CVE-2014-0515
Published 2014-04-29
Priority: P1 · 85 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 94.57% (99.8th percentile)
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | flash_player | >= 11.0 < 11.2.202.346 | 11.2.202.346 |
| adobe | flash_player | >= 11.0 < 11.7.700.279 | 11.7.700.279 |
| adobe | flash_player | >= 11.8 < 13.0.0.206 | 13.0.0.206 |
Detection & IOCs
- Snort SID 30876
- Snort SID 30877
- Snort SIDs 31229-31232
- CVE-2014-0515 exploits were delivered via SWF files with short/simple names (e.g., n3.swf, nu.swf, 1.swf, 2.swf) under the /modules/ URI path in the Bleeding Life exploit kit; monitor HTTP requests matching this pattern.
- Bleeding Life landing page URI pattern uses /load_module.php?user= with values n1, 1, 2, or 11; regex user=(n1|11?|2) can be used for detection.
- The CVE-2014-0515 Flash exploit (n3.swf hash) was shared between the Bleeding Life and Nuclear exploit kits; detections for one kit may apply to the other.
- Nuclear exploit kit delivered CVE-2014-0515 alongside CVE-2012-0507 (JAR) and Exploit.PDF-JS (PDF); correlate multi-stage downloads of SWF+JAR+PDF from the same host as a strong indicator of Nuclear EK activity.
- Win32/Zemot was the payload dropped after successful CVE-2014-0515 exploitation in the Nuclear EK campaign; hunt for the associated EXE hash on endpoints.
- The Bleeding Life exploit kit hosting domains listed were observed over a 30-day window at time of reporting; they may no longer be active or may have rotated.
- The CVE-2014-0515 exploits targeted Windows Flash Player users specifically; Linux and Mac users were also affected per the advisory but active in-the-wild exploitation was Windows-focused.
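The URI checks and the SWF+JAR+PDF correlation from the list above, run over a constructed proxy log, as an added example that is not taken from the cited sources. The log format, the host names and the reading of "short/simple names" as one or two characters are assumptions, and the landing-page regex is anchored more tightly than the one quoted.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Landing-page values from the list above: user= n1, 1, 2 or 11. The quoted
# regex is user=(n1|11?|2); the anchors are added here so user=1234 is ignored.
LANDING_RE = re.compile(r"(?:^|&)user=(?:n1|11?|2)(?=&|$)")
# Assumption: a "short/simple" name is a 1-2 character alphanumeric basename.
SHORT_SWF_RE = re.compile(r"/modules/[A-Za-z0-9]{1,2}\.swf$", re.IGNORECASE)
# File types the Nuclear EK item says to correlate on a single host.
NUCLEAR_TYPES = {"swf", "jar", "pdf"}

# Constructed sample log, one "client_ip url" pair per line (format assumed).
SAMPLE_LOG = """\
10.0.0.5 http://ek.example/load_module.php?user=n1
10.0.0.5 http://ek.example/modules/n3.swf
10.0.0.7 http://shop.example/load_module.php?user=1234
10.0.0.7 http://shop.example/modules/gallery.swf
10.0.0.9 http://nek.example/a/b.swf
10.0.0.9 http://nek.example/a/c.jar
10.0.0.9 http://nek.example/a/d.pdf
10.0.0.8 http://cdn.example/player.swf
"""


def scan(log_text):
    """Return (rule, client, host) tuples in the order the rules fire."""
    findings = []
    seen = defaultdict(set)  # (client, host) -> file types fetched so far
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # skip blank or malformed lines
        client, url = fields
        parts = urlsplit(url)
        host, path = parts.hostname or "", parts.path
        # Bleeding Life landing page: /load_module.php?user=<n1|1|2|11>
        if path.endswith("/load_module.php") and LANDING_RE.search(parts.query):
            findings.append(("bleeding_life_landing", client, host))
        # Bleeding Life exploit delivery: short-named SWF under /modules/
        if SHORT_SWF_RE.search(path):
            findings.append(("bleeding_life_swf", client, host))
        # Nuclear EK: the same client pulls SWF, JAR and PDF from one host
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in NUCLEAR_TYPES:
            types = seen[(client, host)]
            if ext not in types:
                types.add(ext)
                if types == NUCLEAR_TYPES:  # fires once, when the set completes
                    findings.append(("swf_jar_pdf_same_host", client, host))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The correlation rule is keyed on client and host without a time window; on real proxy data a window would be needed to keep long-lived hosts from accumulating all three types by chance.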
CVSS provenance
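| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 10.0 | CRITICAL | |
| vendor_redhat | | 10.0 | CRITICAL | |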
Red Hat
flash-plugin: buffer overflow vulnerability leads to arbitrary code execution (APSB14-13)
vendor_redhat·2014-04-28·CVSS 10.0
CVE-2014-0515 [CRITICAL] flash-plugin: buffer overflow vulnerability leads to arbitrary code execution (APSB14-13)
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.
VulDB
Adobe Flash Player up to 13.0.0.201 Pixel Bender memory corruption (APSB14-13 / EDB-33333)
vuldb·2026-05-12·CVSS 10.0
CVE-2014-0515 [CRITICAL] Adobe Flash Player up to 13.0.0.201 Pixel Bender memory corruption (APSB14-13 / EDB-33333)
A vulnerability categorized as very critical has been discovered in Adobe Flash Player up to 13.0.0.201. Impacted is an unknown function of the component Pixel Bender. Executing a manipulation can lead to memory corruption.
The identification of this vulnerability is CVE-2014-0515. The attack may be launched remotely. Furthermore, there is an exploit available. This vulnerability is historically impactful due to its background and the reception it garnered.
A worm is spreading and is exploiting this vulnerability automatically.
It is advisable to upgrade the affected component.
GHSA
GHSA-77rc-jc7q-8wrw: Buffer overflow in Adobe Flash Player before 11
ghsa_unreviewed·2022-05-14
CVE-2014-0515 [HIGH] CWE-119 GHSA-77rc-jc7q-8wrw: Buffer overflow in Adobe Flash Player before 11
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.
VulnCheck
Adobe Flash Player Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2014·CVSS 10.0
CVE-2014-0515 [CRITICAL] Adobe Flash Player Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.
Affected: Adobe Flash Player
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2014-0515; https://unit42.paloaltonetworks.com/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/; https://www.fireeye.com/b
Suricata
ET HUNTING SUSPICIOUS Crystalize Filter in Uncompressed Flash
suricata·2014-04-28
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Crystalize Filter in Uncompressed Flash"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file.data; content:"Crystallize -filter"; content:"|41 41 41 41|"; distance:0; reference:url,www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks; classtype:trojan-activity; sid:2018428; rev:3; metadata:created_at 2014_04_28, confidence Medium, signature_severity Major, updated_at 2024_03_13;)
Exploit-DB
Adobe Flash Player - Shader Buffer Overflow (Metasploit)
exploitdb·2014-05-12
CVE-2014-0515 Adobe Flash Player - Shader Buffer Overflow (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "Adobe Flash Player Shader Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
vulnerability occurs in the flash.Display.Shader class, when setting specially
crafted data as its bytecode, as exploited in the wild in April 2014. This module
has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over
Windows XP SP3, Windows 7 SP1 and Windows 8.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability discovery and exploit in the wild
'juan vazquez' # msf module
Metasploit
Adobe Flash Player Shader Buffer Overflow
metasploit
This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on the following operating systems and Flash versions: Windows 7 SP1, IE 8 to IE 11 with Flash 13.0.0.182, Windows 7 SP1, Firefox 38.0.5, Flash 11.7.700.275 and Adobe Flash 13.0.0.182, Windows 8.1, Firefox 38.0.5 and Adobe Flash 13.0.0.182, Linux Mint "Rebecca" (32 bit), Firefox 33.0 and Adobe Flash 11.2.202.350
Securelist
How Security Products are Tested – Part 1
blogs_securelist·2017-02-27
Authors
- Vyacheslav Zakorzhevsky
## Methodologies and the main players
The demand for tests appeared almost simultaneously with the development of the first antivirus programs – in the mid-to-late 1990s. Demand created supply: test labs at computer magazines started to measure the effectiveness of security solutions with the help of self-made methodologies, and later an industry of specialized companies emerged with a more comprehensive approach to testing methods.
The first primitive tests scanning huge collections of malicious and supposedly malicious files taken from everywhere were rightfully criticized first and foremost by the vendors. Such tests were chara
Zscaler
Bad Actors On GMHOST Alexander Mulgin Serginovic | Zscaler
blogs_zscaler·2016-01-12·CVSS 9.8
[CRITICAL] Bad Actors On GMHOST Alexander Mulgin Serginovic | Zscaler
Talos
Evolution of the Nuclear Exploit Kit
blogs_talos·2014-10-09
This post is co-authored by Alex Chiu, Martin Lee, Emmanuel Tacheau, and Angel Villegas.
Exploit kits remain an efficient mechanism for cyber criminals to distribute malware. Such kits include exploits for multiple vulnerabilities within a single malicious webpage. Criminals can check operating systems, web browsers and browser plugins for anything that is not fully patched and launch an exploit specific to the out of date software. Using this technique criminals can maximise their chances of infecting visitors but reduce their exposure to only infect those who are vulnerable; presumably in order to remain inconspicuous.
We have previously written about the Rig, Angler and Styx exploit kits and how they are a serious threat if machines with vulnerable third-party software are left un
Zscaler
Nuclear Exploit Kit And Flash CVE-2014-0515 | Zscaler
blogs_zscaler·2014-09-05·CVSS 9.8
[CRITICAL] Nuclear Exploit Kit And Flash CVE-2014-0515 | Zscaler
Talos
The never ending Exploit Kit shift - Bleeding Life
blogs_talos·2014-06-12·CVSS 9.8
[CRITICAL] The never ending Exploit Kit shift - Bleeding Life
Recently we've been able to observe several shifts in exploit kit techniques, so I thought it would be good to share the IOC information for the exploit kits so that administrators and network defenders can take a look at their devices and logs to remediate on their networks.
## Bleeding Life
Bleeding life, traditionally, was not one of the more subtle exploit kits.
In the past, the exploit kit would attempt to get the exploits through fairly obvious URI methods. For example:
"/load_module.php?e=Adobe-2010-2884"
"/load_module.php?e=Java-2010-3552"
"/modules/helpers/Java-2010-0842.jar"
The URI would be explicit about which vulnerability the kit was going to download and run on the client. However, as of the beginning of May, subtlety increased slightly, as we've seen a shift in th
Krebs
Adobe Update Nixes Flash Player Zero Day
blogs_krebs·2014-05-28·CVSS 10.0
[CRITICAL] Adobe Update Nixes Flash Player Zero Day
Adobe Systems Inc. has shipped an emergency security update to fix a critical flaw in its Flash Player software that is currently being exploited in active attacks. The exploits so far appear to target Microsoft Windows users, but updates also are available for Mac and Linux versions of Flash.
The Flash update brings the media player to v. 13.0.0.206 on Windows and Mac systems, and v. 11.2.202.356 for Linux users. To see which version of Flash you have installed, check this link.
IE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser.
The most recent versions of Flash are available from the Adobe download center, but beware potentially unw
Talos
Internet Explorer & Adobe Flash 0-Day Coverage
blogs_talos·2014-04-29·CVSS 10.0
CVE-2014-1776 [CRITICAL] Internet Explorer & Adobe Flash 0-Day Coverage
Recently several "0day" releases have come out in the security world, and the VRT has released coverage for two critical vulnerabilities, so we wanted to notify you of this coverage so you can use the SIDs to protect your environment.
Microsoft Internet Explorer 0day CVE-2014-1776.
SIDs 30794 & 30803
https://technet.microsoft.com/en-US/library/security/2963983
Adobe Flash 0day CVE-2014-0515
SIDs 30876 & 30877
http://helpx.adobe.com/security/products/flash-player/apsb14-13.html
Coverage for both of these vulnerabilities was released yesterday, April 28, 2014. The latest rule pack will provide the updates for both of these vulnerabilities.
http://blog.snort.org/2014/04/sourcefire-vrt-certified-snort-rules_7339.html
http://blog.snort.org/2014/04/sourcefire-vrt-certified-snort-rules_28.ht
Zscaler
Zscaler discovers Flash Player Vulnerabilities | 04-28-2014
blogs_zscaler·CVSS 10.0
[CRITICAL] Zscaler discovers Flash Player Vulnerabilities | 04-28-2014
Recorded Future
Tracking Moving Targets: Exploit Kits and CVEs
blogs_recorded_future
One year ago a notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged for the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.
To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.
Bugzilla
CVE-2014-0515 flash-plugin: buffer overflow vulnerability leads to arbitrary code execution (APSB14-13)
bugzilla·2014-04-28·CVSS 10.0
CVE-2014-0515 [CRITICAL] CVE-2014-0515 flash-plugin: buffer overflow vulnerability leads to arbitrary code execution (APSB14-13)
Adobe has released Flash Player 11.2.202.356 for Linux to correct the following flaw:
* These updates resolve a buffer overflow vulnerability that could result in arbitrary code execution (CVE-2014-0515).
External References:
http://helpx.adobe.com/security/products/flash-player/apsb14-13.html
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0447 https://rhn.redhat.com/errata/RHSA-2014-0447.html
- http://helpx.adobe.com/security/products/flash-player/apsb14-13.html
- http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00001.html
- http://rhn.redhat.com/errata/RHSA-2014-0447.html
- http://security.gentoo.org/glsa/glsa-201405-04.xml
- http://www.securityfocus.com/bid/67092
- http://www.securitytracker.com/id/1030155
2014-04-29
Published
Exploited in the wild