CVE-2012-0779
published 2012-05-04

CVE-2012-0779: Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and before…

Priority: P1 80
Severity: critical, CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 85.70% (99.7th percentile)
Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and before 11.1.115.8 on Android 4.x allows remote attackers to execute arbitrary code via a crafted file, related to an "object confusion vulnerability," as exploited in the wild in May 2012.

Affected (4 ranges)

Vendor   Product        Version range              Fixed in
adobe    flash_player   >= 10.3, < 10.3.183.19     10.3.183.19
adobe    flash_player   11.1 – 11.1.111.8
adobe    flash_player   11.1 – 11.1.115.7
adobe    flash_player   11.2 – 11.2.202.233

Detection & IOCs (extracted from sources)

filename: World Uyghur Congress Invitation.doc
path: data/exploits/CVE-2012-0779.swf
bytes: AMF0 "_error" response (corrupt)
  • Exploit is delivered via malicious SWF embedded in a Microsoft Word (.doc) document sent as an email attachment; detect Flash objects invoked from Word documents.
  • Exploit targets Flash Player running inside Internet Explorer (classid ShockwaveFlash.ShockwaveFlash) on Windows only; monitor for Flash ActiveX invocations from IE 6–8 on Windows XP.
  • Exploit uses RTMP protocol (default port 1935) to deliver a corrupt AMF0 '_error' response; monitor for outbound RTMP connections initiated by iexplore.exe or winword.exe.
  • Post-exploitation uses 'migrate -f' as InitialAutoRunScript; monitor for suspicious process migration activity following Flash/IE crashes.
  • Exploit delivered via strategic web compromise (watering-hole); sites serving the exploit included Amnesty International Hong Kong and Center for Defense Information — monitor web proxy logs for SWF downloads from unexpected/low-reputation sites.
  • Access violation crash signature in Flash32: instruction 'mov eax,dword ptr [edx+2Ch]' at Flash32_11_2_202_228!DllUnregisterServer+0x300e84 with edx=44444444 indicates successful type-confusion exploitation; use crash telemetry or WER to detect.
  • Exploit targets only Internet Explorer 6–8 on Windows XP SP3; other browsers and OS platforms are vulnerable to the CVE, but this specific in-the-wild exploit does not target them.
  • Metasploit module supports a ROP chain via msvcrt.dll for IE 8 on XP SP3; the stack pivot gadget at 0x77c12100 is msvcrt.dll-specific and may not apply to other patch levels.
  • Flash Player installed with Google Chrome auto-updates and is not affected by the in-the-wild exploit vector targeting IE.

CVSS provenance

nvd: CVSS v2.0, 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 9.3 CRITICAL
vendor_redhat: 9.3 CRITICAL