CVE-2012-0767 — Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability

Adobe Flash Player — Universal XSS via Flash Plugin Enables Same-Origin Policy Bypass on Any Flash-Hosting Site

What is Adobe Flash Player?

Adobe Flash Player was a ubiquitous browser plugin that enabled rich multimedia across virtually every platform. Because Flash runs embedded within web pages from any domain, it occupies a unique position in the browser's trust model — a Flash-based cross-site scripting (XSS) flaw can be exploited against any site that hosts Flash content, making it a "universal XSS" that bypasses the same-origin policy. Adobe discontinued Flash Player on December 31, 2020.

Overview

CVE-2012-0767 is a cross-site scripting (XSS) vulnerability (CWE-79) in Adobe Flash Player. The flaw allows an attacker to inject and execute malicious JavaScript in the context of any website that hosts Flash content. Because Flash Player is a browser plugin that runs within the trust context of the page that loaded it, an XSS in Flash can effectively be a same-origin policy (SOP) bypass — the malicious script executes with the privileges of the hosting domain, not the attacker's domain.

Adobe patched this in APSB12-03 (February 15, 2012), the same bulletin that fixed the memory corruption vulnerability CVE-2012-0754.

Affected Versions

Component | Vulnerable Versions | Fixed Version
Adobe Flash Player (Windows, Mac) | 11.1.102.62 and earlier | 11.1.102.55
Adobe Flash Player (Linux) | Prior to APSB12-03 | See APSB12-03
Adobe Flash Player (Android) | Prior to APSB12-03 | See APSB12-03
Adobe AIR | 3.1.0.4880 and earlier | See APSB12-03

Technical Details

Flash Player XSS vulnerabilities arise when Flash content (SWF files) can be made to execute attacker-supplied JavaScript in the browser context of the page hosting the Flash object. This is typically possible through:

  • Reflected XSS via Flash parameters: Flash objects can accept parameters (FlashVars) that, if not sanitized, can be used to inject HTML/JavaScript into the page
  • Cross-domain script injection: Flash's ExternalInterface.call() method can invoke JavaScript in the hosting page; if the SWF does not properly validate input before making this call, an attacker can inject script

The CVSS Scope value "Changed" (S:C) reflects that the impact extends beyond Flash Player itself to the browser context: the attacker can execute JavaScript in the origin of any site that hosts Flash, potentially stealing cookies or session tokens, or performing actions on behalf of the victim user.

Discovery

The vulnerability was discovered alongside CVE-2012-0754 through security research and was included in the same emergency APSB12-03 advisory.

Exploitation Context

CISA confirmed in-the-wild exploitation. Flash XSS vulnerabilities were used in phishing and session hijacking campaigns — an attacker who can steal a victim's session cookie from a target site (bank, email provider, corporate application) can take over the account without needing credentials. The "universal" nature of Flash XSS (affecting any site hosting Flash) made this a powerful tool for targeted account compromise.

Remediation

Adobe Flash Player reached end-of-life on December 31, 2020. Organizations should:

  1. Verify Flash Player is completely removed from all endpoints
  2. Check via endpoint management tools for any remaining Flash installations
  3. Audit web applications that historically hosted Flash content — ensure Flash parameters and FlashVars are sanitized even in legacy applications, and replace Flash-based features with HTML5 equivalents
  4. Block .swf delivery via email and web content filtering
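
For step 3, an added example (not part of the original advisory or of any Adobe or CISA tooling): a Python audit that lists the Flash embeds still present in a page and flags those that pass FlashVars or set AllowScriptAccess to "always". The AllowScriptAccess embed parameter and the Flash ActiveX classid are real settings that this page does not mention; the function names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

FLASH_MIME = "application/x-shockwave-flash"
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"  # Flash ActiveX control

def is_swf(url):  # query string and fragment are ignored
    return url.split("?")[0].split("#")[0].lower().endswith(".swf")

class FlashEmbedAuditor(HTMLParser):
    """Collects Flash <object>/<embed> elements and their script-relevant settings."""
    def __init__(self):
        super().__init__()
        self.findings, self.open_objects = [], []  # open_objects: stack of unclosed <object>s

    def record(self, tag, a, swf, flash):
        return {"tag": tag, "line": self.getpos()[0], "swf": swf, "flash": flash,
                "flashvars": a.get("flashvars"), "allowscriptaccess": a.get("allowscriptaccess")}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        typed = a.get("type", "").lower() == FLASH_MIME
        if tag == "object":
            flash = typed or a.get("classid", "").lower() == FLASH_CLSID or is_swf(a.get("data", ""))
            self.open_objects.append(self.record(tag, a, a.get("data", ""), flash))
        elif tag == "param" and self.open_objects:  # settings of the innermost open <object>
            name, value = a.get("name", "").lower(), a.get("value", "")
            if name in ("movie", "src") and is_swf(value):
                self.open_objects[-1].update(swf=value, flash=True)
            elif name in ("flashvars", "allowscriptaccess"):
                self.open_objects[-1][name] = value
        elif tag == "embed" and (typed or is_swf(a.get("src", ""))):
            self.findings.append(self.record(tag, a, a.get("src", ""), True))

    def handle_endtag(self, tag):
        if tag == "object" and self.open_objects:
            rec = self.open_objects.pop()
            self.findings += [rec] if rec["flash"] else []  # keep only Flash objects

def audit_html(html):
    """Return Flash embed records; 'review' marks FlashVars use or AllowScriptAccess=always."""
    parser = FlashEmbedAuditor()
    parser.feed(html)
    return [dict(r, review=bool(r["flashvars"]) or (r["allowscriptaccess"] or "").lower() == "always")
            for r in parser.findings]

# Constructed sample markup, not taken from any real site.
SAMPLE = """<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
<param name="movie" value="/media/player.swf?v=2"><param name="allowScriptAccess" value="always">
<param name="FlashVars" value="title=Welcome&amp;clip=intro"></object>
<embed src="/media/banner.swf" type="application/x-shockwave-flash" allowscriptaccess="never">"""
```

Run `audit_html()` over each template or rendered page of a legacy application; every returned record is a Flash feature to replace, and those with `review` set are the ones whose parameter handling should be checked first.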

Key Details

Property | Value
CVE ID | CVE-2012-0767
Vendor / Product | Adobe — Flash Player
NVD Published | 2012-02-16
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 6.1
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity | MEDIUM
CWE | CWE-79
CISA KEV Added | 2022-06-08
CISA KEV Deadline | 2022-06-22
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2022-06-22. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date | Event
2012-02-15 | Adobe releases APSB12-03 patching both CVE-2012-0754 (memory corruption) and CVE-2012-0767 (XSS)
2012-02-16 | CVE-2012-0767 published
2022-06-08 | Added to CISA Known Exploited Vulnerabilities catalog
2022-06-22 | CISA BOD 22-01 remediation deadline

References

Resource | Type
NVD — CVE-2012-0767 | Vulnerability Database
CISA KEV Catalog Entry | US Government
Adobe Security Bulletin APSB12-03 | Vendor Advisory