Zero-day vulnerability in Adobe Flash Player

Buffer overflow

A sample of the first exploit was detected on April 14, while a sample of the second came on April 16. The first exploit was initially recorded by KSN on April 9, when it was detected by a generic heuristic signature.

The disclosed vulnerability was actively exploited and relates to attack via the website of Syrian Ministry of Justice in September, 2013.

Known malware:


Vulnerability details

Advisory: SB2014040901 - Remote code execution in Adobe Flash Player

Vulnerable component: Adobe Flash Player

CVE-ID: CVE-2014-0515

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to buffer overflow, caused by improper bounds checking by the pixel bender component. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Known APT campaigns:

Animal Farm targeting multiple users in Syria

The APT group allegedly of European origin has conducted a watering-hole attack in Syria. According to the report of Kaspersly Lab, the group deployed the Casper Trojan via Adobe Flash Player zero-day vulnerability CVE-2014-0515.

Public Exploits: