#VU3087 Heap-based buffer overflow in Adobe Flash Player and Adobe AIR - CVE-2010-1297
Published: January 3, 2017 / Updated: October 5, 2021
Vulnerability identifier: #VU3087
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2010-1297
CWE-ID: CWE-119
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
Adobe Flash Player
Adobe AIR
Adobe Flash Player
Adobe AIR
Software vendor:
Adobe
Adobe
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, cause heap-based buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Remediation
Install the latest version from vendor's website. The vulnerability is fixed in the following versions:
- Flash Player 10.1.53.64
- AIR 2.0.2.12610
- Flash Professional CS5 10.1.53.64
- Flash CS4 Professional and Flex 4 10.1.53.64
- Flash CS3 Professional and Flex 3 9.0.277.0