ago. It just eats time and cycles in order to put garbage on the screen that I don’t need or want. Anyone who makes the functionality of their website dependent upon Flash obviously doesn’t want my attention.

  14. Markus III says:

    I haven’t had any version of flash installed on my pcs in over eight years so this is a non-issue for me.  Once a month, maybe, I come across a site that won’t let me do a thing without flash and makes me sigh because I was marginally interested. Oops, their bad, because I just go elsewhere for whatever I was looking to purchase or view or I do without.

    FYI – If you’re too lazy, too "artsy", or too dumb to make your site or your client’s work sans flash then you/they lose my (considerable) business… and NO, nothing anyone offers is unique or valuable enough that it can’t be done without or found elsewhere so the loss is yours rather than mine.

  15. Igor Levicki says:

    @Markus III:

    Take a look at oops, you can’t, you don’t have Flash installed :p

    Seriously, we don’t need ANOTHER Flash clone because that means people will have to have both of them installed thus doubling the security risk.

    Not to mention they will have to chase two sets of updates.

    I wonder how someone so focused on security as Microsoft could have missed that?

  16. NathanM says:

    How about a modest proposal of sorts: (1) robust error handling of out-of-memory conditions continues to be a problem — it requires all allocations to be handled correctly. (2) These NULL pointer derefs can now be weaponized.

    Therefore: (solution) – make all memory allocations that return NULL call abort() [or the language’s closest equivalent], to protect the app and the user from themselves. Frankly, I’d rather have OS-level support for this kind of behavior.

  17. reader says:

    So you’re saying the OS should crash any app that doesn’t have enough memory for one single operation? That seems pretty drastic. Surely the app writer would rather have a chance to simply display an error message to the user rather than dying an unholy death and taking the user’s work down with the app.

    Besides, if you’re using C++ allocators (i.e. the new operator), the default behavior is to throw an exception rather than returning a null pointer, so in a sense what you’re proposing is already built into the language. It’s too late to go back in time and change how C behaves with respect to malloc().

    On another note, it’s technically inaccurate to characterize this exploit as "a null pointer dereference". If you read the article you’ll see that what’s being dereferenced is not a null pointer, but rather (null pointer + some offset controllable by the attacker).

  18. Igor Levicki says:

    I hope you never get a job as a software developer or if you already have one I hope you lose it soon if you don’t start using that brain of yours. Such ignorant thinking deserves at least some sort of punishment.

    malloc()’s job is to allocate memory, not to terminate applications. It is up to the developer to decide how they are going to handle the error, and a NULL pointer can be handled just fine in most situations.

    What if you have 6 unsaved Word documents and malloc() aborts because there is no room for the 7th document you wanted to create? If it aborts, all documents are gone. If it returns NULL, Word can just say "no memory for another document" and you get the chance to save. Which one would you prefer as a user?

  19. MrBrian says:

    For a much simpler example of this class of exploit, see

  20. Not one of Igor's employees says:

    I’d be calling the unfair dismissal lawyers if I were fired for having a bad idea. There surely would not be much in the way of innovation at any company that _punishes_ people for having bad ideas.

  21. Rob says:

    Igor – Whilst I agree with what you’re saying, I utterly disagree with the *way* in which you said it. "Such ignorant thinking deserves at least some sort of punishment." is just, plain, rude. Manners, please! 🙂

    Larry – "weaponize", is that commonly used in the security field? Either way, I absolutely love it! I suspect my colleagues are going to be driven to utter distraction by the amount I’m going to use it. So much so that any throwable objects on their desks may all of a sudden become weaponized! 😉

  22. Torn says:

    Igor – WTF. No wonder no one likes you.

  23. jeff.s says:

    NathanM used the phrase "a modest proposal" – I think there’s a chance he isn’t even in the neighborhood of being serious.

  24. Igor Levicki says:

    @Not one of Igor’s employees:

    I never said he should be punished for just having bad ideas. We all have a bad idea every now and then.

    He should be punished for advocating a bad idea as a _solution_, especially if he attempts to implement it.

    Actually, I got pissed off because of this:

    "to protect the app and the user from themselves."

    I find it insulting that someone wants to protect me from myself because I am not a retard, thank you.

    I see a pattern (especially in the USA) where people are asking for protection from all sorts of things just because they refuse to think and be responsible and I don’t like it at all.

    I really do not understand why you are asking me to be polite? Why not ask NathanM not to insult my intelligence with his stupid ideas?

    Not only did he use the word "solution" — he misunderstood the exploit, because a NULL pointer deref cannot be "weaponized" by itself; you need an attacker-controlled offset.

    He also demonstrated that he doesn’t grasp the basic concepts of software by asking for "OS level support" for crashing an application in a low-memory situation.

    If it was funny I would be the first one to laugh, but it isn’t even close to a joke. If it was a joke, then it is a rather tasteless one.

    Finally, how far will you people go in defending the rights of Individuals to have their say? Is that some finer aspect of democracy I am failing to grasp or what? This planet is in a serious danger of being ruled (and ruined!) by Individuals if we don’t say "no" to them soon.

  25. J.Swift says:

    Igor – you’re probably not familiar w/ English literature. Go look at for where that phrase comes from. Read the whole thing. The whole point is to be a tasteless joke.

    Black hats have a new possible weapon at their disposal. It’s not that hard to scan code for calls to malloc/new, and check what it does. Like strcpy, the code needs to be 100% correct in every call to it to be safe. One missed check, and it’s "0wnable." How do you ensure that 100% of all code on your box is safe? Or do you just run pure 64-bit code that won’t fail malloc anytime soon?
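The whole thread turns on one coding pattern: an allocation whose NULL result is never checked, which Larry's post, NathanM's abort() proposal, the "reader" and Igor replies about malloc() and Word documents, and J.Swift's "one missed check" all argue about from different sides. The C below is an added example written for this page; it is not code from the post, from any commenter, or from Flash. The allocation hook, `table_t`, `unchecked_slot_address`, `checked_store` and `xmalloc` are all hypothetical names constructed for the illustration. It shows why a forgotten check plus an untrusted index is more than a fixed crash at address zero (the address is only computed, never written through), and puts the two defensive shapes the commenters describe side by side: report the failure to the caller so the user can save, or abort on the first failed allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocation hook: lets a caller simulate an out-of-memory
 * condition instead of having to exhaust real memory. */
static void *(*alloc_hook)(size_t) = malloc;

static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Switch between the real allocator and one that always fails. */
static void use_failing_allocator(int on) { alloc_hook = on ? failing_alloc : malloc; }

#define SLOT_COUNT 64

/* Constructed object type standing in for whatever a player allocates. */
typedef struct {
    size_t   count;
    uint32_t slots[SLOT_COUNT];
} table_t;

/* The pattern the thread is about: the allocation result is never checked.
 * When it is NULL, "t->slots[idx]" names the address
 *     0 + offsetof(table_t, slots) + idx * sizeof(uint32_t),
 * so an untrusted idx moves the faulting address away from page zero. This
 * function only computes that address and returns it; it never touches it. */
static uintptr_t unchecked_slot_address(uint32_t idx) {
    table_t *t = alloc_hook(sizeof *t);      /* BUG: no NULL check */
    uintptr_t addr = (uintptr_t)t
                   + offsetof(table_t, slots)
                   + (uintptr_t)idx * sizeof(uint32_t);
    free(t);                                 /* free(NULL) is a no-op */
    return addr;
}

/* Shape A: check the result and hand the failure back to the caller, so the
 * application can refuse the operation and let the user save their work.
 * Returns 0 on success, -1 when out of memory, -2 when idx is out of range. */
static int checked_store(uint32_t idx, uint32_t value, table_t **out) {
    *out = NULL;
    if (idx >= SLOT_COUNT)
        return -2;                           /* validate the untrusted index first */
    table_t *t = alloc_hook(sizeof *t);
    if (t == NULL)
        return -1;                           /* graceful out-of-memory path */
    memset(t, 0, sizeof *t);
    t->slots[idx] = value;
    t->count = 1;
    *out = t;
    return 0;
}

/* Shape B: a wrapper that never returns NULL. A forgotten check after it
 * cannot turn into a write through NULL plus an offset, at the cost of the
 * whole process dying on the first failed allocation. */
static void *xmalloc(size_t n) {
    void *p = alloc_hook(n);
    if (p == NULL) {
        fputs("fatal: out of memory\n", stderr);
        abort();
    }
    return p;
}

int main(void) {
    table_t *t = NULL;
    use_failing_allocator(1);
    printf("unchecked address with idx=10 under OOM: %#lx\n",
           (unsigned long)unchecked_slot_address(10));
    printf("checked_store under OOM returns %d\n", checked_store(3, 7, &t));
    use_failing_allocator(0);
    printf("checked_store normally returns %d\n", checked_store(3, 7, &t));
    free(t);
    return 0;
}
```

Run as is, the unchecked path prints a small nonzero address that depends only on the index, which is the whole reason a NULL-return bug stops being a harmless crash once the index comes from untrusted data. Neither shape A nor shape B is free: A needs every caller to test the return code, B trades the user's unsaved work for the guarantee that the process never runs with a NULL it forgot about.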

  26. Marc K says:

    FlashBlock Firefox extension FTW!

  27. Igor Levicki says:

    I am not familiar with English literature and I don’t have to be. I am sure you are not familiar with Serbian literature, but I am not bringing it up as an argument against you or your reasoning.

    The Internet is a global place. Here are some basic rules of writing:

    – Do not use idiomatic or colloquial expressions — many idiomatic expressions have no counterpart in other languages, or their use is inappropriate for the audience.

    – Be extremely cautious using humor. What is funny in one culture might be offensive in another. For example, "Ciao", which means "hello" in Italian, means "drop dead" in Telugu.

    – Use examples and scenarios that are as culturally “generic” as possible. For example, avoid scenarios that involve luxury consumer goods. Do not present a scenario involving gourmet dog food or one that assumes the reader is familiar with how a VCR works.

    – Do not eliminate “understood” words, including "by", "that", and "it". Do not omit verbs and auxiliary verbs. Without these words, many phrases can be interpreted in more than one way.

    Those are just a few of the guidelines you can find in literature on the subject of writing for the global audience.

    NathanM didn’t include the universally acceptable joke symbol (a.k.a. smiley), so what he wrote most certainly wasn’t a joke, much less such a sophisticated one as you imply.
