V-100: Adobe Flash Player Bugs Let Remote Users Execute Arbitrary Code

February 27, 2013 - 12:35am

PROBLEM:

Adobe Flash Player Bugs Let Remote Users Execute Arbitrary Code

PLATFORM:

Adobe Flash Player prior to 11.6.602.171

ABSTRACT:

Several vulnerabilities were reported in Adobe Flash Player.

REFERENCE LINKS:

Adobe Vulnerability identifier: APSB13-08
SecurityTracker Alert ID: 1028210
CVE-2013-0504
CVE-2013-0643
CVE-2013-0648

IMPACT ASSESSMENT:

High

DISCUSSION:

A remote user can create specially crafted Flash content that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.

A buffer overflow may occur in the Flash Player broker service [CVE-2013-0504]. Mark Yason of IBM X-Force reported this vulnerability.

A permission error may occur in the Flash Player Firefox sandbox [CVE-2013-0643].

A flaw may occur in the ExternalInterface ActionScript feature [CVE-2013-0648].

The latter two flaws are being actively exploited against Mozilla Firefox.

IMPACT:

A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

SOLUTION:

The vendor has issued a fix.
