What is Adobe Flash Player?
Adobe Flash Player was a ubiquitous browser plugin and document component that enabled rich multimedia — animations, video, and interactive applications — across virtually every platform. At its peak, Flash was installed on over 90% of internet-connected computers. This near-universal presence, combined with the complexity of the Flash runtime, made Flash vulnerabilities among the highest-value targets for attackers throughout the 2000s and 2010s.
Overview
CVE-2011-0611 is a type confusion (CWE-843) vulnerability in Adobe Flash Player, and in the Flash component (authplay.dll) bundled with Adobe Reader and Acrobat, that was actively exploited as a zero-day in targeted attacks. The flaw allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption) by delivering specially crafted Flash content, either embedded in Microsoft Word documents or served directly from websites. Adobe confirmed the in-the-wild exploitation in security advisory APSA11-02 and released the out-of-band Flash Player update APSB11-07 in April 2011.
Affected Versions
| Component | Vulnerable Versions | Fixed Version |
|---|---|---|
| Adobe Flash Player (Windows, Macintosh, Linux, Solaris) | 10.2.153.1 and earlier | 10.2.159.1 |
| Adobe Flash Player (bundled with Google Chrome) | 10.2.154.25 and earlier | 10.2.154.27 |
| Adobe Flash Player (Android) | 10.2.156.12 and earlier | 10.2.157.51 |
| Adobe AIR | 2.6.19120 and earlier | 2.6.19140 |
| Adobe Reader and Acrobat 9.x and X (bundled authplay.dll Flash component) | See APSB11-08 | See APSB11-08; Reader X Protected Mode blocked the in-the-wild exploit, and its fix shipped in the June 2011 quarterly update (APSB11-16) |
Technical Details
The vulnerability is a type confusion flaw (CWE-843): the Flash runtime obtains a reference to an object of one type and then operates on it through the field layout of a different type, without re-checking what the object actually is. A field that holds attacker-controlled data in the real type (the bytes of a string, the length of an array) is read as a pointer or a length in the confused type, so the attacker steers a memory access the runtime believes is safe. Because the confused access is deterministic rather than a blind overwrite, bugs of this class tend to yield reliable exploits: the attacker picks the object whose layout supplies the values, and controlled memory corruption follows.
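To make the bug class concrete, here is an added example in C. It is not Flash Player code and does not reconstruct this CVE's specific bug; it models a toy script-engine value that can be a number, a string or an object. The unchecked dispatch trusts that the value is an object and calls through its vtable; when the value is actually a string whose bytes the attacker controls, the string buffer is read as an object, its first word as a vtable pointer, and the first vtable slot as the method to call. The checked version tests the type tag first. The names (value, call_method_unchecked, attacker_function) and the buffer layout are this example's own, and the demo writes real in-process addresses into the fake object where a real exploit would need an information leak.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Toy script-engine value model. It mirrors the shape of CWE-843 only; it is
 * not Flash Player code and makes no claim about CVE-2011-0611's internals. */
enum kind { KIND_NUMBER = 1, KIND_STRING = 2, KIND_OBJECT = 3 };

struct object;
struct vtable {
    int (*method)(struct object *self);   /* first slot: what the runtime calls */
    const char *name;
};
struct object { const struct vtable *vt; };

typedef struct {
    enum kind kind;
    union {
        double         number;
        unsigned char *chars;   /* KIND_STRING: attacker-controlled bytes */
        struct object *obj;     /* KIND_OBJECT: a real runtime object */
    } u;
} value;

static int legit_method(struct object *self) { (void)self; return 1; }
static const struct vtable legit_vt = { legit_method, "LegitClass" };
static struct object legit_obj = { &legit_vt };

/* Stands in for attacker shellcode: if this runs, control flow was hijacked. */
static int attacker_function(struct object *self) { (void)self; return 0x1337; }

/* VULNERABLE (CWE-843): assumes v refers to an object and dispatches through its
 * vtable without checking v->kind. A string's byte buffer is read as an object. */
int call_method_unchecked(value *v) {
    return v->u.obj->vt->method(v->u.obj);
}

/* HARDENED: the type tag is checked before the union member is interpreted. */
int call_method_checked(value *v) {
    if (v->kind != KIND_OBJECT) return -1;   /* type error, no dispatch */
    return v->u.obj->vt->method(v->u.obj);
}

/* Attacker-controlled "string" contents laid out as a fake object: word 0 is a
 * pointer to a fake vtable at word 2, whose first slot is the attacker's function.
 * A real exploit would need these addresses from an info leak; this demo writes
 * the real in-process ones so the confused dispatch can be observed. */
static union { unsigned char bytes[32]; void *align; } attacker_buf;

static value build_attacker_string(void) {
    size_t p = sizeof(void *);
    unsigned char *b = attacker_buf.bytes;
    const struct vtable *fake_vt = (const struct vtable *)(b + 2 * p);
    int (*method)(struct object *) = attacker_function;
    memset(b, 0x41, sizeof attacker_buf.bytes);
    memcpy(b, &fake_vt, sizeof fake_vt);          /* fake object's vt pointer */
    memcpy(b + 2 * p, &method, sizeof method);    /* fake vtable's method slot */
    value v = { KIND_STRING, { .chars = b } };
    return v;
}

/* Confused dispatch: returns 0x1337 because the attacker's function was reached. */
int demo_vulnerable(void) {
    value s = build_attacker_string();
    return call_method_unchecked(&s);
}

/* Same input through the checked path: -1, the string is never treated as an object. */
int demo_hardened(void) {
    value s = build_attacker_string();
    return call_method_checked(&s);
}

/* A genuine object still dispatches normally through the checked path. */
int demo_legit(void) {
    value o = { KIND_OBJECT, { .obj = &legit_obj } };
    return call_method_checked(&o);
}

int main(void) {
    printf("unchecked dispatch on a string value: %#x\n", (unsigned)demo_vulnerable());
    printf("checked dispatch on a string value:   %d\n", demo_hardened());
    printf("checked dispatch on a real object:    %d\n", demo_legit());
    return 0;
}
```

The point of the layout is that nothing is "overwritten": the attacker only fills a buffer the runtime legitimately handed them, and the missing type check does the rest. That is why the fix for this class is a check on the object's actual type at the point of use, not a bounds check on the buffer.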
Attack delivery used two vectors:
- Document-based: malicious Flash content embedded in Word (.doc) files, delivered via spear-phishing
- Web-based: malicious SWF files hosted on attacker-controlled or compromised websites, triggering drive-by downloads when visited in a browser with Flash installed
The network-based CVSS attack vector reflects the web delivery path; user interaction (opening a document or visiting a page) was required in both cases.
Discovery
The vulnerability came to light through analysis of active attacks rather than through coordinated disclosure. Security researchers, including teams at McAfee, identified the in-the-wild exploitation and reported it to Adobe. McAfee documented APT-style spear-phishing campaigns that used this vulnerability against government and defense organizations in March–April 2011.
Exploitation Context
CVE-2011-0611 was exploited by sophisticated threat actors in targeted campaigns against government agencies and defense sector organizations. Attackers used spear-phishing emails with attached Word documents containing embedded malicious Flash content. Successful exploitation granted arbitrary code execution in the context of the victim user.
This CVE was part of a concentrated wave of Flash zero-day activity in early 2011: CVE-2011-0609, exploited through Flash embedded in Excel spreadsheets and patched in March 2011, preceded it by only weeks. The timing points to either a single threat actor holding multiple exploits or parallel campaigns by different groups against the same widely deployed attack surface.
Remediation
Adobe Flash Player reached end-of-life on December 31, 2020. Adobe blocked all Flash content from running as of January 12, 2021, and Microsoft distributed a Windows update (KB4577586) to remove Flash. Organizations should:
- Verify Flash Player is fully removed from all endpoints (Windows, macOS, Linux)
- Check via Group Policy or endpoint management for any remaining Flash installations
- Audit legacy or OT systems that may have preserved Flash — replace or air-gap these
- Block .swf file execution at perimeter and endpoint controls, and note that extension-based blocking alone does not cover the document vector used by this CVE: the SWF lives inside a .doc file and carries no .swf name, so content inspection must look for the SWF file signature (FWS/CWS/ZWS) and for embedded Flash objects in Office files
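The following is an added example in C, not code from the page, Adobe or any vendor, of the content check the last bullet calls for: a scanner that finds SWF headers anywhere in a byte buffer (such as the raw bytes of a .doc attachment) by their 3-byte signature, version byte and little-endian uncompressed length, and applies a few plausibility checks so arbitrary binary data does not match. The sample buffer is constructed for the demo and is not a real malicious document; the function and type names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The fixed 8-byte prefix every SWF file starts with:
 *   3-byte signature: "FWS" (uncompressed), "CWS" (zlib, SWF 6+), "ZWS" (LZMA, SWF 13+)
 *   1-byte SWF version
 *   4-byte little-endian length of the *uncompressed* file */
typedef struct {
    size_t   offset;        /* byte offset of the signature in the scanned buffer */
    char     signature[4];  /* "FWS", "CWS" or "ZWS", NUL-terminated */
    uint8_t  version;
    uint32_t length;        /* uncompressed file length as stated in the header */
} swf_header;

static int is_swf_signature(const uint8_t *p) {
    return (p[0] == 'F' || p[0] == 'C' || p[0] == 'Z') && p[1] == 'W' && p[2] == 'S';
}

/* Scan an arbitrary buffer for embedded SWF headers. Writes up to max_out hits
 * into out[] and returns the total number found. */
size_t find_embedded_swf(const uint8_t *buf, size_t len, swf_header *out, size_t max_out) {
    size_t found = 0;
    for (size_t i = 0; i + 8 <= len; i++) {
        if (!is_swf_signature(buf + i)) continue;
        uint8_t  version = buf[i + 3];
        uint32_t length  = (uint32_t)buf[i + 4]
                         | ((uint32_t)buf[i + 5] << 8)
                         | ((uint32_t)buf[i + 6] << 16)
                         | ((uint32_t)buf[i + 7] << 24);

        /* No SWF version 0 exists; 50 is a generous upper bound for any real file. */
        if (version == 0 || version > 50) continue;
        /* The stated length always covers at least the 8-byte header itself. */
        if (length < 8) continue;
        /* An uncompressed SWF cannot claim more bytes than remain in the buffer. */
        if (buf[i] == 'F' && length > len - i) continue;
        /* A CWS body is a zlib stream whose first byte (CMF) is 0x78 for deflate/32K window. */
        if (buf[i] == 'C' && (i + 9 > len || buf[i + 8] != 0x78)) continue;
        /* LZMA-compressed SWF (ZWS) requires SWF version 13 or later. */
        if (buf[i] == 'Z' && version < 13) continue;

        if (found < max_out) {
            out[found].offset = i;
            memcpy(out[found].signature, buf + i, 3);
            out[found].signature[3] = '\0';
            out[found].version = version;
            out[found].length  = length;
        }
        found++;
        i += 7;  /* skip the rest of this header before resuming the scan */
    }
    return found;
}

/* Constructed sample standing in for a Word document with Flash inside: OLE-like
 * filler, two decoys that carry the signature but fail the checks, a minimal
 * uncompressed SWF, and a zlib-compressed SWF header. Not a real sample. */
static const uint8_t sample_doc[] = {
    0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1, 0x00,0x00,0x00,0x00,   /* offset 0: filler */
    'F','W','S',0xFF, 0x01,0x00,0x00,0x00, 0x00,0x00,               /* offset 12: decoy, bad version */
    'F','W','S',0x0A, 0x0F,0x00,0x00,0x00,                          /* offset 22: SWF v10, length 15 */
    0x00, 0x00,0x0C, 0x01,0x00, 0x00,0x00,                          /*   RECT, 12 fps, 1 frame, End tag */
    'C','W','S',0x0A, 0x20,0x00,0x00,0x00, 0x41,                    /* offset 37: decoy, no zlib header */
    'C','W','S',0x0B, 0x40,0x00,0x00,0x00, 0x78,0x9C, 0x00,0x00,    /* offset 46: SWF v11, zlib body */
    0x00,0x00,0x00,0x00                                             /* offset 58: filler */
};

/* Run the scanner over the constructed sample; used by main() and by tests. */
size_t scan_sample(swf_header *out, size_t max_out) {
    return find_embedded_swf(sample_doc, sizeof sample_doc, out, max_out);
}

int main(void) {
    swf_header hits[8];
    size_t n = scan_sample(hits, 8);
    for (size_t k = 0; k < n; k++)
        printf("SWF at offset %zu: %s version %u, stated length %u bytes\n",
               hits[k].offset, hits[k].signature, (unsigned)hits[k].version,
               (unsigned)hits[k].length);
    return 0;
}
```

In a mail gateway or endpoint control this check would run over every attachment and OLE stream regardless of file extension; a hit in an Office document on an estate that has removed Flash is worth quarantining on its own, since nothing legitimate should be embedding SWF anymore.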
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2011-0611 |
| Vendor / Product | Adobe — Flash Player |
| NVD Published | 2011-04-13 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-843 (Access of Resource Using Incompatible Type, "Type Confusion") |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2011-04-11 | Adobe publishes security advisory APSA11-02 confirming zero-day exploitation in targeted attacks using malicious Flash embedded in Word documents |
| 2011-04-15 | Adobe releases emergency patch APSB11-07 (Flash Player 10.2.159.1) |
| 2011-04-21 | Adobe releases APSB11-08 for Adobe Reader and Acrobat 9.x and Acrobat X (authplay.dll Flash component) |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2011-0611 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Adobe Security Advisory APSA11-02 | Vendor Advisory |
| Adobe Security Bulletin APSB11-07 | Vendor Advisory |
| Adobe Security Bulletin APSB11-08 (Reader and Acrobat) | Vendor Advisory |