SAINT CorporationSAINT:F5ECD4DFD76367D63AB657950643ECE3Adobe Flash Player MP4 Sequence Parameter Set Processing
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.894 High
EPSS
Percentile
98.5%
Added: 02/09/2012
CVE: CVE-2011-2140
BID: 49083
OSVDB: 74439
Background
Adobe Flash Player is a cross-platform browser plug-in providing visual enhancements for web pages.
Problem
The Adobe Flash Player **Sub_1005B396** function allows command execution when a user opens a specially crafted .swf file. The specific vulnerability is triggered when processing data units in the MP4 Sequence Parameter Set.
Resolution
Upgrade the installed version of Adobe Flash Player as described in Adobe Security Bulletin APSB11-21.
References
<http://www.adobe.com/support/security/bulletins/apsb11-21.html>
<http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/>
Limitations
This exploit was tested against Adobe Systems Flash Player 10.3.181.34 on Microsoft Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).
The target host must have JRE 1.6.x installed.
The user must open the exploit page using Internet Explorer 7, 8, or 9.
Platforms
Windows
Related
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.894 High
EPSS
Percentile
98.5%