CVE-2012-1535
Published: 2012-08-15
Priority: P182 · high · 7.8 (CVSS 3.1)
CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 70.38% (99.3th percentile)
Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content, as exploited in the wild in August 2012 with SWF content in a Word document.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | flash_player | < 11.3.300.271 | 11.3.300.271 |
| adobe | flash_player | < 11.2.202.238 | 11.2.202.238 |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
| suse | linux_enterprise_desktop | — | — |
Detection & IOCs
Snort SIDs: 23853, 23854, 23856, 23857, 23857 - 23862, 18546, 18549
- Detect SWF content embedded inside Microsoft Word documents — the primary delivery mechanism for this exploit. Snort SIDs 18546 (HTTP) and 18549 (SMTP) cover this generically and would have caught the attack before public disclosure.
- Hunt for unencoded, unobfuscated heap spray byte sequences inside SWF files delivered via Word documents — the in-the-wild samples contained plaintext heap spray strings with no compression or obfuscation.
- The exploit specifically targets the ActiveX version of Flash Player for Internet Explorer on Windows; prioritise detection on IE/ActiveX Flash delivery paths.
- The exploit abuses a kern table integer overflow in OTF font parsing inside Flash; look for SWF files referencing malformed OTF fonts with anomalously large nTables values in the kern header.
- The Metasploit module forces URIPATH to fewer than 3 characters; short random alphanumeric URIs ending in .swf (e.g. /ab.swf) combined with a companion /pay.txt request from the same client are a strong indicator of exploitation activity.
- Look for HTTP requests containing an x-flash-version header followed by a .txt payload request from the same session — the Metasploit module uses this pattern to fingerprint the Flash version and serve the correct ROP chain.
- Enabling SIDs 18546/18549 (Flash-in-Word detection) may produce false positives in environments where embedding Flash in Word documents is a legitimate business practice; evaluate before deploying in blocking mode.
- Simply compressing the malicious SWF would defeat the plaintext heap-spray byte signatures (SIDs 23856–23862); these rules are effective only against the specific unobfuscated in-the-wild samples and should be supplemented with vulnerability-level rules (SIDs 23853/23854).
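The compression caveat above, as an added example (not code from this page or from any of its sources): a scanner that locates SWF headers inside a raw document blob and inflates zlib-compressed (CWS) bodies before looking for filler runs, so the same byte heuristic sees both forms. The run threshold, function names and sample bytes are constructed assumptions; LZMA-compressed (ZWS) SWF and zipped containers such as .docx would need unpacking first.

```python
import struct
import zlib

SPRAY_RUN_MIN = 64               # assumed threshold (bytes) for a filler run
MAX_INFLATE = 32 * 1024 * 1024   # cap on inflated size, guards against bombs

def longest_repeat_run(data, unit=4):
    """Longest run (bytes) of a non-zero pattern repeating every `unit` bytes."""
    best = run = 0
    for i in range(unit, len(data)):
        run = run + 1 if data[i] and data[i] == data[i - unit] else 0
        best = max(best, run)
    return best + unit if best else 0

def find_embedded_swf(blob):
    """Yield (offset, magic, body) per SWF header found; CWS bodies are inflated."""
    for magic in (b"FWS", b"CWS"):          # uncompressed / zlib-compressed SWF
        pos = blob.find(magic)
        while pos != -1:
            hdr = blob[pos:pos + 8]
            length = struct.unpack("<I", hdr[4:8])[0] if len(hdr) == 8 else 0
            # Plausible version byte and declared size cut chance magic hits.
            if length > 8 and 1 <= hdr[3] <= 50:
                body = blob[pos + 8:]
                try:
                    if magic == b"CWS":
                        limit = min(length, MAX_INFLATE)
                        body = zlib.decompressobj().decompress(body, limit)
                    else:
                        body = body[:length - 8]
                    yield pos, magic.decode(), body
                except zlib.error:
                    pass                    # magic matched by chance, not a SWF
            pos = blob.find(magic, pos + 1)

def scan(blob):
    """Report each embedded SWF and whether its body holds a long filler run."""
    return [{"offset": off, "magic": magic, "spray_run": run,
             "suspicious": run >= SPRAY_RUN_MIN}
            for off, magic, body in find_embedded_swf(blob)
            for run in [longest_repeat_run(body)]]

def make_sample(compressed, filler=b"\x0c" * 256):
    """Constructed test document: fake container bytes wrapping a toy SWF."""
    body = b"\x01\x02tag-data" + filler + b"end"
    magic = b"CWS" if compressed else b"FWS"
    head = struct.pack("<3sBI", magic, 10, len(body) + 8)
    payload = zlib.compress(body) if compressed else body
    return b"\xd0\xcf\x11\xe0 constructed-doc " + head + payload + b" trailer"
```

A raw search for the filler bytes finds them in `make_sample(False)` but not in `make_sample(True)`, while `scan()` flags both.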
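CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |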
GHSA
GHSA-5876-f5vv-fv9w: Unspecified vulnerability in Adobe Flash Player before 11
ghsa_unreviewed·2022-05-14
CVE-2012-1535 [HIGH] CWE-20 GHSA-5876-f5vv-fv9w: Unspecified vulnerability in Adobe Flash Player before 11
Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content, as exploited in the wild in August 2012 with SWF content in a Word document.
VulnCheck
Adobe Flash Player Arbitrary Code Execution Vulnerability
vulncheck·2012·CVSS 7.8
CVE-2012-1535 [HIGH] Adobe Flash Player Arbitrary Code Execution Vulnerability
Unspecified vulnerability in Adobe Flash Player allows remote attackers to execute arbitrary code or cause a denial of service via crafted SWF content.
Affected: Adobe Flash Player
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2012-1535; http://www.cs.cornell.edu/courses/cs6410/2012fa/slides/Symantec_ElderwoodProject_2012.pdf; https://dl.acm.org/doi/pdf/10.1145/3465481.3465758; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-03-24
CISA
Adobe Flash Player Arbitrary Code Execution Vulnerability
cisa·2022-03-03·CVSS 7.8
CVE-2012-1535 [HIGH] Adobe Flash Player Arbitrary Code Execution Vulnerability
Vulnerability: Adobe Flash Player Arbitrary Code Execution Vulnerability
Affected: Adobe Flash Player
Unspecified vulnerability in Adobe Flash Player allows remote attackers to execute arbitrary code or cause a denial of service via crafted SWF content.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2012-1535
Remediation Due Date: 2022-03-24
Red Hat
flash-plugin: code execution flaw (APSB12-18)
vendor_redhat·2012-08-14·CVSS 7.8
CVE-2012-1535 [HIGH] flash-plugin: code execution flaw (APSB12-18)
Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content, as exploited in the wild in August 2012 with SWF content in a Word document.
No detection rules found.
Exploit-DB
Adobe Flash Player 11.3 - Font Parsing Code Execution (Metasploit)
exploitdb·2012-08-20
CVE-2012-1535 Adobe Flash Player 11.3 - Font Parsing Code Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 "Adobe Flash Player 11.3 Font Parsing Code Execution",
'Description' => %q{
This module exploits a vulnerability found in the ActiveX component of Adobe
Flash Player before 11.3.300.271. By supplying a corrupt Font file used by the SWF,
it is possible to gain arbitrary remote code execution under the context of the
user, as exploited in the wild.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alexander Gavrun', #Through iDefense
'sinn3r',
'juan vazque
Metasploit
Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow
metasploit
This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a specially crafted .otf font file with a large nTables value in the 'kern' header, it is possible to trigger an integer overflow, which results in remote code execution under the context of the user. This vulnerability has also been exploited in the wild in limited targeted attacks. Please note in order to ensure reliability, the exploit is forced to modify your URIPATH parameter to less than 3 characters, which may cause possible URIPATH collisions.
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Almuthanna Alageel and Sergio Maffeis
Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
arXiv
Unsupervised Anomaly-based Malware Detection using Hardware Features
arxiv_fulltext·2014-03-28
Adrian Tang, Simha Sethumadhavan, Salvatore Stolfo
Department of Computer Science, Columbia University, New York, NY, USA
{atang, simha, sal}@cs.columbia.edu
## Abstract
Recent works have shown promise in using microarchitectural execution
patterns to detect malware programs. These detectors belong to a
class of detectors known as signature-based detectors as they
catch malware by comparing a program's execution pattern (signature)
to execution patterns of known malware programs. In this
work, we propose a new class of detectors --- anomaly-based hardware
malware detectors --- that do not require signatures for malware
detection, and thus can catch a wider range of malware including
potential
Bugzilla
CVE-2012-1535 flash-plugin: code execution flaw (APSB12-18)
bugzilla·2012-08-14·CVSS 7.8
CVE-2012-1535 [HIGH] CVE-2012-1535 flash-plugin: code execution flaw (APSB12-18)
Adobe security bulletin APSB12-18 describes one security flaw that could cause Adobe Flash Player to crash and potentially allow an attacker to take control of the affected system:
Adobe has released security updates for Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux. These updates address a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system.
There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.
External Reference:
Talos
CVE-2012-1535: Flash 0-day In The Wild
blogs_talos·2012-08-16·CVSS 7.8
CVE-2012-1535 [HIGH] CVE-2012-1535: Flash 0-day In The Wild
Yesterday Adobe released APSB12-18, which addressed CVE-2012-1535. As noted in the Adobe bulletin, the vulnerability has been actively exploited in the wild, though primarily in targeted attacks wrapped in Microsoft Word documents.
The VRT was able to obtain a sample of one of the documents that has been circulating in the wild, and has created several new rules that detect it. While the vulnerability itself is complex - as are most Flash issues - there are several extremely obvious indicators of malicious intent in the file, including plaintext strings and several unencoded, unobfuscated characters commonly associated with heap spray techniques. Given that even compressing the Flash - which is trivial to do, and commonly found in the field - would have obscured these indicators, we're a
Krebs
Critical Security Fixes from Adobe, Microsoft
blogs_krebs·2012-08-14·CVSS 7.8
[HIGH] Critical Security Fixes from Adobe, Microsoft
Adobe and Microsoft each issued security updates today to fix critical vulnerabilities in their software. Adobe’s fixes include a patch for a Flash Player flaw that is actively being exploited to break into Windows computers. Microsoft’s Patch Tuesday release includes nine patch bundles — more than half of them rated critical — addressing at least 27 security holes in Windows and related software.
The most pressing of the updates Adobe released today is the Flash Player patch, which fixes a critical flaw (CVE-2012-1535) in the ubiquitous media player software. Adobe says there are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Microsoft Word document. The exploit targets the ActiveX version of Flash Player for Int
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00012.html
- http://marc.info/?l=bugtraq&m=139455789818399&w=2
- http://rhn.redhat.com/errata/RHSA-2012-1203.html
- http://security.gentoo.org/glsa/glsa-201209-01.xml
- http://www.adobe.com/support/security/bulletins/apsb12-18.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-1535
- 2012-08-15: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild