Fixed: http://helpx.adobe.com/security/products/flash-player/apsb15-01.html

(Note on dates: I calculated 90 days by simply adding three months which is inaccurate; this report may have actually gone over deadline. Going forward, we'll investigate a script to calculate 90 days accurately and automatically in all cases, for consistency in corner-cases.)

Issue has now been fixed for 7+ days, so opening up for public view.

In case anyone bothers to read here: I'd like to state that I think this is a _really_ interesting bug! Being able to programatically corrupt your own bytecode via an ActionScript API is super cool, and particularly unusual in terms of trigger and level of control for a memory corruption.

If I had more time, I'd have written an exploit for this one. Unfortunately, I can't justify spending the time it would take: in Project Zero, we typically only write exploits if we think we might learn something new or gain a particular insight. I think the exploitation would be pretty run-of-the-mill in this case.

Still, this would make an interesting project for anyone learning exploitation. I'd be happy to share ideas if anyone made this their project.  Enjoy!