CVE-2012-0779
Published 2012-05-04
Priority P180 · critical · 9.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 85.70% (99.7th percentile)
Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and before 11.1.115.8 on Android 4.x allows remote attackers to execute arbitrary code via a crafted file, related to an "object confusion vulnerability," as exploited in the wild in May 2012.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | flash_player | >= 10.3 < 10.3.183.19 | 10.3.183.19 |
| adobe | flash_player | 11.1 – 11.1.111.8 | — |
| adobe | flash_player | 11.1 – 11.1.115.7 | — |
| adobe | flash_player | 11.2 – 11.2.202.233 | — |
Detection & IOCs
bytes: AMF0 "_error" response (corrupt)
- Exploit is delivered via malicious SWF embedded in a Microsoft Word (.doc) document sent as an email attachment; detect Flash objects invoked from Word documents.
- Exploit targets Flash Player running inside Internet Explorer (classid ShockwaveFlash.ShockwaveFlash) on Windows only; monitor for Flash ActiveX invocations from IE 6–8 on Windows XP.
- Exploit uses RTMP protocol (default port 1935) to deliver a corrupt AMF0 '_error' response; monitor for outbound RTMP connections initiated by iexplore.exe or winword.exe.
- Post-exploitation uses 'migrate -f' as InitialAutoRunScript; monitor for suspicious process migration activity following Flash/IE crashes.
- Exploit delivered via strategic web compromise (watering-hole); sites serving the exploit included Amnesty International Hong Kong and Center for Defense Information — monitor web proxy logs for SWF downloads from unexpected/low-reputation sites.
- Access violation crash signature in Flash32: instruction 'mov eax,dword ptr [edx+2Ch]' at Flash32_11_2_202_228!DllUnregisterServer+0x300e84 with edx=44444444 indicates successful type-confusion exploitation; use crash telemetry or WER to detect.
- Exploit targets only Internet Explorer 6–8 on Windows XP SP3; other browsers and OS platforms are vulnerable to the CVE but this specific in-the-wild exploit does not target them.
- Metasploit module supports ROP chain via msvcrt.dll for IE 8 on XP SP3; stack pivot gadget at 0x77c12100 is msvcrt.dll-specific and may not apply to other patch levels.
- Flash Player installed with Google Chrome auto-updates and is not affected by the in-the-wild exploit vector targeting IE.
CVSS provenance
nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 · CRITICAL
vendor_redhat · 9.3 · CRITICAL
GHSA
GHSA-52cx-xfmv-v52g: Adobe Flash Player before 10
ghsa_unreviewed·2022-05-14
CVE-2012-0779 [HIGH] GHSA-52cx-xfmv-v52g: Adobe Flash Player before 10
VulnCheck
Adobe Flash Player object confusion Remote Code Execution
vulncheck·2012·CVSS 9.3
CVE-2012-0779 [CRITICAL] Adobe Flash Player object confusion Remote Code Execution
Affected: Adobe Flash Player
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2012-0779; http://www.cs.cornell.edu/courses/cs6410/2012fa/slides/Symantec_ElderwoodProject_2012.pdf; https://dl.acm.org/doi/pdf/10.1145/3465481.3465758
Red Hat
flash-plugin: arbitrary code execution via object confusion (APSB12-09)
vendor_redhat·2012-05-04·CVSS 9.3
CVE-2012-0779 [CRITICAL] flash-plugin: arbitrary code execution via object confusion (APSB12-09)
No detection rules found.
Exploit-DB
Adobe Flash Player - Object Type Confusion (Metasploit)
exploitdb·2012-06-25
CVE-2012-0779 Adobe Flash Player - Object Type Confusion (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 OperatingSystems::WINDOWS,
:ua_name => HttpClients::IE,
:ua_minver => "6.0",
:ua_maxver => "8.0",
:method => "GetVariable",
:classid => "ShockwaveFlash.ShockwaveFlash",
:rank => NormalRanking, # reliable memory corruption
:javascript => true
})
def initialize(info={})
super(update_info(info,
'Name' => "Adobe Flash Player Object Type Confusion",
'Description' => %q{
This module exploits a vulnerability found in Adobe Flash
Player. By supplying a corrupt AMF0
```
Metasploit
Adobe Flash Player Object Type Confusion
metasploit
This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 "_error" response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the "World Uyghur Congress Invitation.doc" e-mail attack. According to the advisory, 10.3.183.19 and 11.x before 11.2.202.235 are affected.
Bugzilla
CVE-2012-0779 flash-plugin: arbitrary code execution via object confusion (APSB12-09)
bugzilla·2012-05-04·CVSS 9.3
CVE-2012-0779 [CRITICAL] CVE-2012-0779 flash-plugin: arbitrary code execution via object confusion (APSB12-09)
Adobe security bulletin APSB12-09 describes a security flaw that can lead to arbitrary code execution when a malicious SWF file is opened in Adobe Flash Player:
These updates address an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system.
There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only.
External References:
http://www.adobe.com/support/security/bulletins/apsb12-09.html
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Almuthanna Alageel and Sergio Maffeis
Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
Krebs
Multiple Human Rights, Foreign Policy Sites Hacked
blogs_krebs·2012-05-15·CVSS 9.8
[CRITICAL] Multiple Human Rights, Foreign Policy Sites Hacked
A rash of recent and ongoing targeted attacks involving compromises at high-profile Web sites should serve as a sobering reminder of the need to be vigilant about applying browser updates. Hackers have hit a number of prominent foreign policy and human rights group Web sites, configuring them to serve spyware by exploiting newly patched flaws in widely used software from Adobe and Oracle.
The latest reports of this apparent cyberspy activity come from security experts at Shadowserver.org, a nonprofit that tracks malware attacks typically associated with so-called “advanced persistent threat” (APT) actors. APT is a controversial term that means many things to different folks, but even detractors of the acronym’s overuse acknowledge that it has become a useful shorthand for “We’re pretty su
Krebs
Critical Flash Update Fixes Zero-day Flaw
blogs_krebs·2012-05-04·CVSS 9.3
CVE-2012-0779 [CRITICAL] Critical Flash Update Fixes Zero-day Flaw
Adobe Systems Inc. today issued a security update to its Flash Player software. The company stressed that the update fixes a critical vulnerability that malicious actors have been using in targeted attacks.
Adobe classifies a security flaw as critical if it can be used to break into vulnerable machines without any help from users. The company said the vulnerability (CVE-2012-0779) fixed in the version released today has been exploited in targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message, and that the exploit used in the attacks seen so far target Flash Player on Internet Explorer for Windows only.
Nevertheless, there are updates available for Flash Player versions designed for all operating systems that Adobe supports, including M
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00005.html
- http://osvdb.org/81656
- http://rhn.redhat.com/errata/RHSA-2012-0688.html
- http://secunia.com/advisories/49038
- http://secunia.com/advisories/49096
- http://www.adobe.com/support/security/bulletins/apsb12-09.html
- http://www.securityfocus.com/bid/53395
- http://www.securitytracker.com/id?1027023
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75383