CVE-2012-1535
Published: 15 August 2012
Summary
CVE-2012-1535 is a high-severity Improper Input Validation (CWE-20) vulnerability in Adobe Flash Player. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2012-1535 is an unspecified vulnerability affecting Adobe Flash Player versions before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux. It stems from flaws in input validation and code generation (CWE-20 and CWE-94) when processing SWF content, enabling memory corruption that can be triggered by malformed files.
Remote attackers can exploit the issue by serving crafted SWF content to victims, achieving arbitrary code execution or denial of service through an application crash. The vulnerability was observed in active exploitation in August 2012, where attackers embedded malicious SWF data inside a Microsoft Word document to target end users who opened the file with an affected Flash Player installed.
Advisories from vendors including openSUSE, Red Hat, and Gentoo direct administrators to apply the corresponding Flash Player updates referenced in their security announcements (such as RHSA-2012-1203) to eliminate the exposure. The flaw received a CVSS 3.1 score of 7.8, reflecting its local attack vector combined with high impact on confidentiality, integrity, and availability when successfully triggered by a user opening untrusted content.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2012-1553
Vulnerability details
Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content, as exploited…
more
in the wild in August 2012 with SWF content in a Word document.
- CWE(s)
- KEV Date Added
- 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of vendor patches that eliminate the Flash Player input-validation flaw before crafted SWF content can be processed.
Requires defining and enforcing usage restrictions and security controls for mobile code (Flash SWF) that can execute arbitrary code when opened in documents.
Mandates malicious-code protection mechanisms that can block or detect exploit-laden SWF content delivered via e-mail or documents.