PROBLEM:
Adobe Flash Player Bugs Let Remote Users Execute Arbitrary Code
PLATFORM:
Adobe Flash Player prior to 11.6.602.171
ABSTRACT:
Several vulnerabilities were reported in Adobe Flash Player.
REFERENCE LINKS:
Adobe Vulnerability identifier: APSB13-08
SecurityTracker Alert ID: 1028210
CVE-2013-0504
CVE-2013-0643
CVE-2013-0648
IMPACT ASSESSMENT:
High
DISCUSSION:
A remote user can create specially crafted Flash content that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.
A buffer overflow may occur in the Flash Player broker service [CVE-2013-0504]. Mark Yason of IBM X-Force reported this vulnerability.
A permission error may occur in the Flash Player Firefox sandbox [CVE-2013-0643].
A flaw may occur in the ExternalInterface ActionScript feature [CVE-2013-0648].
The latter two flaws are being actively exploited against Mozilla Firefox.
IMPACT:
A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.