The flaw was reported by Vulnerability Lab researchers

Mar 16, 2012 07:53 GMT
Flash component vulnerability on Microsoft Bing Service Application

Three of the Vulnerability Lab’s researchers worked together on finding and demonstrating a critical editor Flash component vulnerability on Microsoft’s Bing Service Application.

Security experts Subho Halder, Aditya Gupta and Dev Kar identified the critical severity flaw and reported it to Microsoft on February 7, 2012.

Microsoft responded 2 days later and on March 14 the issue was addressed.

Had it been left unaddressed, the remotely exploitable Flash component vulnerability could have allowed an attacker to inject malicious persistent comments while the user was editing or posting via Flash.

The vulnerable module was Comments&Edit – Flash Input/Output, which was affected when SWF files created with ActionScript were loaded.

The screenshots and the proof-of-concept provided to us by Vulnerability Lab show how easily these types of security holes can be remotely exploited, without much user interaction required.

Bing is not as popular as Google, but there are still a lot of people who use it to perform searches and other tasks. This is why any vulnerability can have a devastating impact on the site’s customers if left unattended.

Vulnerability Lab researchers have been doing a good job lately in finding weaknesses and helping website administrators and vendors patch up their products.

Their more recent finds include local file inclusion vulnerabilities in the monitoring tool Pandora FMS 4.0.1, cross-site scripting (XSS) issues on an official site of Adobe, and multiple web vulnerabilities in Wolf and Gazelle Anatasoft Content Management Systems (CMS).

They also helped Barracuda fix a number of web vulnerabilities in its CudaTel Phone Application 2.0.029.1.

On March 14, Gretech released a security update for the popular GOM Player after Ucha Gobejishvili, one of the members of the Lab, identified an “open URL” buffer overflow vulnerability that may have allowed an attacker to cause the application to crash and even execute arbitrary code.
