CERT-In Advisory
CIAD-2015-0065
Multiple Vulnerabilities in Adobe Flash Player and Adobe AIR
Original Issue Date: November 17, 2015
Severity Rating: High
Software Affected
- Adobe Flash Player Desktop Runtime versions 19.0.0.226 and prior for Windows and Macintosh
- Adobe Flash Player Extended Support Release versions 18.0.0.255 and prior for Windows and Macintosh
- Adobe Flash Player for Google Chrome versions 19.0.0.226 and prior for Windows, Macintosh, Linux and ChromeOS
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 versions 19.0.0.226 and prior for Windows 10
- Adobe Flash Player for Internet Explorer 10 and 11 versions 19.0.0.226 and prior for Windows 8.0 and 8.1
- Adobe Flash Player versions 11.2.202.540 and prior for Linux
- Adobe AIR Desktop Runtime versions 19.0.0.213 and prior
- Adobe AIR SDK versions 19.0.0.213 and prior
- Adobe AIR SDK & Compiler versions 19.0.0.213 and prior
- Adobe AIR for Android versions 19.0.0.190 and prior
Overview
Multiple vulnerabilities have been reported in Adobe Flash Player and Adobe AIR which could allow a remote attacker to execute arbitrary code or bypass security restrictions.
Description
1. Type Confusion Vulnerability (CVE-2015-7659)
This vulnerability exists due to an unspecified type confusion error in the NetConnection object implementation in Adobe Flash Player and Adobe AIR. A remote attacker could exploit this vulnerability by tricking a user into opening a crafted file or visiting a web page containing specially crafted content. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code in the context of the current process.
2. Security Bypass Vulnerability (CVE-2015-7662)
This vulnerability exists due to an unspecified error in Adobe Flash Player and Adobe AIR. Successful exploitation of this vulnerability could allow a remote attacker to bypass access restrictions and write arbitrary data to the file system with the permissions of the current user.
3. Use-After-Free Vulnerabilities (CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, CVE-2015-8046)
These vulnerabilities exist in Adobe Flash Player and Adobe AIR due to use-after-free errors that occur while handling specially crafted Flash content. A remote attacker could exploit these vulnerabilities by convincing a user to open a crafted file or visit a malicious web page containing specially crafted content. Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code on the targeted system.
Solution
Apply the appropriate patch as mentioned in the Adobe security bulletin APSB15-28.
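To triage an inventory against the "Software Affected" list above, the version strings must be compared numerically, not as text (a string compare puts "19.0.0.9" above "19.0.0.213"). The following script is an added example, not part of the CERT-In advisory or Adobe's tooling; the thresholds are copied from the list above, while the product keys and the sample inventory are constructed for this illustration.

```python
# Added example (not from the advisory): flag Flash Player / AIR builds that fall
# within the affected ranges listed in the "Software Affected" section.
# Product keys and the sample inventory below are constructed for this example.

from typing import Tuple

# Highest affected version per product/platform ("X and prior" in the advisory).
AFFECTED_MAX = {
    "flash_desktop_win_mac": "19.0.0.226",
    "flash_esr_win_mac": "18.0.0.255",
    "flash_chrome": "19.0.0.226",
    "flash_edge_ie11_win10": "19.0.0.226",
    "flash_ie10_ie11_win8": "19.0.0.226",
    "flash_linux": "11.2.202.540",
    "air_desktop": "19.0.0.213",
    "air_sdk": "19.0.0.213",
    "air_sdk_compiler": "19.0.0.213",
    "air_android": "19.0.0.190",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '19.0.0.226' into (19, 0, 0, 226) so comparison is numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, installed: str) -> bool:
    """True if the installed build is at or below the advisory's threshold."""
    if product not in AFFECTED_MAX:
        raise KeyError(f"unknown product key: {product}")
    return parse_version(installed) <= parse_version(AFFECTED_MAX[product])


if __name__ == "__main__":
    # Constructed sample inventory: (host, product key, installed version).
    inventory = [
        ("ws-01", "flash_desktop_win_mac", "19.0.0.226"),  # equal to threshold
        ("ws-02", "flash_desktop_win_mac", "19.0.0.300"),  # constructed later build
        ("srv-03", "flash_linux", "11.2.202.540"),         # equal to threshold
        ("dev-04", "air_sdk", "19.0.0.9"),                 # 9 < 213 numerically
    ]
    for host, product, ver in inventory:
        state = "AFFECTED" if is_affected(product, ver) else "ok"
        print(f"{host:8} {product:24} {ver:14} {state}")
```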
Vendor Information
Adobe
https://helpx.adobe.com/security/products/flash-player/apsb15-28.html
References
Security Tracker
http://securitytracker.com/id/1034111
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=42020
Zero Day Initiative
http://www.zerodayinitiative.com/advisories/ZDI-15-566/
http://www.zerodayinitiative.com/advisories/ZDI-15-556/
http://www.zerodayinitiative.com/advisories/ZDI-15-557/
http://www.zerodayinitiative.com/advisories/ZDI-15-561
http://www.zerodayinitiative.com/advisories/ZDI-15-560
http://www.zerodayinitiative.com/advisories/ZDI-15-559/
http://www.zerodayinitiative.com/advisories/ZDI-15-558/
http://www.zerodayinitiative.com/advisories/ZDI-15-567/
http://www.zerodayinitiative.com/advisories/ZDI-15-562/
http://www.zerodayinitiative.com/advisories/ZDI-15-565/
http://www.zerodayinitiative.com/advisories/ZDI-15-564
http://www.zerodayinitiative.com/advisories/ZDI-15-563/
CVE Name
CVE-2015-7659
CVE-2015-7651
CVE-2015-7652
CVE-2015-7653
CVE-2015-7654
CVE-2015-7655
CVE-2015-7656
CVE-2015-7657
CVE-2015-7658
CVE-2015-7660
CVE-2015-7661
CVE-2015-7663
CVE-2015-8042
CVE-2015-8043
CVE-2015-8044
CVE-2015-8046
CVE-2015-7662
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India