Re: Have we just proven that Flash is a pile of crap yet again?
"It's a scripting language, you shouldn't be able to furtle with internal variable details"
You're thinking too high level. JS and AS can both be vulnerable to memory corruption leading to exploitation. You have to exploit a bug to furtle with the vector length value - such as a buffer overflow or use-after-free().
e.g., in ActionScript, let's say your plugin's memory looks like this: B = buffer byte, V = vector byte, L is the vector length, and . = empty space. You've got two objects, a buffer and a vector allocated near each other:
BBBB....LVVVV
There's a missing bounds check on the buffer, so you overflow it by writing too much data to it (from your malicious Flash file) and run over the nearby vector. * = the smashed length:
BBBBBBBB*BBVV
So moving the buffer objects well away from the vector objects prevents you from easily overwriting the length value.
Now, you can do this in JavaScript. There are plenty of exploits in the past where a use-after-free() has been exploited to modify memory allocated on the heap.
C.
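The layout the post describes, as an added C simulation (not the commenter's code): a constructed 13-byte "heap" with the buffer at offset 0 and the vector's length byte at offset 8, an unchecked write that smashes the length, the bounds-checked write that refuses it, and a plausibility check on the stored length of the kind a hardened runtime can apply before trusting it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed arena matching the post's picture: BBBB....LVVVV */
#define BUF_OFF 0
#define BUF_CAP 4
#define LEN_OFF 8
#define VEC_OFF 9
#define VEC_LEN 4
#define ARENA   13

static uint8_t arena[ARENA];

static void reset_arena(void) {
    memset(arena, '.', ARENA);
    memset(arena + BUF_OFF, 'B', BUF_CAP);
    arena[LEN_OFF] = VEC_LEN;              /* L, the vector length */
    memset(arena + VEC_OFF, 'V', VEC_LEN);
}

/* Missing bounds check: copies however much the caller supplies.
   Clamped to the arena only so the simulation itself stays in bounds. */
static void buffer_write_unchecked(const uint8_t *src, size_t n) {
    if (n > ARENA - BUF_OFF) n = ARENA - BUF_OFF;
    memcpy(arena + BUF_OFF, src, n);
}

/* Hardened: refuse anything larger than the buffer. Returns 1 if written. */
static int buffer_write_checked(const uint8_t *src, size_t n) {
    if (n > BUF_CAP) return 0;
    memcpy(arena + BUF_OFF, src, n);
    return 1;
}

static int vector_length(void) { return arena[LEN_OFF]; }

/* A stored length that no longer fits the arena is a sign of corruption. */
static int vector_length_plausible(void) {
    return VEC_OFF + vector_length() <= ARENA;
}

/* Write 11 bytes through the unchecked path; returns the length byte afterwards. */
static int demo_overflow(void) {
    uint8_t in[11]; memset(in, 'B', sizeof in);
    reset_arena();
    buffer_write_unchecked(in, sizeof in);
    return vector_length();                 /* now 'B' (66), not 4 */
}

/* Same input through the checked path; returns the length byte afterwards. */
static int demo_checked(void) {
    uint8_t in[11]; memset(in, 'B', sizeof in);
    reset_arena();
    (void)buffer_write_checked(in, sizeof in);
    return vector_length();                 /* still 4 */
}
```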