What is Adobe Flash Player?
Adobe Flash Player was a ubiquitous browser plugin enabling rich multimedia via ActionScript (Flash's scripting language). Flash's ExternalInterface API allows ActionScript code within a SWF to call JavaScript functions in the hosting web page and receive return values. This bidirectional communication bridge between Flash and the browser page was essential for Flash integration — and a recurring source of security vulnerabilities when input crossing the Flash-JavaScript boundary was not properly sanitized. Adobe discontinued Flash Player on December 31, 2020.
Overview
CVE-2013-0648 is an unspecified code execution vulnerability in the ExternalInterface ActionScript functionality of Adobe Flash Player. A malicious SWF file that triggers the vulnerable ExternalInterface code path achieves arbitrary code execution within the Flash process. This vulnerability was chained with CVE-2013-0643 (incorrect Firefox sandbox permissions) to achieve a full sandbox escape — CVE-2013-0648 provides the initial code execution inside Flash, and CVE-2013-0643 leverages excessive sandbox permissions to escape Firefox's plugin containment.
Adobe patched both vulnerabilities in APSB13-08 on February 26, 2013.
Affected Versions
| Component | Vulnerable Versions | Fixed Version |
|---|---|---|
| Adobe Flash Player (all browsers) | 11.6.602.168 and earlier | 11.6.602.171 |
| Adobe Flash Player (Linux) | 11.2.202.270 and earlier | 11.2.202.273 |
| Adobe AIR | 3.6.0.597 and earlier | See APSB13-08 |
Technical Details
Flash Player's ExternalInterface class provides the mechanism for ActionScript code to invoke JavaScript functions in the hosting HTML page and receive JavaScript values as return data. The vulnerability lies in how Flash processes data received through this interface — a malicious SWF can trigger a code execution condition in the ExternalInterface processing logic when the Flash plugin handles specially crafted data passed through the ActionScript-to-JavaScript communication channel.
The CVE-2013-0648 + CVE-2013-0643 chain:
- A malicious web page hosts a specially crafted SWF file
- CVE-2013-0648 is triggered via the ExternalInterface mechanism, achieving code execution inside the sandboxed Flash plugin process
- CVE-2013-0643 (Firefox sandbox permission misconfiguration) is then exploited from within the Flash process to perform privileged OS operations and escape Firefox's plugin sandbox
- The attacker achieves full code execution outside the sandbox, with the privileges of the browser user
Discovery
Discovered through analysis of active zero-day exploitation in the wild in February 2013, concurrent with the Adobe Reader zero-day chain (CVE-2013-0640/0641). The simultaneous discovery of two separate two-stage sandbox escape chains in two different Adobe products suggests an active threat actor campaign specifically targeting sandboxed Adobe plugin environments.
Exploitation Context
CISA confirmed exploitation in the wild. The CVE-2013-0648 + CVE-2013-0643 chain was deployed in targeted attacks, delivering malware payloads that bypassed Firefox's plugin sandbox. The sophistication of maintaining two simultaneous zero-days — both an initial Flash code execution exploit and a Firefox sandbox escape — indicates nation-state or highly capable criminal actors.
Remediation
Adobe Flash Player reached end-of-life on December 31, 2020. Organizations should:
- Verify Flash Player is completely removed from all endpoints
- Check via endpoint management tools for any remaining Flash installations
- Audit legacy systems that required Flash — replace or isolate these
- Block .swf file delivery at email and web content filtering gateways
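Added illustration for the gateway-filtering item above (not part of this advisory or of any vendor tooling): a content-based SWF check in Python, since extension filtering alone misses renamed files. The function names and the sample bytes are constructed for this example.

```python
"""Content-based SWF detection for a mail/web gateway filter (added example).

A SWF starts with a 3-byte signature ("FWS" uncompressed, "CWS" zlib,
"ZWS" LZMA), a 1-byte format version and a 4-byte little-endian
uncompressed file length. Matching on that header catches files that were
renamed to dodge a plain ".swf" extension block.
"""
import struct
import zlib
from typing import Optional

SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def inspect_swf(data: bytes) -> Optional[dict]:
    """Return header details if `data` looks like a SWF, otherwise None."""
    if len(data) < 8:
        return None
    sig = data[:3]
    if sig not in SWF_SIGNATURES:
        return None
    version = data[3]
    (length,) = struct.unpack("<I", data[4:8])
    if length < 8:  # declared length cannot be smaller than the header
        return None
    info = {"compression": SWF_SIGNATURES[sig], "version": version,
            "uncompressed_length": length}
    if sig == b"CWS":
        # Confirm the body really is zlib data; a failure means a forged header.
        # (ZWS bodies use raw LZMA and are accepted on the header alone here.)
        try:
            body = zlib.decompress(data[8:])
        except zlib.error:
            return None
        info["body_matches_length"] = (len(body) + 8 == length)
    return info


def should_block(filename: str, data: bytes) -> bool:
    """Block on extension OR on content, so renamed SWFs are still caught."""
    return filename.lower().endswith(".swf") or inspect_swf(data) is not None


def make_sample_cws(body: bytes, version: int = 11) -> bytes:
    """Constructed fixture: wrap `body` in a minimal CWS (zlib) container."""
    header = b"CWS" + bytes([version]) + struct.pack("<I", len(body) + 8)
    return header + zlib.compress(body)
```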
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2013-0648 |
| Vendor / Product | Adobe — Flash Player |
| NVD Published | 2013-02-27 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2024-09-17 |
| CISA KEV Deadline | 2024-10-08 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network (N) |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR) | None (N) |
| User Interaction (UI) | Required (R) |
| Scope (S) | Unchanged (U) |
| Confidentiality (C) | High (H) |
| Integrity (I) | High (H) |
| Availability (A) | High (H) |
Timeline
| Date | Event |
|---|---|
| 2013-02 | Zero-day exploitation observed — CVE-2013-0648 provides initial Flash code execution for Firefox sandbox escape chain |
| 2013-02-26 | Adobe releases APSB13-08 (Flash Player 11.6.602.171) patching both CVE-2013-0643 and CVE-2013-0648 |
| 2013-02-27 | CVE-2013-0648 published |
| 2024-09-17 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2024-10-08 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2013-0648 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Adobe Security Bulletin APSB13-08 | Vendor Advisory |