CVE-2011-0609
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
Unspecified vulnerability in Adobe Flash Player 10.2.154.13 and earlier on Windows, Mac OS X, Linux, and Solaris; 10.1.106.16 and earlier on Android; Adobe AIR 2.5.1 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.2 and 10.x through 10.0.1 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, as demonstrated by a .swf file embedded in an Excel spreadsheet, and as exploited in the wild in March 2011.
Analysis
Adobe Flash Player 10.2 and earlier, across all platforms, contains an unspecified vulnerability that allows remote code execution. It was exploited in the wild via Flash content embedded in Microsoft Office documents and web pages.
Technical Context
The vulnerability in Flash Player's SWF processing engine allows attackers to achieve arbitrary code execution. The Authplay.dll/AuthPlayLib.bundle component extends the attack surface to PDF documents, since Adobe Reader renders embedded Flash content.
Affected Products
- Adobe Flash Player 10.2.154.13 and earlier (Windows/Mac/Linux/Solaris)
- Adobe Flash Player 10.1.106.16 and earlier (Android)
- Adobe AIR 2.5.1 and earlier
- Authplay.dll in Adobe Reader/Acrobat 9.x/10.x
Remediation
Flash Player has reached end of life. Remove all Flash Player installations. Ensure browsers block Flash content. Use PDF readers that don't support Flash embedding.