What Is Adobe Flash Player?
Adobe Flash Player was the dominant browser multimedia plugin installed on over 90% of desktop computers at its peak, enabling rich interactive content via ActionScript scripting. Its combination of near-universal installation and a large attack surface made it the most-exploited browser plugin in the 2005–2020 era. Zero-day Flash exploits were sold for hundreds of thousands of dollars in exploit markets and were a staple of nation-state APT toolkits. Flash reached end-of-life on December 31, 2020.
Overview
CVE-2014-0502 is a double free vulnerability in Adobe Flash Player, exploited as a zero-day in February 2014 as part of Operation GreedyWonk — a sophisticated watering hole campaign discovered by FireEye. The attackers compromised multiple high-profile websites focused on US and international economic policy, defense analysis, and foreign affairs, using them to silently infect the browsers of visitors who were likely defense and intelligence professionals. The vulnerability was patched in Adobe Security Bulletin APSB14-07 on February 20, 2014.
Affected Versions
| Flash Player | Platform | Vulnerable | Fixed |
|---|---|---|---|
| Flash Player 12.x | Windows/Mac | < 12.0.0.70 | 12.0.0.70 |
| Flash Player 11.x | Windows/Mac | < 11.7.700.269 | 11.7.700.269 |
| Flash Player 11.x | Linux | < 11.2.202.346 | 11.2.202.346 |
Technical Details
Root Cause: Double Free in Flash Memory Management
A double free occurs when program code calls free() (or equivalent memory deallocation) on the same memory region twice. The second free corrupts the heap allocator's metadata — typically by overwriting free-list pointers — which can be exploited to redirect subsequent memory allocations to attacker-controlled locations, enabling arbitrary code execution.
In CVE-2014-0502, a specific sequence of ActionScript operations in a malformed SWF file triggers Flash to free a memory object and then free it again. The exploit leverages this heap corruption to place shellcode in a predictable location (using heap spray) and redirect Flash's code execution to it.
The Operation GreedyWonk campaign additionally paired this Flash exploit with CVE-2014-0322 (an Internet Explorer use-after-free zero-day active simultaneously) — presenting visitors with the most appropriate exploit for their browser configuration.
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — embedded SWF on compromised legitimate websites |
| User Interaction | Required (visit the compromised page) |
| Authentication | None |
| Paired exploit | CVE-2014-0322 (IE zero-day) — deployed simultaneously |
| CWE | CWE-415: Double Free |
Discovery
FireEye discovered Operation GreedyWonk on February 13, 2014 during threat intelligence monitoring. The attackers had compromised multiple legitimate websites used by defense and economic policy communities. FireEye coordinated disclosure with Adobe, resulting in an emergency patch (APSB14-07) one week later.
Exploitation Context
- Operation GreedyWonk (FireEye, February 2014): Watering hole attacks on websites used by defense and foreign policy professionals, including think tanks and NGOs focused on economic and international security policy (believed to include institutions like the Council on Foreign Relations)
- Attribution: A Chinese APT group (linked to prior DeputyDog / Operation GreedyWonk cluster) based on targeting patterns, infrastructure, and TTPs
- Paired with IE zero-day: Visiting the compromised sites served CVE-2014-0502 (Flash) for Flash-enabled browsers and CVE-2014-0322 (IE) for Internet Explorer users — maximizing victim coverage
- Targeting rationale: Think tank researchers, government contractors, and policy analysts working on defense, economic, and foreign policy issues — a high-value intelligence target
- Zero-day window: Exploited for approximately one week before the February 20 patch
- CISA KEV (2024): Added to KEV in September 2024, reflecting that Flash-based exploits continue to be used against systems that have not been cleaned up
Remediation
-
Remove Adobe Flash Player. Flash is end-of-life (December 31, 2020) with no further patches. Uninstall it from all systems using Adobe's Flash Player uninstaller or Windows Programs & Features.
-
Verify Flash is absent from all browsers (Chrome, Firefox, Edge, IE) — Flash should not appear in browser plugin lists.
-
Block SWF files at the network perimeter as a defense-in-depth measure: configure web proxy to block
.swffile downloads. -
Conduct threat hunt on systems that were running Flash before removal — check for indicators of prior compromise (persistence mechanisms, unusual scheduled tasks, backdoor processes).
-
For historical reference: original fix was Flash Player 12.0.0.70 or 11.7.700.269+ per APSB14-07.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2014-0502 |
| Vendor / Product | Adobe — Flash Player |
| NVD Published | 2014-02-21 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-415 — Double Free find similar ↗ |
| CISA KEV Added | 2024-09-17 |
| CISA KEV Deadline | 2024-10-08 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2014-02-13 | FireEye discovers active exploitation on defense and foreign policy think tank websites (Operation GreedyWonk) |
| 2014-02-13 | FireEye reports zero-day to Adobe and publishes Operation GreedyWonk blog |
| 2014-02-20 | Adobe Security Bulletin APSB14-07 released; CVE-2014-0502 patched in Flash Player 12.0.0.70 and 11.7.700.269 |
| 2014-02-21 | CVE-2014-0502 published by NVD |
| 2024-09-17 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2024-10-08 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2014-0502 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Adobe Security Bulletin APSB14-07 — Security Updates for Adobe Flash Player | Vendor Advisory |
| FireEye: Operation GreedyWonk — Multiple Economic and Foreign Policy Sites Compromised | Security Research |