Adobe Flash Player SWF Content Regular Expression Heap Overflow

Added: 02/21/2013
CVE: CVE-2013-0634
BID: 57788
OSVDB: 89936

Background

Adobe Flash Player is a cross-platform browser plug-in providing visual enhancements for web pages.

Problem

The ActiveX version of Adobe Flash Player on Windows is vulnerable to heap buffer overflow because it does not properly validate user-supplied input when handling regular expressions in Flash (SWF) content. A remote attacker who persuades a user to open a specially crafted Microsoft Word Document containing SWF content could possibly execute arbitrary code in the context of the user.

Resolution

Upgrade to Adobe Flash Player 10.3.183.51 (in the 10.x range) or 11.5.502.149 or higher on Windows systems.

References

http://www.adobe.com/support/security/bulletins/apsb13-04.html

Limitations

This exploit was tested against Adobe Flash Player 11.5.502.146 on Windows XP SP3 English (with DEP OptIn) and Windows 7 SP1 (with DEP OptIn).

The user must open the exploit file in Internet Explorer 8 or 9 on the target.

Platforms

Windows

Back to exploit index