CVE-2011-0611
Published: 13 April 2011
Summary
CVE-2011-0611 is a high-severity type confusion (CWE-843) vulnerability in Apple Mac OS X. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2011-0611 is a type confusion vulnerability (CWE-843) in the handling of Flash content that manifests through a size inconsistency in a "group of included constants," custom ActionScript prototype modifications, and improper Date object processing. It affects Adobe Flash Player versions before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris (and 10.2.156.12 and earlier on Android), Adobe AIR before 2.6.19140, and the Authplay.dll/AuthPlayLib.bundle component in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows as well as corresponding versions of Reader and Acrobat on Mac OS X.
Remote attackers can exploit the flaw by delivering crafted .swf content, including Microsoft Office documents containing embedded Flash objects, to trigger arbitrary code execution or an application crash. Successful exploitation grants the attacker the ability to run code in the context of the affected process without requiring authentication beyond normal user interaction such as opening a malicious document or viewing a web page.
Publicly available analyses and vendor bulletins from April 2011 document in-the-wild exploitation and recommend immediate application of the vendor-supplied updates that raise Flash Player, AIR, Reader, and Acrobat to the fixed versions listed in the CVE description. Several distributions and browser vendors also issued coordinated advisories to accelerate patching or temporarily restrict Flash execution.
The vulnerability was actively exploited in April 2011, with multiple public write-ups detailing weaponized samples that combined the type confusion primitive with ROP chains to achieve reliable code execution.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2011-0629
Vulnerability details
Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a "group of included constants," object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011.
- CWE(s): CWE-843 (Type Confusion)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the vendor patches that eliminate the type confusion flaw in Flash Player, AIR, Reader, and Acrobat.
- SC-18 (Mobile Code): explicitly governs the use and execution of mobile code such as Flash (.swf) content, enabling the attack vector to be blocked or restricted.
- SI-3 (Malicious Code Protection): deploys malicious-code detection mechanisms that can identify and block weaponized .swf files before or during processing.
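As an added defensive illustration of the SC-18 and SI-3 controls above (example code written for this page, not from Adobe, NIST, or the advisory's source), a small Python scanner that finds SWF headers embedded at any offset in a file, such as an Office document carrying a Flash object, so the file can be quarantined before a Flash-capable reader processes it. The container layout and the SWF body in the sample are constructed for the example and are not a real exploit document.

```python
import struct
import zlib
from dataclasses import dataclass

# An SWF file begins with a 3-byte signature ("FWS" = uncompressed, "CWS" = zlib-
# compressed, "ZWS" = LZMA-compressed), a 1-byte version and a 4-byte little-endian
# uncompressed length of the whole file. Scanning for that header is enough to flag
# Flash content hidden inside another container such as an Office document.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
HEADER_LEN = 8
MAX_PLAUSIBLE_VERSION = 64  # real Flash versions stopped well below this

@dataclass
class SwfHit:
    offset: int
    signature: str
    version: int
    declared_length: int

def _zlib_body_ok(blob: bytes, pos: int) -> bool:
    """For CWS hits, confirm the bytes after the header start a zlib stream."""
    try:
        zlib.decompressobj().decompress(blob[pos + HEADER_LEN:pos + HEADER_LEN + 64])
        return True
    except zlib.error:
        return False

def find_embedded_swf(blob: bytes) -> list[SwfHit]:
    """Return every plausible SWF header found at any offset in blob."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = blob.find(sig)
        while pos != -1 and pos + HEADER_LEN <= len(blob):
            version = blob[pos + 3]
            (length,) = struct.unpack_from("<I", blob, pos + 4)
            # Reject text that merely happens to contain the letters: require a
            # plausible version and a declared length at least as long as the header.
            plausible = 1 <= version <= MAX_PLAUSIBLE_VERSION and length >= HEADER_LEN
            if plausible and (sig != b"CWS" or _zlib_body_ok(blob, pos)):
                hits.append(SwfHit(pos, sig.decode("ascii"), version, length))
            pos = blob.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h.offset)

def build_sample_container() -> bytes:
    """Constructed sample: filler bytes with one zlib-compressed SWF (CWS) embedded."""
    body = b"A" * 40  # stands in for the tag stream; constructed, not a real SWF body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", HEADER_LEN + len(body)) + zlib.compress(body)
    return b"OFFICE-CONTAINER-PREAMBLE" + b"\x00" * 16 + cws + b"TRAILER"
```

A gateway or mail filter applying SC-18 would reject or quarantine any input for which find_embedded_swf returns a non-empty list.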