CVE-2014-9163
published 2014-12-10CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux…
PriorityP180high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2022-05-04
Exploited in the wild
EPSS
20.36%
97.2th percentile
Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | flash_player | >= 11.0 < 11.2.202.425 | 11.2.202.425 |
| adobe | flash_player | >= 13.0 < 13.0.0.259 | 13.0.0.259 |
| adobe | flash_player | 14.0 – 14.0.0.179 | — |
| adobe | flash_player | >= 15.0 < 15.0.0.246 | 15.0.0.246 |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2014-9163 was actively exploited in the wild in December 2014; any Adobe Flash Player process running versions before 13.0.0.259, before 15.0.0.246 (14.x/15.x on Windows/OS X), or before 11.2.202.425 (Linux) should be flagged as vulnerable and potentially exploited. ↗
- →Adobe confirmed an in-the-wild exploit for CVE-2014-9163 existed at the time of the December 2014 patch release; prioritize detection of unpatched Flash Player instances (below v16.0.0.235 on Windows/Mac) in network telemetry from that period. ↗
- →The vulnerability class is a stack-based buffer overflow in Flash Player; monitor for crash telemetry or abnormal stack activity originating from flash-plugin or Flash Player processes, particularly on Linux systems running versions prior to 11.2.202.425. ↗
- ·Adobe Flash Player is end-of-life; if still present in any environment it should be treated as an unacceptable risk and disconnected rather than patched. ↗
- ·The exploit vector is described only as 'unspecified vectors' in all authoritative sources; no specific file, URL, or network indicator was publicly disclosed, limiting precise IOC-based detection. ↗
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
osv7.8HIGH
vulncheck7.8HIGH
cisa7.8HIGH
vendor_redhat7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-5ppv-vhvv-pxhh: Stack-based buffer overflow in Adobe Flash Player before 13
ghsa_unreviewed·2022-05-14
CVE-2014-9163 [HIGH] CWE-121 GHSA-5ppv-vhvv-pxhh: Stack-based buffer overflow in Adobe Flash Player before 13
Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.
OSV
CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13
osv·2014-12-10·CVSS 7.8
CVE-2014-9163 [HIGH] CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13
Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.
VulnCheck
Adobe Flash Player Stack-Based Buffer Overflow Vulnerability
vulncheck·2014·CVSS 7.8
CVE-2014-9163 [HIGH] Adobe Flash Player Stack-Based Buffer Overflow Vulnerability
Adobe Flash Player Stack-Based Buffer Overflow Vulnerability
Stack-based buffer overflow in Adobe Flash Player allows attackers to execute code remotely.
Affected: Adobe Flash Player
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cve.org/CVERecord?id=CVE-2014-9163; https://web.archive.org/web/20150213004519/http://www.isightpartners.com/2015/02/codoso/; https://www.scribd.com/document/516749423/inzimam-2019-ijca-919742; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-04
CISA
Adobe Flash Player Stack-Based Buffer Overflow Vulnerability
cisa·2022-04-13·CVSS 7.8
CVE-2014-9163 [HIGH] Adobe Flash Player Stack-Based Buffer Overflow Vulnerability
Vulnerability: Adobe Flash Player Stack-Based Buffer Overflow Vulnerability
Affected: Adobe Flash Player
Stack-based buffer overflow in Adobe Flash Player allows attackers to execute code remotely.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-9163
Remediation Due Date: 2022-05-04
Red Hat
flash-plugin: Multiple code-execution flaws (APSB14-27)
vendor_redhat·2014-12-09·CVSS 7.8
CVE-2014-9163 [HIGH] flash-plugin: Multiple code-execution flaws (APSB14-27)
flash-plugin: Multiple code-execution flaws (APSB14-27)
Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-0587 CVE-2014-9164 CVE-2014-8443 CVE-2014-9163 flash-plugin: Multiple code-execution flaws (APSB14-27)
bugzilla·2014-12-10·CVSS 10.0
CVE-2014-0587 [CRITICAL] CVE-2014-0587 CVE-2014-9164 CVE-2014-8443 CVE-2014-9163 flash-plugin: Multiple code-execution flaws (APSB14-27)
CVE-2014-0587 CVE-2014-9164 CVE-2014-8443 CVE-2014-9163 flash-plugin: Multiple code-execution flaws (APSB14-27)
Adobe has released Flash Player 11.2.202.425 for Linux to correct the following flaws:
* These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-0587, CVE-2014-9164).
* These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2014-8443).
* These updates resolve a stack-based buffer overflow vulnerability that could lead to code execution (CVE-2014-9163).
External References:
https://helpx.adobe.com/security/products/flash-player/apsb14-27.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise L
Krebs
Microsoft, Adobe Push Critical Security Fixes
blogs_krebs·2014-12-10·CVSS 7.8
[HIGH] Microsoft, Adobe Push Critical Security Fixes
If you use Microsoft or Adobe software products, chances are that software is now dangerously out of date. Microsoft today released seven update bundles to fix two dozen security vulnerabilities in Windows and supported software. Adobe pushed patches to correct critical flaws in Acrobat, Reader and Flash Player, including a bug in Flash that already is being exploited.
Four of the seven updates from Microsoft earned a “critical” rating, which means the patches on fix vulnerabilities that can be exploited by malware or attackers to seize control over vulnerable systems without any help from users (save for perhaps visiting a hacked or malicious Web site). One of those critical patches — for Internet Explorer — plugs at least 14 holes in the default Windows browser.
Another critical patch
Krebs
Microsoft, Adobe Push Critical Security Fixes – Krebs on Security
blogs_krebs·2014-12-01·CVSS 7.8
[HIGH] Microsoft, Adobe Push Critical Security Fixes – Krebs on Security
If you use Microsoft or Adobe software products, chances are that software is now dangerously out of date. Microsoft today released seven update bundles to fix two dozen security vulnerabilities in Windows and supported software. Adobe pushed patches to correct critical flaws in Acrobat , Reader and Flash Player , including a bug in Flash that already is being exploited.
Four of the seven updates from Microsoft earned a “critical” rating, which means the patches on fix vulnerabilities that can be exploited by malware or attackers to seize control over vulnerable systems without any help from users (save for perhaps visiting a hacked or malicious Web site). One of those critical patches — for Internet Explorer — plugs at least 14 holes in the default Windows browser.
Another critical patc
2014-12-10
Published
2022-04-13
Added to CISA KEV
Exploited in the wild