Multiple vulnerabilities in Adobe AIR
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2012-2035 CVE-2012-2036 CVE-2012-2037 CVE-2012-2038 CVE-2012-2039 CVE-2012-2040 CVE-2012-2034 |
| CWE-ID | CWE-121 CWE-20 CWE-119 CWE-264 CWE-476 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #7 is being exploited in the wild. |
| Vulnerable software |
Adobe AIR Client/Desktop applications / Multimedia software |
| Vendor | Adobe |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Stack-based buffer overflow
EUVDB-ID: #VU44003
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2012-2035
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing unspecified vectors. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsAdobe AIR: 1.0 - 3.2.0.2070
CPE2.3- cpe:2.3:a:adobe:adobe_air:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.8.4990:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00006.html
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00007.html
https://rhn.redhat.com/errata/RHSA-2012-0722.html
https://www.adobe.com/support/security/bulletins/apsb12-14.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU44004
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2012-2036
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Integer overflow in Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsAdobe AIR: 1.0 - 3.2.0.2070
CPE2.3- cpe:2.3:a:adobe:adobe_air:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.8.4990:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00006.html
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00007.html
https://rhn.redhat.com/errata/RHSA-2012-0722.html
https://www.adobe.com/support/security/bulletins/apsb12-14.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU44005
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2012-2037
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-2034.
MitigationInstall update from vendor's website.
Vulnerable software versionsAdobe AIR: 1.0 - 3.2.0.2070
CPE2.3- cpe:2.3:a:adobe:adobe_air:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.8.4990:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00006.html
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00007.html
https://rhn.redhat.com/errata/RHSA-2012-0722.html
https://www.adobe.com/support/security/bulletins/apsb12-14.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU44006
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2012-2038
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsAdobe AIR: 1.0 - 3.2.0.2070
CPE2.3- cpe:2.3:a:adobe:adobe_air:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.8.4990:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00006.html
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00007.html
https://rhn.redhat.com/errata/RHSA-2012-0722.html
https://www.adobe.com/support/security/bulletins/apsb12-14.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) NULL pointer dereference
EUVDB-ID: #VU44007
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2012-2039
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via unspecified vectors.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsAdobe AIR: 1.0 - 3.2.0.2070
CPE2.3- cpe:2.3:a:adobe:adobe_air:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.8.4990:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00006.html
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00007.html
https://rhn.redhat.com/errata/RHSA-2012-0722.html
https://www.adobe.com/support/security/bulletins/apsb12-14.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU44008
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2012-2040
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Untrusted search path vulnerability in the installer in Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows local users to gain privileges via a Trojan horse executable file in an unspecified directory. http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path'
MitigationInstall update from vendor's website.
Vulnerable software versionsAdobe AIR: 1.0 - 3.2.0.2070
CPE2.3- cpe:2.3:a:adobe:adobe_air:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.8.4990:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00006.html
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00007.html
https://www.adobe.com/support/security/bulletins/apsb12-14.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU44009
Risk: High
CVSSv4.0: 8.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2012-2034
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-2037.
MitigationInstall update from vendor's website.
Vulnerable software versionsAdobe AIR: 1.0 - 3.2.0.2070
CPE2.3- cpe:2.3:a:adobe:adobe_air:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:1.0.8.4990:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00006.html
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00007.html
https://rhn.redhat.com/errata/RHSA-2012-0722.html
https://www.adobe.com/support/security/bulletins/apsb12-14.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
