CVE-2014-0497
published 2014-02-05

Priority: P195 critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2024-10-08
Exploited in the wild
EPSS: 99.88% (100.0th percentile)
Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors.

Affected

16 ranges

Vendor     Product                         Version range                  Fixed in
adobe      flash_player                    < 11.2.202.336                 11.2.202.336
adobe      flash_player                    < 11.7.700.261                 11.7.700.261
adobe      flash_player                    >= 11.8.800.94 < 12.0.0.44     12.0.0.44
google     chrome                          < 32.0.1700.107                32.0.1700.107
opensuse   opensuse
opensuse   opensuse
opensuse   opensuse
redhat     enterprise_linux_desktop
redhat     enterprise_linux_desktop
redhat     enterprise_linux_eus
redhat     enterprise_linux_server
redhat     enterprise_linux_server
redhat     enterprise_linux_server_aus
redhat     enterprise_linux_workstation
redhat     enterprise_linux_workstation
suse       linux_enterprise_desktop

Detection & IOCs (extracted from sources)

filename: Vickers.swf
path: data/exploits/CVE-2014-0497/Vickers.swf
other: {D27CDB6E-AE6D-11cf-96B8-444553540000}
  • The exploit delivers a specially crafted SWF file via HTTP with Content-Type 'application/x-shockwave-flash' and 'Pragma: no-cache' headers; detect HTTP responses serving SWF payloads with these headers to IE clients using the Flash ActiveX CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000}.
  • The exploit targets the ActiveX component of Adobe Flash Player (CLSID D27CDB6E-AE6D-11cf-96B8-444553540000) using the 'LoadMovie' method; monitor for invocation of this method from browser processes.
  • The exploit targets only Internet Explorer on Windows with Flash versions matching /^11\./; scope detection to IE user-agent strings loading SWF content from exploit-served pages.
  • Post-exploitation, the Metasploit module auto-runs 'migrate -f' to migrate the injected process; detect unexpected process migration or spawning from Flash Player (e.g., FlashPlayerPlugin.exe spawning child processes).
  • The exploit was observed in the wild in February 2014 targeting Adobe Flash Player versions before 12.0.0.44 on Windows/Mac and before 11.2.202.336 on Linux; flag any Flash Player process running versions in the targeted range listed in the module comments.
  • The exploit HTML template embeds the SWF via an <object> tag with a randomly named .swf URI; detect browser requests for short random-alpha-named .swf files (4–6 character random alpha filenames) from exploit landing pages.
  • The Metasploit module targets Flash ActiveX (Internet Explorer on Windows only); the in-the-wild exploit may have targeted additional browsers or platforms not covered by this module.
  • The module targets Flash versions matching /^11\./ but the CVE affects versions before 12.0.0.44 (Windows/Mac) and before 11.2.202.336 (Linux); ensure detection coverage includes Flash 12.0.x < 12.0.0.44.
  • Adobe's advisory provided no technical details about the in-the-wild attack vector beyond crediting Kaspersky Lab researchers; the full attack chain may differ from the public Metasploit module.
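
The coverage gap noted above (a rule scoped to /^11\./ versus the full CVE range) can be checked against a software inventory. The following is an added example, not code from this page's sources: the host names and inventory rows are constructed, and accepting the comma-separated version form is an assumption.

```python
import re

# Ranges from this page, as (low_inclusive, high_exclusive); None = no lower bound.
# The platform split follows the CVE description; bounds follow the "Affected" table.
WIN_MAC = [(None, (11, 7, 700, 261)), ((11, 8, 800, 94), (12, 0, 0, 44))]
AFFECTED = {"windows": WIN_MAC, "macos": WIN_MAC, "linux": [(None, (11, 2, 202, 336))]}

# Version filter the page attributes to the public Metasploit module.
MODULE_SCOPE = re.compile(r"^11\.")


def parse_version(text):
    """Parse 'a.b.c.d' (or the comma form 'a,b,c,d') into a tuple of ints."""
    parts = re.split(r"[.,]", text.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform, version_text):
    """True if the version falls inside a listed range for that platform."""
    version = parse_version(version_text)
    return any((low is None or version >= low) and version < high
               for low, high in AFFECTED[platform])


def coverage_gaps(inventory):
    """Hosts inside the CVE range that an 11.x-only rule would not flag."""
    return [host for host, platform, version in inventory
            if is_affected(platform, version) and not MODULE_SCOPE.match(version)]


# Constructed sample inventory: (host, platform, installed Flash version).
INVENTORY = [
    ("ws-01", "windows", "11.7.700.260"),
    ("ws-02", "windows", "12.0.0.38"),
    ("ws-03", "windows", "12.0.0.44"),
    ("mac-01", "macos", "10.3.183.90"),
    ("lx-01", "linux", "11.2.202.335"),
    ("lx-02", "linux", "11.2.202.336"),
]

if __name__ == "__main__":
    for host, platform, version in INVENTORY:
        print(host, platform, version, "AFFECTED" if is_affected(platform, version) else "ok")
    print("missed by 11.x-only scoping:", coverage_gaps(INVENTORY))
```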

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck                 9.8     CRITICAL
cisa                      9.8     CRITICAL
vendor_redhat             9.8     CRITICAL