Issue 595892

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: Uncontrolled running of previous versions of Flash

Reported by mrlionov...@gmail.com, Mar 17 2016

Issue description

VULNERABILITY DETAILS
Run arbitrary versions of Flash Player, and bypass the built-in protection against running old versions of Flash Player.

VERSION
Chrome Version: [49.0.2623.87] + [stable]
Operating System: [Windows 7 x64 SP1], [Windows 7 x86 SP1]

REPRODUCTION CASE
In Chrome, you can run older versions of Flash Player without the user's knowledge.
With the help of this vulnerability, a vulnerable older Flash version can be installed without the user's knowledge; the user is then sent to a website that has a collection of exploits for Flash, and the attacker gets the desired result.


Using ResHacker or Restorator, I patched the version of pepflashplayer.dll to the current one, and copied it to the folders
C:\Program Files\Google\Chrome\Application\{version}\PepperFlash
C:\Users\{User}\AppData\Local\Google\Chrome\UserData\PepperFlash\{version}\

After that, I open any HTML-page with an exploit for FlashPlayer.


I can write a simple program in Delphi to automate the process. Thus the user will not even know the source of the virus, or that the old Flash had been installed.

The solution: a check of the file's integrity (MD5 sum), at least periodically.
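
The mechanism the report describes (a resource editor rewrites only the version fields of the DLL, so a check that trusts the file's version resource accepts an old build) and the proposed mitigation (compare a content hash instead) can be shown side by side. The following is an added, constructed example, not Chromium code and not the reporter's tool: the "plugin" is a toy byte blob carrying a real-layout VS_FIXEDFILEINFO record (the 52-byte structure from the Windows SDK that resource editors rewrite), the version numbers are illustrative, and the SHA-256 stands in for the MD5 the reporter suggests. One caveat worth keeping in mind when reading it: a digest recorded on the same disk can be overwritten by an attacker who already has write access to the PepperFlash directory, which is why the triage below treats local modification as outside the threat model; a check that a local attacker cannot forge has to be tied to something like the publisher's code signature rather than to a stored hash.

```python
"""Constructed demo: a spoofable version-resource check versus a content-hash check.

Everything here is a toy stand-in for a real plugin DLL; it is not Chromium
code and makes no claim about how Chrome's own version check is implemented.
"""
import hashlib
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD   # dwSignature of VS_FIXEDFILEINFO (Windows SDK)
_FFI_FMT = "<13I"               # 13 little-endian DWORDs, 52 bytes in total
_FFI_SIZE = struct.calcsize(_FFI_FMT)


def _split_version(version):
    """(major, minor, build, rev) -> (dwFileVersionMS, dwFileVersionLS)."""
    major, minor, build, rev = version
    return (major << 16) | minor, (build << 16) | rev


def pack_fixed_file_info(version):
    """Build a VS_FIXEDFILEINFO record for a four-part version tuple."""
    ms, ls = _split_version(version)
    # signature, strucversion, file ver MS/LS, product ver MS/LS, flags mask,
    # flags, OS (VOS_NT_WINDOWS32), type (VFT_DLL), subtype, date MS/LS
    return struct.pack(_FFI_FMT, VS_FFI_SIGNATURE, 0x00010000, ms, ls, ms, ls,
                       0x3F, 0, 0x00040004, 2, 0, 0, 0)


def _find_fixed_file_info(blob):
    off = blob.find(struct.pack("<I", VS_FFI_SIGNATURE))
    if off < 0 or off + _FFI_SIZE > len(blob):
        return -1
    return off


def read_file_version(blob):
    """Locate VS_FIXEDFILEINFO by its signature and decode dwFileVersionMS/LS."""
    off = _find_fixed_file_info(blob)
    if off < 0:
        return None
    fields = struct.unpack_from(_FFI_FMT, blob, off)
    ms, ls = fields[2], fields[3]
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def patch_file_version(blob, new_version):
    """What a resource editor does: rewrite the version fields, leave the code alone."""
    off = _find_fixed_file_info(blob)
    if off < 0:
        raise ValueError("no VS_FIXEDFILEINFO in blob")
    ms, ls = _split_version(new_version)
    patched = bytearray(blob)
    struct.pack_into("<II", patched, off + 8, ms, ls)    # dwFileVersionMS/LS
    struct.pack_into("<II", patched, off + 16, ms, ls)   # dwProductVersionMS/LS
    return bytes(patched)


def make_plugin_blob(version, code):
    """Constructed stand-in for pepflashplayer.dll: some 'code' plus a version record."""
    return b"MZ" + code + pack_fixed_file_info(version) + b"\x00" * 16


def version_check(blob, minimum):
    """Accept the file if its version resource is at least `minimum` (spoofable)."""
    v = read_file_version(blob)
    return v is not None and v >= minimum


def hash_check(blob, expected_sha256):
    """Accept the file only if its full content matches the recorded digest."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256


def demo():
    current = (21, 0, 0, 182)    # assumed 'current' version (illustrative numbers)
    old = (18, 0, 0, 209)        # assumed 'old, vulnerable' version (illustrative)
    good = make_plugin_blob(current, b"CURRENT-BUILD-CODE")
    good_digest = hashlib.sha256(good).hexdigest()   # what an updater would record
    old_dll = make_plugin_blob(old, b"OLD-VULNERABLE-CODE")
    spoofed = patch_file_version(old_dll, current)   # the ResHacker/Restorator step
    return {
        "old_fails_version_check": not version_check(old_dll, current),
        "spoofed_passes_version_check": version_check(spoofed, current),
        "spoofed_fails_hash_check": not hash_check(spoofed, good_digest),
        "good_passes_hash_check": hash_check(good, good_digest),
        "spoofed_reported_version": read_file_version(spoofed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the unpatched old build rejected by the version check, the patched one accepted, and the same patched file rejected by the digest comparison because only the 16 version bytes changed while the code did not.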

Comment 2 by mea...@chromium.org, Mar 17 2016

Status: WontFix (was: Unconfirmed)
Hi, this requires physical access (modifying pepflashplayer.dll), so is out of scope of our threat model. Please see our FAQ for details: https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-


Comment 3 by sheriffbot@chromium.org, Jun 24 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by sheriffbot@chromium.org, Oct 2 2016

Labels: allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot