
September 2, 2012

Timeline for Fix of an Arbitrary Address Write Bug

In today's post I'm writing about an arbitrary address write bug in Flash Player in Firefox (CVE-2012-4171) that is now fixed.

The issue was reported to Mozilla, but the fix was made by Adobe, as it turned out to be a bug in the Flash Player. The bug was tracked in Mozilla's bug tracking system (BugZilla) [the entry is still restricted at the time of writing].

Triggering this vulnerability does not require malformed data of any kind. All the constructs can be legitimate. The PoC demonstrates that, while a security dialog box is shown, it is possible to navigate to another page that pops up a second security dialog while the first dialog is still visible. When the second dialog is OK'd, Flash Player crashes.

The code snippet below shows the vulnerable code path.

    mov     ecx,dword ptr [esi+4]           ; (1)
    <STRIPPED>
    mov     esi,ecx
    add     dword ptr [esi+1B8h],0FFFFFFFFh ; (2)

At line (1), [ESI+4] is an address in a valid heap region. The heap can be arranged to contain user-controlled data. Therefore, at line (2), an attacker can write to an arbitrary address using the add instruction. Because the write is performed by an add instruction, the attacker has limited control over what data is written.
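The arithmetic of the two visible instructions, modelled in C as an added example (not code from the original post or from Flash Player). The sparse `mem` array, `peek`/`poke` and all sample addresses and values are constructed, and the `<STRIPPED>` instructions are not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a 32-bit address space: a handful of mapped dwords.
 * Unmapped reads return 0 here; on real hardware they would fault. */
#define SLOTS 16
typedef struct { uint32_t addr, val; int used; } cell_t;
static cell_t mem[SLOTS];

static cell_t *find(uint32_t addr) {
    for (size_t i = 0; i < SLOTS; i++)
        if (mem[i].used && mem[i].addr == addr) return &mem[i];
    return NULL;
}

void poke(uint32_t addr, uint32_t val) {
    cell_t *c = find(addr);
    for (size_t i = 0; !c && i < SLOTS; i++)
        if (!mem[i].used) c = &mem[i];
    if (c) { c->addr = addr; c->val = val; c->used = 1; }
}

uint32_t peek(uint32_t addr) {
    cell_t *c = find(addr);
    return c ? c->val : 0;
}

/* Emulates the two visible instructions and returns the address written
 * at (2). The <STRIPPED> instructions are not modelled. */
uint32_t run_snippet(uint32_t esi) {
    uint32_t ecx = peek(esi + 4);               /* (1) mov ecx,[esi+4]     */
    esi = ecx;                                  /*     mov esi,ecx         */
    uint32_t target = esi + 0x1B8u;             /* wraps modulo 2^32       */
    poke(target, peek(target) + 0xFFFFFFFFu);   /* (2) add [esi+1B8h],-1   */
    return target;
}

int main(void) {
    poke(0x1000u + 4, 0x20000000u);     /* constructed value in the heap slot */
    poke(0x200001B8u, 5);               /* constructed dword at the target    */
    uint32_t t = run_snippet(0x1000u);
    printf("wrote %08X, value now %08X\n", (unsigned)t, (unsigned)peek(t));
    return 0;
}
```

Whatever dword sits at [ESI+4] fully determines the written address (that value plus 1B8h), while the stored result is always the previous contents minus one, which is the limited control over data that the text describes.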

Below is the timeline for the fix.

| Days | Date | Channel | Action |
|---|---|---|---|
| 0 days | 25-Jan-2010 | E-mail | Report sent to Mozilla. |
| 0 days | 25-Jan-2010 | E-mail | Mozilla confirms the behavior described in the report. A case is opened in the bug tracking database (BugZilla). |
| 731 days | 26-Jan-2012 | BugZilla | A Mozilla engineer says he can reproduce the issue with Firefox 9 on Windows 7 but cannot reproduce it with the nightly build. |
| 731 days | 26-Jan-2012 | BugZilla | An Adobe engineer says they will triage this issue ASAP. |
| 749 days | 13-Feb-2012 | BugZilla | A Mozilla engineer asks Adobe for a status update. |
| 749 days | 13-Feb-2012 | BugZilla | An Adobe engineer confirms he cannot reproduce the crash. |
| 749 days | 13-Feb-2012 | BugZilla | An Adobe engineer confirms he can reproduce the crash by experimenting with waiting times before clicking "OK" on the prompt. |
| 749 days | 13-Feb-2012 | BugZilla | Reporter recommends switching off plugin-container, introduced since the report, to get a consistent crash state. |
| 779 days | 14-March-2012 | E-mail | Reporter asks for a status update and points out that the existing testcase reliably crashes Firefox when plugin-container is disabled. |
| 779 days | 14-March-2012 | E-mail | Mozilla confirm there is no update on the case other than what is seen in BugZilla. Mozilla asks for additional information about the crashes to be added. |
| 780 days | 15-March-2012 | BugZilla | Reporter adds additional information about crashes. |
| 780 days | 15-March-2012 | E-mail | Reporter asks for an estimate of the date of the fix. |
| 780 days | 15-March-2012 | E-mail | Mozilla confirm they don't have an estimate. They say they have to see what the developers can do with it in the short term. |
| 780 days | 15-March-2012 | E-mail | In response to an earlier email Mozilla say "flash bugs are often slow to be fixed". |
| 805 days | 9-Apr-2012 | E-mail | Reporter decided to share crash information with CERT, and asked if they can help motivate the vendor to issue a patch. |
| 805 days | 9-Apr-2012 | E-mail | CERT confirm they have spoken with the vendor. |
| 806 days | 10-Apr-2012 | BugZilla | Mozilla say they effectively mitigated this issue with out-of-process plugins and they require a testcase which crashes Firefox in an exploitable manner. |
| 806 days | 10-Apr-2012 | BugZilla | Reporter responds that the existing testcase crashes Firefox in a 1/10 ratio on the reporter's side. With plugin-container disabled it crashes Firefox in a 10/10 ratio. |
| 807 days | 11-Apr-2012 | BugZilla | An Adobe engineer confirms they cannot reproduce the issue. |
| 808 days | 12-Apr-2012 | BugZilla | Reporter recommends disabling plugin-container to get a consistent crash state. Reporter also highlights that plugin-container is just a mitigation that could be bypassed. |
| 808 days | 12-Apr-2012 | BugZilla | A Mozilla Security Researcher asks how the plugin-container could be bypassed. |
| 808 days | 12-Apr-2012 | BugZilla | Reporter highlights attack surfaces but also states that discussing how to bypass the mitigation is out of the scope of this bug. |
| 814 days | 18-Apr-2012 | BugZilla | Adobe say they have a good set of test cases for this issue now, and this will be fixed in the following release. |
| 861 days | 4-June-2012 | BugZilla | Adobe confirm it is fixed in 11.4.400.128. [This seems to be an internal build] |
| 939 days | 21-Aug-2012 | Web | Fix released in 11.4.402.265; see Adobe's Security Bulletin. |
| N/A | 27-Aug-2012 | BugZilla | Adobe confirm 11.4.402.265 was released on 21st of August and mark the bug as fixed. |
| N/A | 29-Aug-2012 | E-mail | Reporter checks Adobe's Security Bulletin and realizes this bug is not mentioned in it. Asks Adobe about the CVE number. |
| N/A | 30-Aug-2012 | E-mail | Adobe confirm the Security Bulletin has been updated with the CVE number. |

This timeline contains the technically important communications. If you are aware of something I missed that you think is important to mention, please let me know and I'll update this page.

Thanks to those involved from Mozilla, Adobe and CERT.

This blog is written and maintained by Attila Suszter.