cbcvebase.
CVE-2013-0633
published 2013-02-08

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262…

PriorityP276critical9.3CVSS 2.0
AVNACMAuNCCICAC
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
20.88%
97.2th percentile
Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

Affected

5 ranges
VendorProductVersion rangeFixed in
adobeflash_player>= 10.3 < 10.3.183.5110.3.183.51
adobeflash_player>= 11.1 < 11.1.111.3211.1.111.32
adobeflash_player>= 11.1 < 11.1.115.3711.1.115.37
adobeflash_player>= 11.2 < 11.2.202.26211.2.202.262
adobeflash_player>= 11.5 < 11.5.502.14911.5.502.149

Detection & IOCsextracted from sources · hover to see the quote

otherCVE-2013-0633 targets ActiveX version of Flash Player on Windows (Internet Explorer)
otherCLSID: {D27CDB6E-AE6D-11cf-96B8-444553540000}
otherActiveX method: LoadMovie
otherContent-Type: application/x-shockwave-flash
  • CVE-2013-0633 is delivered via malicious Flash content embedded in a Microsoft Word document sent as an email attachment — hunt for .doc/.docx files containing embedded SWF content.
  • Exploit targets Internet Explorer (ActiveX Flash) exclusively — detections should focus on iexplore.exe spawning child processes or loading suspicious SWF via the Flash ActiveX CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000}.
  • Exploit leverages a predictable SharedUserData address to leak ntdll and bypass ASLR — look for ntdll memory-disclosure patterns or unusual SharedUserData reads in Flash/IE process memory.
  • Metasploit module uses 'migrate -f' as InitialAutoRunScript — watch for iexplore.exe or flash-related processes injecting into or migrating to other processes shortly after SWF load.
  • Exploit SWF is served with a randomised alpha filename (4–7 chars) ending in .swf — network signatures should flag IE fetching randomly-named .swf files with no-cache pragma from exploit kit infrastructure.
  • Exploit targets Flash Player 11.5.x before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 pre-MS13-063 — prioritise detection on unpatched hosts running those OS/Flash combinations.
  • ·The Metasploit module in exploit-db (32959) references CVE-2013-0634 in its metadata/References block, not CVE-2013-0633 — the two CVEs are distinct bugs patched together in APSB13-04; ensure detections are scoped to the correct CVE.
  • ·Vulnerable version ranges differ by platform: Windows/Mac require upgrade to 11.5.502.149+; Linux to 11.2.202.262+; Android 2.x/3.x to 11.1.111.32+; Android 4.x to 11.1.115.37+ — version-based detections must account for all platform branches.

CVSS provenance

nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck9.3CRITICAL
vendor_redhat9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.