What is Adobe Flash Player?
Adobe Flash Player was a ubiquitous browser plugin and document component that enabled rich multimedia across virtually every platform. At its peak, Flash was installed on over 90% of internet-connected computers, making Flash vulnerabilities among the highest-value targets for attackers. Adobe discontinued Flash Player on December 31, 2020.
Overview
CVE-2012-0754 is a memory corruption vulnerability (CWE-787: out-of-bounds write) in Adobe Flash Player's handling of MP4 file format atoms. Processing a maliciously crafted SWF or MP4 content within Flash Player triggers the out-of-bounds write and allows arbitrary code execution.
The vulnerability was exploited as a zero-day in targeted attacks before Adobe published a patch. Adobe released out-of-band emergency fix APSB12-03 on February 15, 2012, patching both CVE-2012-0754 and the related XSS vulnerability CVE-2012-0767.
Affected Versions
| Component | Vulnerable Versions | Fixed Version |
|---|---|---|
| Adobe Flash Player (Windows, Mac) | 11.1.102.62 and earlier | 11.1.102.55 |
| Adobe Flash Player (Linux) | 11.x prior to APSB12-03 | See APSB12-03 |
| Adobe Flash Player (Android) | 11.x prior to APSB12-03 | See APSB12-03 |
| Adobe AIR | 3.1.0.4880 and earlier | See APSB12-03 |
Technical Details
Flash Player's handling of MP4 (MPEG-4) media atoms contained a parsing flaw — when processing a specially crafted MP4 atom with a malformed size or type field, Flash Player copied attacker-controlled data into a fixed-size buffer without checking bounds (CWE-787: out-of-bounds write). This memory corruption could be leveraged to overwrite adjacent heap structures and achieve reliable code execution.
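The parsing pattern described above, as an added illustration that is not Flash Player's code: a hypothetical MP4 atom-header reader in C that performs the size and destination-capacity checks whose absence produces a CWE-787 out-of-bounds write. The 64-byte fixed destination, the rejection of extended-size atoms and the sample atoms are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* An MP4 atom is a 32-bit big-endian size (covering the 8-byte header itself),
 * a 4-byte type, then the payload. Hypothetical parser, not Flash Player's code. */
#define ATOM_HDR 8
#define PAYLOAD_MAX 64  /* fixed-size destination of the kind CWE-787 overruns */
enum atom_status { ATOM_OK = 0, ATOM_TRUNCATED = -1, ATOM_BAD_SIZE = -2, ATOM_TOO_LARGE = -3 };
struct atom { char type[5]; uint8_t payload[PAYLOAD_MAX]; size_t payload_len; };

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hardened parse: the size taken from the file is checked against what the input
 * holds and against the destination capacity before a single byte is copied.
 * size==0 (to end of file) and size==1 (64-bit size) are legal MP4 but rejected here. */
int parse_atom(const uint8_t *buf, size_t buf_len, struct atom *out) {
    if (buf_len < ATOM_HDR) return ATOM_TRUNCATED;
    uint32_t size = read_be32(buf);
    if (size < ATOM_HDR) return ATOM_BAD_SIZE;            /* header cannot fit inside itself */
    if (size > buf_len) return ATOM_TRUNCATED;             /* claims more bytes than exist */
    size_t payload_len = size - ATOM_HDR;                  /* cannot underflow after the check above */
    if (payload_len > PAYLOAD_MAX) return ATOM_TOO_LARGE;  /* the bound an unchecked copy lacks */
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    memcpy(out->payload, buf + ATOM_HDR, payload_len);
    out->payload_len = payload_len;
    return ATOM_OK;
}

/* Constructed sample inputs, not real file or exploit data. */
static const uint8_t good_atom[] = { 0,0,0,12, 'f','t','y','p', 'i','s','o','m' };
static const uint8_t huge_atom[] = { 0x7F,0xFF,0xFF,0xFF, 'm','d','a','t' }; /* size far beyond input */
static const uint8_t tiny_atom[] = { 0,0,0,4, 'm','o','o','v' };               /* size below header */

int atom_status(const uint8_t *buf, size_t n) { struct atom a; return parse_atom(buf, n, &a); }
int atom_matches(const uint8_t *buf, size_t n, const char *type, size_t plen) {
    struct atom a;
    return parse_atom(buf, n, &a) == ATOM_OK && strcmp(a.type, type) == 0 && a.payload_len == plen;
}
/* Size field and input length agree, but the 65-byte payload exceeds the fixed
 * destination: exactly the case an unchecked memcpy would overrun. */
int oversized_status(void) {
    uint8_t buf[ATOM_HDR + PAYLOAD_MAX + 1];
    uint32_t n = (uint32_t)sizeof buf;
    memset(buf, 'A', sizeof buf);
    buf[0] = (uint8_t)(n >> 24); buf[1] = (uint8_t)(n >> 16);
    buf[2] = (uint8_t)(n >> 8);  buf[3] = (uint8_t)n;
    memcpy(buf + 4, "free", 4);
    return atom_status(buf, sizeof buf);
}
```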
The CVSS 3.1 vector rates Attack Complexity as High (AC:H), which yields a score of 8.1 rather than the 9.8 an otherwise identical low-complexity vector would carry. This reflects that exploitation required overcoming additional conditions, likely a heap spray or a timing-dependent memory arrangement, making the exploit less trivially reliable than some other Flash vulnerabilities, but still practically exploitable by skilled attackers.
Discovery
The vulnerability was discovered through analysis of targeted attacks. Security researchers identified malicious SWF/Flash content in spear-phishing documents targeting human rights organizations and pro-democracy activists in early 2012, and reported the zero-day to Adobe.
Exploitation Context
CVE-2012-0754 was exploited in highly targeted spear-phishing campaigns against human rights activists, journalists, and pro-democracy organizations — a pattern consistent with nation-state threat actors targeting civil society groups. The exploit was delivered via Flash content embedded in Office documents or malicious web pages.
This was one of multiple Flash zero-days exploited in targeted-attack campaigns during 2011–2012, a period when sophisticated threat actors routinely maintained inventories of Flash vulnerabilities for use in precision strikes against specific organizations.
Remediation
Adobe Flash Player reached end-of-life on December 31, 2020. Organizations should:
- Verify Flash Player is completely removed from all endpoints
- Check via Group Policy or endpoint management tools for any remaining installations
- Audit legacy and OT systems that may have preserved Flash for compatibility — replace or air-gap these systems
- Block .swf file execution and delivery at email and web gateways
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2012-0754 |
| Vendor / Product | Adobe — Flash Player |
| NVD Published | 2012-02-16 |
| NVD Last Modified | 2025-11-17 |
| CVSS 3.1 Score | 8.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 |
| CISA KEV Added | 2022-06-08 |
| CISA KEV Deadline | 2022-06-22 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2012-02 | Zero-day exploitation observed in targeted attacks via malicious SWF files embedded in documents |
| 2012-02-15 | Adobe releases APSB12-03 (Flash Player 11.1.102.55) patching CVE-2012-0754 and CVE-2012-0767 |
| 2012-02-16 | CVE-2012-0754 published |
| 2022-06-08 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-06-22 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2012-0754 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Adobe Security Bulletin APSB12-03 | Vendor Advisory |