CVE-2013-0633
Published 2013-02-08
Priority P276 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 20.88% (97.2th percentile)
Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | flash_player | >= 10.3 < 10.3.183.51 | 10.3.183.51 |
| adobe | flash_player | >= 11.1 < 11.1.111.32 | 11.1.111.32 |
| adobe | flash_player | >= 11.1 < 11.1.115.37 | 11.1.115.37 |
| adobe | flash_player | >= 11.2 < 11.2.202.262 | 11.2.202.262 |
| adobe | flash_player | >= 11.5 < 11.5.502.149 | 11.5.502.149 |
Detection & IOCs (extracted from sources)
- CVE-2013-0633 is delivered via malicious Flash content embedded in a Microsoft Word document sent as an email attachment — hunt for .doc/.docx files containing embedded SWF content.
- Exploit targets Internet Explorer (ActiveX Flash) exclusively — detections should focus on iexplore.exe spawning child processes or loading suspicious SWF via the Flash ActiveX CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000}.
- Exploit leverages a predictable SharedUserData address to leak ntdll and bypass ASLR — look for ntdll memory-disclosure patterns or unusual SharedUserData reads in Flash/IE process memory.
- Metasploit module uses 'migrate -f' as InitialAutoRunScript — watch for iexplore.exe or flash-related processes injecting into or migrating to other processes shortly after SWF load.
- Exploit SWF is served with a randomised alpha filename (4–7 chars) ending in .swf — network signatures should flag IE fetching randomly-named .swf files with no-cache pragma from exploit kit infrastructure.
- Exploit targets Flash Player 11.5.x before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 pre-MS13-063 — prioritise detection on unpatched hosts running those OS/Flash combinations.
- The Metasploit module in exploit-db (32959) references CVE-2013-0634 in its metadata/References block, not CVE-2013-0633 — the two CVEs are distinct bugs patched together in APSB13-04; ensure detections are scoped to the correct CVE.
- Vulnerable version ranges differ by platform: Windows/Mac require upgrade to 11.5.502.149+; Linux to 11.2.202.262+; Android 2.x/3.x to 11.1.111.32+; Android 4.x to 11.1.115.37+ — version-based detections must account for all platform branches.
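The first hunt above (Word attachments carrying embedded SWF) can start from the SWF header itself: a 3-byte signature, a version byte and a 4-byte little-endian length. The following is an added example, not code from any of the cited sources; the function names, the version ceiling and the size caps are assumptions chosen to keep false positives down.

```python
import io
import struct
import zipfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib, LZMA bodies
MAX_SWF_VERSION = 50                    # assumption: plausibility ceiling
MIN_DECLARED, MAX_DECLARED = 21, 64 * 2**20   # assumption: sane length-field range
MAX_MEMBER_SIZE = 32 * 2**20            # assumption: skip oversized ZIP members

def scan_blob(data, origin):
    """Return (origin, offset, magic, version, declared_len) per plausible SWF header."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                (declared,) = struct.unpack_from("<I", data, pos + 4)
                # Plain text that happens to contain "CWS" fails these checks:
                # four ASCII bytes read as a length far exceed MAX_DECLARED.
                if (1 <= version <= MAX_SWF_VERSION
                        and MIN_DECLARED <= declared <= MAX_DECLARED):
                    hits.append((origin, pos, magic.decode(), version, declared))
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h[1])

def scan_document(data, name="attachment"):
    """Scan raw bytes (.doc / OLE) and, for ZIP containers (.docx), every member."""
    hits = scan_blob(data, name)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size <= MAX_MEMBER_SIZE:
                    hits += scan_blob(zf.read(info), f"{name}!{info.filename}")
    return hits
```

A hit is a triage lead rather than a verdict: it says the attachment carries Flash content and should be checked against the affected-version table for the hosts that received it.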
CVSS provenance
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck9.3CRITICAL
vendor_redhat9.3CRITICAL
GHSA
GHSA-rx9m-v5wf-75h4: Buffer overflow in Adobe Flash Player before 10
ghsa_unreviewed·2022-05-14
CVE-2013-0633 [HIGH] CWE-119 GHSA-rx9m-v5wf-75h4: Buffer overflow in Adobe Flash Player before 10
VulnCheck
Adobe Flash Player Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2013·CVSS 9.3
CVE-2013-0633 [CRITICAL] Adobe Flash Player Improper Restriction of Operations within the Bounds of a Memory Buffer
Affected: Adobe Flash Player
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2013-0633; https://securelist.com/adobe-flash-player-0-day-and-hackingteams-remote-control
Red Hat
flash-plugin: multiple code execution flaws (APSB13-04)
vendor_redhat·2013-02-07·CVSS 9.3
CVE-2013-0633 [CRITICAL] flash-plugin: multiple code execution flaws (APSB13-04)
No detection rules found.
Krebs
Critical Flash Player Update Fixes 2 Zero-Days
blogs_krebs·2013-02-07·CVSS 9.3
CVE-2013-0634 [CRITICAL] Critical Flash Player Update Fixes 2 Zero-Days
Adobe today pushed out an emergency update that fixes at least two zero-day vulnerabilities in its ubiquitous Flash Player software — flaws that attackers are already exploiting to break into systems. Interestingly, Adobe warns that one of the exploits in use is designed to drop malware on both Windows and Mac OS X systems.
Adobe said in an advisory that one of the vulnerabilities — CVE-2013-0634 – is being exploited in the wild in attacks delivered via malicious Flash content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment.
Adobe also warned that a separate flaw — CVE-2013-0633 — is being exploited in the wild in targeted
Krebs
Critical Flash Player Update Fixes 2 Zero-Days – Krebs on Security
blogs_krebs·2013-02-01·CVSS 9.3
CVE-2013-0634 [CRITICAL] Critical Flash Player Update Fixes 2 Zero-Days – Krebs on Security
Bugzilla
CVE-2013-0633 CVE-2013-0634 flash-plugin: multiple code execution flaws (APSB13-04)
bugzilla·2013-02-08·CVSS 9.3
CVE-2013-0633 [CRITICAL] CVE-2013-0633 CVE-2013-0634 flash-plugin: multiple code execution flaws (APSB13-04)
Adobe security bulletin APSB13-04 describes two security flaws that could cause Adobe Flash Player to crash and potentially allow an attacker to take control of the affected system:
This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2013-0633).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2013-0634).
External References:
http://www.adobe.com/support/security/bulletins/apsb13-04.html
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Via RHSA-2013:0243 https://rhn.redhat.com/errata/RHSA-2013-0243.html
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00007.html
http://rhn.redhat.com/errata/RHSA-2013-0243.html
http://www.adobe.com/support/security/bulletins/apsb13-04.html