Multiple vulnerabilities in Adobe Flash Player

Published: 2014-02-20 00:00:00 | Updated: 2017-01-20
Severity: Critical
Patch available: YES
Number of vulnerabilities: 3
CVE ID: CVE-2014-0499, CVE-2014-0498, CVE-2014-0502
CVSSv3:
6.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CWE ID: CWE-200, CWE-121, CWE-415
Exploitation vector: Network
Public exploit: Vulnerability #3 is being exploited in the wild.
Vulnerable software: Adobe Flash Player, Adobe Flash Player for Linux, Adobe AIR
Vulnerable software versions:
Adobe Flash Player 12.0.0.70
Adobe Flash Player 12.0.0.44
Adobe Flash Player 12.0.0.38
Adobe Flash Player 12.0.0.41
Adobe Flash Player 12.0.0.43
Adobe Flash Player for Linux 11.2.202.341
Adobe Flash Player for Linux 11.2.202.336
Adobe Flash Player for Linux 11.2.202.335
Adobe AIR 4.0.0.1628
Adobe AIR 4.0.0.1390
Vendor URL: Adobe

Security Advisory

1) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a memory leak error when processing .swf files. A remote attacker can create a specially crafted Web page, trick the victim into visiting it, and bypass the ASLR (address space layout randomization) protection mechanism.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.

Remediation

Install the update from the vendor's website.

External links

https://helpx.adobe.com/security/products/flash-player/apsb14-07.html

2) Stack-based buffer overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a stack-based buffer overflow when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.


Remediation

Install the update from the vendor's website.

External links

https://helpx.adobe.com/security/products/flash-player/apsb14-07.html

3) Double free

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a double free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Remediation

Install the update from the vendor's website.

External links

https://helpx.adobe.com/security/products/flash-player/apsb14-07.html
