CVE-2011-0611
CVE-2011-0611
In short
Adobe Flash Player and Reader contain a flaw that lets attackers run malicious code or crash the application by sending specially crafted Flash content, often hidden in Office documents or web pages.
Technical detail
Type confusion vulnerability in Flash Player's handling of grouped constants allows remote code execution or denial of service. Attack vector involves crafted .swf files with size inconsistencies and prototype pollution via ActionScript; successful exploitation requires user interaction (opening document/visiting webpage) and results in arbitrary code execution in the context of the Flash process.
Summary generated and translated by AI from the official description.
Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a "group of included constants," object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
n/a · n/apublic PoCs found — 3
cve_referencewww.exploit-db.com/exploits/17175unverifiedexploitdbwww.exploit-db.com/exploits/17473unverifiedexploitdbwww.exploit-db.com/exploits/17175unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspxhttp://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.htmlhttp://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.htmlhttp://googlechromereleases.blogspot.com/2011/04/stable-channel-update.htmlhttp://lists.opensuse.org/opensuse-security-announce/2011-04/msg00004.htmlhttp://secunia.com/advisories/44119http://secunia.com/advisories/44141http://secunia.com/advisories/44149http://secunia.com/blog/210/http://securityreason.com/securityalert/8204http://securityreason.com/securityalert/8292https://exchange.xforce.ibmcloud.com/vulnerabilities/66681