CVE-2014-0497
published 2014-02-05
CVE-2014-0497: Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on…
Priority P195 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-10-08
Exploited in the wild
EPSS
99.88%
100.0th percentile
Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | flash_player | < 11.2.202.336 | 11.2.202.336 |
| adobe | flash_player | < 11.7.700.261 | 11.7.700.261 |
| adobe | flash_player | >= 11.8.800.94 < 12.0.0.44 | 12.0.0.44 |
| google | chrome | < 32.0.1700.107 | 32.0.1700.107 |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_eus | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_workstation | — | — |
| redhat | enterprise_linux_workstation | — | — |
| suse | linux_enterprise_desktop | — | — |
Detection & IOCs (extracted from sources)
- The exploit delivers a specially crafted SWF file via HTTP with Content-Type 'application/x-shockwave-flash' and 'Pragma: no-cache' headers; detect HTTP responses serving SWF payloads with these headers to IE clients using the Flash ActiveX CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000}.
- The exploit targets the ActiveX component of Adobe Flash Player (CLSID D27CDB6E-AE6D-11cf-96B8-444553540000) using the 'LoadMovie' method; monitor for invocation of this method from browser processes.
- The exploit targets only Internet Explorer on Windows with Flash versions matching /^11\./; scope detection to IE user-agent strings loading SWF content from exploit-served pages.
- Post-exploitation, the Metasploit module auto-runs 'migrate -f' to migrate the injected process; detect unexpected process migration or spawning from Flash Player (e.g., FlashPlayerPlugin.exe spawning child processes).
- The exploit was observed in the wild in February 2014 targeting Adobe Flash Player versions before 12.0.0.44 on Windows/Mac and before 11.2.202.336 on Linux; flag any Flash Player process running versions in the targeted range listed in the module comments.
- The exploit HTML template embeds the SWF via an <object> tag with a randomly named .swf URI; detect browser requests for short random-alpha-named .swf files (4–6 character random alpha filenames) from exploit landing pages.
- The Metasploit module targets Flash ActiveX (Internet Explorer on Windows only); the in-the-wild exploit may have targeted additional browsers or platforms not covered by this module.
- The module targets Flash versions matching /^11\./ but the CVE affects versions before 12.0.0.44 (Windows/Mac) and before 11.2.202.336 (Linux); ensure detection coverage includes Flash 12.0.x < 12.0.0.44.
- Adobe's advisory provided no technical details about the in-the-wild attack vector beyond crediting Kaspersky Lab researchers; the full attack chain may differ from the public Metasploit module.
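The detection notes above can be combined into one triage pass over web-proxy records. This is an added example, not code from this page or from the Metasploit module; the record field names (`uri`, `resp_content_type`, `resp_pragma`, `user_agent`, `flash_version`, `platform`) and the sample records are constructed assumptions, and the version check follows the affected ranges in the CVE description.

```python
import re

# Short random-alpha .swf name (4-6 letters), per the detection notes above.
SWF_NAME = re.compile(r"/[A-Za-z]{4,6}\.swf(?:\?.*)?$")
IE_UA = re.compile(r"MSIE \d+\.|Trident/\d+")
NETWORK = {"swf-content-type", "pragma-no-cache", "short-alpha-swf-name", "ie-client"}

def flash_vulnerable(version, platform):
    """True if a dotted Flash version is in the ranges the CVE text lists."""
    if not re.fullmatch(r"\d+(\.\d+){3}", version or ""):
        return False
    v = tuple(int(p) for p in version.split("."))
    if platform == "linux":
        return v < (11, 2, 202, 336)
    # Windows / Mac OS X: before 11.7.700.261, or 11.8.x through 12.0.x before 12.0.0.44
    return v < (11, 7, 700, 261) or (11, 8, 0, 0) <= v < (12, 0, 0, 44)

def indicators(rec):
    """Names of the heuristics one proxy record matches (field names are assumed)."""
    hits = set()
    ctype = rec.get("resp_content_type", "").split(";")[0].strip().lower()
    if ctype == "application/x-shockwave-flash":
        hits.add("swf-content-type")
    if "no-cache" in rec.get("resp_pragma", "").lower():
        hits.add("pragma-no-cache")
    if SWF_NAME.search(rec.get("uri", "")):
        hits.add("short-alpha-swf-name")
    if IE_UA.search(rec.get("user_agent", "")):
        hits.add("ie-client")
    if flash_vulnerable(rec.get("flash_version"), rec.get("platform", "windows")):
        hits.add("affected-flash-version")
    return hits

def triage(rec):
    """'alert': all network heuristics plus an affected version; 'review': network only."""
    hits = indicators(rec)
    if NETWORK <= hits:
        return "alert" if "affected-flash-version" in hits else "review"
    return "ignore"

# Constructed sample records (not real traffic).
IE9 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
SWF = "application/x-shockwave-flash"
SAMPLES = [
    {"uri": "/aBcDe.swf", "resp_content_type": SWF, "resp_pragma": "no-cache",
     "user_agent": IE9, "flash_version": "11.7.700.202", "platform": "windows"},
    {"uri": "/aBcDe.swf", "resp_content_type": SWF, "resp_pragma": "no-cache",
     "user_agent": IE9, "flash_version": "12.0.0.44", "platform": "windows"},
    {"uri": "/static/video-player_v2.swf", "resp_content_type": SWF, "resp_pragma": "",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0",
     "flash_version": "11.2.202.335", "platform": "linux"},
]
```

The third record shows why the version check is kept separate from the network heuristics: an affected Linux host still needs patching even though its traffic does not match the IE-only module.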
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
vendor_redhat · 9.8 CRITICAL
GHSA
GHSA-qx9j-q623-p5fh: Integer underflow in Adobe Flash Player before 11
ghsa_unreviewed·2022-05-14
CVE-2014-0497 [HIGH] CWE-191 GHSA-qx9j-q623-p5fh: Integer underflow in Adobe Flash Player before 11
Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors.
VulnCheck
Adobe Flash Player Integer Underflow Vulnerability
vulncheck·2014·CVSS 9.8
CVE-2014-0497 [CRITICAL] CWE-191 Adobe Flash Player Integer Underflow Vulnerability
Adobe Flash Player Integer Underflow Vulnerability
Adobe Flash Player contains an integer underflow vulnerability that allows a remote attacker to execute arbitrary code.
Affected: Adobe Flash Player
Required Action: The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.
Exploitation References: https://resources.infosecinstitute.com/topic/the-hacking-team-hack-when-hackers-have-become-the-target/; https://securelist.com/darkhotels-attacks-in-2015/71713/; https://www.scribd.com/document/516749423/inzimam-2019-ijca-919742; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2024-10-08
CISA
Adobe Flash Player Integer Underflow Vulnerability
cisa·2024-09-17·CVSS 9.8
CVE-2014-0497 [CRITICAL] CWE-191 Adobe Flash Player Integer Underflow Vulnerability
Vulnerability: Adobe Flash Player Integer Underflow Vulnerability
Affected: Adobe Flash Player
Adobe Flash Player contains an integer underflow vulnerability that allows a remote attacker to execute arbitrary code.
Required Action: The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.
Notes: https://www.adobe.com/products/flashplayer/end-of-life-alternative.html#eol-alternative-faq ; https://nvd.nist.gov/vuln/detail/CVE-2014-0497
Remediation Due Date: 2024-10-08
Red Hat
flash-plugin: integer underflow flaw leads to arbitrary code execution (APSB14-04)
vendor_redhat·2014-02-04·CVSS 9.8
CVE-2014-0497 [CRITICAL] CWE-190 flash-plugin: integer underflow flaw leads to arbitrary code execution (APSB14-04)
flash-plugin: integer underflow flaw leads to arbitrary code execution (APSB14-04)
Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors.
No detection rules found.
Exploit-DB
Adobe Flash Player - Integer Underflow Remote Code Execution (Metasploit)
exploitdb·2014-05-06
CVE-2014-0497 Adobe Flash Player - Integer Underflow Remote Code Execution (Metasploit)
Adobe Flash Player - Integer Underflow Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "Adobe Flash Player Integer Underflow Remote Code Execution",
'Description' => %q{
This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player
before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an
integer underflow in several avm2 instructions, which can be turned into remote code
execution under the context of the user, as exploited in the wild in February 2014. This
module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP
SP3, Windows 7 SP1 and
Metasploit
Adobe Flash Player Integer Underflow Remote Code Execution
metasploit
Adobe Flash Player Integer Underflow Remote Code Execution
Adobe Flash Player Integer Underflow Remote Code Execution
This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an integer underflow in several avm2 instructions, which can be turned into remote code execution under the context of the user, as exploited in the wild in February 2014. This module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8 even when it includes rop chains for several Flash 11 versions, as exploited in the wild.
Securelist
How Security Products are Tested – Part 1
blogs_securelist·2017-02-27
How Security Products are Tested – Part 1
Table of Contents
- Basic testing methodologies
- Specialized tests
- Types of tests
- Market players
- How to win tests
Authors
- Vyacheslav Zakorzhevsky
## Methodologies and the main players
The demand for tests appeared almost simultaneously with the development of the first antivirus programs – in the mid-to-late 1990s. Demand created supply: test labs at computer magazines started to measure the effectiveness of security solutions with the help of self-made methodologies, and later an industry of specialized companies emerged with a more comprehensive approach to testing methods.
The first primitive tests scanning huge collections of malicious and supposedly malicious files taken from everywhere were rightfully criticized first and foremost by the vendors. Such tests were chara
Krebs
Adobe Pushes Fix for Flash Zero-Day Attack
blogs_krebs·2014-02-04·CVSS 9.8
CVE-2014-0497 [CRITICAL] Adobe Pushes Fix for Flash Zero-Day Attack
Adobe Systems Inc. is urging users of its Flash Player software to upgrade to a newer version released today. The company warns that an exploit targeting a previously unknown and critical Flash security vulnerability exists in the wild, and that this flaw allows attackers to take complete control over affected systems.
The latest versions that include the fix for this flaw (CVE-2014-0497) are listed by operating system in the chart below.
The Flash update brings the media player to version 12.0.0.44 for a majority of users on Windows and Mac OS X. This link will tell you which version of Flash your browser has installed. IE10/IE11 and Chrome should auto-update their versions of Flash to v. 12.0.0.44. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated,
Krebs
Adobe Pushes Fix for Flash Zero-Day Attack – Krebs on Security
blogs_krebs·2014-02-01·CVSS 9.8
CVE-2014-0497 [CRITICAL] Adobe Pushes Fix for Flash Zero-Day Attack – Krebs on Security
Adobe Systems Inc. is urging users of its Flash Player software to upgrade to a newer version released today. The company warns that an exploit targeting a previously unknown and critical Flash security vulnerability exists in the wild, and that this flaw allows attackers to take complete control over affected systems.
The latest versions that include the fix for this flaw (CVE-2014-0497) are listed by operating system in the chart below.
The Flash update brings the media player to version 12.0.0.44 for a majority of users on Windows and Mac OS X. This link will tell you which version of Flash your browser has installed. IE10/IE11 and Chrome should auto-update their versions of Flash to v. 12.0.0.44. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updat
Zscaler
Zscaler found Multiple Security Vulnerabilities | 02-11-2014
blogs_zscaler
Zscaler found Multiple Security Vulnerabilities | 02-11-2014
Recorded Future
Tracking Moving Targets: Exploit Kits and CVEs
blogs_recorded_future
Tracking Moving Targets: Exploit Kits and CVEs
# Tracking Moving Targets: Exploit Kits and CVEs
One year ago a notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged for the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.
To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.
Bugzilla
CVE-2014-0497 flash-plugin: integer underflow flaw leads to arbitrary code execution (APSB14-04)
bugzilla·2014-02-04·CVSS 9.8
CVE-2014-0497 [CRITICAL] CVE-2014-0497 flash-plugin: integer underflow flaw leads to arbitrary code execution (APSB14-04)
CVE-2014-0497 flash-plugin: integer underflow flaw leads to arbitrary code execution (APSB14-04)
Adobe has released Flash Player 11.2.202.336 for Linux to correct the following flaw:
* These updates resolve an integer underflow vulnerability that could be exploited to execute arbitrary code on the affected system (CVE-2014-0497).
External References:
http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0137 https://rhn.redhat.com/errata/RHSA-2014-0137.html
- http://googlechromereleases.blogspot.com/2014/02/stable-channel-update.html
- http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00006.html
- http://rhn.redhat.com/errata/RHSA-2014-0137.html
- http://secunia.com/advisories/56437
- http://secunia.com/advisories/56737
- http://secunia.com/advisories/56780
- http://secunia.com/advisories/56799
- http://secunia.com/advisories/56839
- http://www.exploit-db.com/exploits/33212
- http://www.osvdb.org/102849
- http://www.securityfocus.com/bid/65327
- http://www.securitytracker.com/id/1029715
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90884
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0497
2014-02-05
Published
2024-09-17
Added to CISA KEV
Exploited in the wild