CVE-2013-0648
Published 2013-02-27
Priority P179 high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2024-10-08
Exploited in the wild
EPSS: 11.09% (95.4th percentile)
Unspecified vulnerability in the ExternalInterface ActionScript functionality in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | flash_player | < 10.3.183.67 | 10.3.183.67 |
| adobe | flash_player | >= 11.0 < 11.6.602.171 | 11.6.602.171 |
| adobe | flash_player | >= 11.0 < 11.2.202.273 | 11.2.202.273 |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_eus | — | — |
| redhat | enterprise_linux_eus | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_workstation | — | — |
| suse | linux_enterprise_desktop | — | — |
| suse | linux_enterprise_desktop | — | — |
Detection & IOCs (extracted from sources)
- CVE-2013-0648 exploits target Firefox browser users via crafted SWF content delivered through a redirect chain; monitor for Firefox processes loading Flash content from unexpected or newly-visited domains
- Attack vector is a user clicking a link that redirects to a site serving malicious SWF content; look for redirect chains terminating in .swf file downloads or Flash content loads in network logs
- Vulnerable Flash versions to flag in endpoint telemetry: 11.5.502.146 (Mac/Windows) and 11.2.202.261 (Linux); presence of these versions indicates unpatched exposure to active in-the-wild exploitation
- Also flag Android Flash versions 11.1.115.36 (Android 4.x) and 11.1.111.31 (Android 3.x and 2.x) as vulnerable in mobile device management or endpoint inventory
- The vulnerability resides in the ExternalInterface ActionScript functionality; inspect SWF files for use of ExternalInterface calls as a triage indicator for malicious content
- Exploitation was confirmed in the wild in February 2013; patched versions are 10.3.183.67 and 11.6.602.171 (Windows/Mac) and 11.2.202.273 (Linux); detections should focus on versions below these thresholds
- Adobe Flash Player is end-of-life; any detection rules or blocklists built around this CVE should account for the product no longer receiving updates, meaning all remaining Flash installations are permanently vulnerable
CVSS provenance
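| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |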
GHSA
GHSA-5m8p-88m5-5qqp: Unspecified vulnerability in the ExternalInterface ActionScript functionality in Adobe Flash Player before 10
ghsa_unreviewed·2022-05-14
CVE-2013-0648 [HIGH] GHSA-5m8p-88m5-5qqp: Unspecified vulnerability in the ExternalInterface ActionScript functionality in Adobe Flash Player before 10
Unspecified vulnerability in the ExternalInterface ActionScript functionality in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.
VulnCheck
Adobe Flash Player Code Execution Vulnerability
vulncheck·2013·CVSS 8.8
CVE-2013-0648 [HIGH] Adobe Flash Player Code Execution Vulnerability
Adobe Flash Player contains an unspecified vulnerability in the ExternalInterface ActionScript functionality that allows a remote attacker to execute arbitrary code via crafted SWF content.
Affected: Adobe Flash Player
Required Action: The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.
Exploitation References: https://cisa.gov/news-events/alerts/2013/02/27/security-updates-available-adobe-flash-player; https://www.cve.org/CVERecord?id=CVE-2013-0648; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2024-10-08
CISA
Adobe Flash Player Code Execution Vulnerability
cisa·2024-09-17·CVSS 8.8
CVE-2013-0648 [HIGH] Adobe Flash Player Code Execution Vulnerability
Vulnerability: Adobe Flash Player Code Execution Vulnerability
Affected: Adobe Flash Player
Adobe Flash Player contains an unspecified vulnerability in the ExternalInterface ActionScript functionality that allows a remote attacker to execute arbitrary code via crafted SWF content.
Required Action: The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.
Notes: https://www.adobe.com/products/flashplayer/end-of-life-alternative.html#eol-alternative-faq; https://nvd.nist.gov/vuln/detail/CVE-2013-0648
Remediation Due Date: 2024-10-08
Red Hat
flash-plugin: multiple code execution flaws (APSB13-08)
vendor_redhat·2013-02-26·CVSS 8.8
CVE-2013-0648 [HIGH] flash-plugin: multiple code execution flaws (APSB13-08)
Unspecified vulnerability in the ExternalInterface ActionScript functionality in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.
No detection rules found.
No public exploits indexed.
Krebs
Flash Player Update Fixes Zero-Day Flaws
blogs_krebs·2013-02-27·CVSS 8.8
CVE-2013-0643 [HIGH] Flash Player Update Fixes Zero-Day Flaws
Adobe has released an emergency update for its Flash Player software that fixes three critical vulnerabilities, two of which the company warns are actively being exploited to compromise systems.
In an advisory, Adobe said two of the bugs quashed in this update (CVE-2013-0643 and CVE-2013-0648) are being used by attackers to target Firefox users. The company noted that the attacks are designed to trick users into clicking a link which redirects to a Web site serving malicious Flash content.
Readers can be forgiven for feeling patch fatigue with Flash: This is the third security update that Adobe has shipped for Flash in the last month. On Feb. 12, Adobe released a patch to plug at least 17 security holes in Flash. On Feb. 7, Adobe rushed out an update to fix two other flaws that attackers
Bugzilla
CVE-2013-0504 CVE-2013-0648 flash-plugin: multiple code execution flaws (APSB13-08)
bugzilla·2013-02-26·CVSS 10.0
CVE-2013-0504 [CRITICAL] CVE-2013-0504 CVE-2013-0648 flash-plugin: multiple code execution flaws (APSB13-08)
Adobe security bulletin APSB13-08 describes multiple security flaws that could cause Adobe Flash Player to crash and potentially allow an attacker to take control of the affected system:
This update resolves a vulnerability in the ExternalInterface ActionScript feature, which can be exploited to execute malicious code (CVE-2013-0648).
This update resolves a buffer overflow vulnerability in a Flash Player broker service, which can be used to execute malicious code (CVE-2013-0504).
External References:
http://www.adobe.com/support/security/bulletins/apsb13-08.html
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Ent
Bugzilla
Blocklist/Click-to-Play Adobe Flash Player 11.5.502.146 (Mac, Windows), 11.2.202.261 (Linux)
bugzilla·2013-02-08·CVSS 8.8
[HIGH] Blocklist/Click-to-Play Adobe Flash Player 11.5.502.146 (Mac, Windows), 11.2.202.261 (Linux)
There is a new Adobe Flash update out there, so I suppose we might want to blocklist the old version.
According to the bug report some interesting reporters appear, which alludes that this vulnerability has already been exploited in the wild for high-profile attacks (see news article linked in URL field).
Request:
Block these versions of Adobe Flash Player:
11.5.502.146 (Mac, Windows)
11.2.202.261 (Linux)
and in case we have this feature in fennec, please include:
11.1.115.36 (Android 4.x)
11.1.111.31 (Android 3.x and 2.x.)
Discussion:
If anything, we'd need to also block all older versions than those, as those are also vulnerable. That said, I think we are not yet ready for wide-ranged block
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00035.html
- http://rhn.redhat.com/errata/RHSA-2013-0574.html
- http://www.adobe.com/support/security/bulletins/apsb13-08.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0648
2013-02-27: Published
2024-09-17: Added to CISA KEV
Exploited in the wild