Lucene search

K
kasperskyKaspersky LabKLA10711
HistoryDec 08, 2015 - 12:00 a.m.

KLA10711 Multiple vulnerabilities in Adobe Flash Player

2015-12-0800:00:00
Kaspersky Lab
threats.kaspersky.com
32

10 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.929 High

EPSS

Percentile

99.0%

Multiple serious vulnerabilities have been found in Adobe products. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions or execute arbitrary code.

Below is a complete list of vulnerabilities

  1. An unknown vulnerability can be exploited remotely to cause denial of service;
  2. Use-after-free, stack based buffer overflow and buffer overflow can be exploited remotely to execute arbitrary code;
  3. An unknown vulnerability can be exploited remotely to bypass security restrictions;
  4. Heap-based buffer overflow can be exploited remotely via a specially designed XML to execute arbitrary code;
  5. Improper SharedObject implementation can be exploited remotely to execute arbitrary code;
  6. Integer overflow at Shader filter can be exploited remotely via a specially designed BitmapData object to execute arbitrary code.

Technical details

Vulnerability (4) related to toString call.

Vulnerability (5) can be triggered via leveraging type confusion during getRemote call.

Vulnerability (6) can be exploited via large BitmapData.
To update Adobe Flash Player ActiveX (detected as Flash.ocx) on Windows 8 and higher, install latest updates from Control Panel

Original advisories

Adobe bulletin

Exploitation

Public exploits exist for this vulnerability.

Related products

Adobe-Flash-Player-ActiveX

Adobe-AIR

Adobe-Flash-Player-NPAPI

Adobe-Flash-Player-PPAPI

CVE list

CVE-2015-8050 critical

CVE-2015-8442 critical

CVE-2015-8064 critical

CVE-2015-8065 critical

CVE-2015-8069 critical

CVE-2015-8068 critical

CVE-2015-8067 critical

CVE-2015-8066 critical

CVE-2015-8402 critical

CVE-2015-8401 critical

CVE-2015-8071 critical

CVE-2015-8070 critical

CVE-2015-8404 critical

CVE-2015-8403 critical

CVE-2015-8047 critical

CVE-2015-8045 critical

CVE-2015-8049 critical

CVE-2015-8048 critical

CVE-2015-8443 critical

CVE-2015-8444 critical

CVE-2015-8428 critical

CVE-2015-8439 critical

CVE-2015-8440 critical

CVE-2015-8441 critical

CVE-2015-8456 critical

CVE-2015-8435 critical

CVE-2015-8436 critical

CVE-2015-8437 critical

CVE-2015-8438 critical

CVE-2015-8431 critical

CVE-2015-8424 critical

CVE-2015-8423 critical

CVE-2015-8420 critical

CVE-2015-8419 critical

CVE-2015-8422 critical

CVE-2015-8421 critical

CVE-2015-8416 critical

CVE-2015-8415 critical

CVE-2015-8418 critical

CVE-2015-8417 critical

CVE-2015-8062 critical

CVE-2015-8405 critical

CVE-2015-8406 critical

CVE-2015-8407 critical

CVE-2015-8408 critical

CVE-2015-8409 critical

CVE-2015-8410 critical

CVE-2015-8411 critical

CVE-2015-8412 critical

CVE-2015-8413 critical

CVE-2015-8414 critical

CVE-2015-8060 critical

CVE-2015-8061 critical

CVE-2015-8058 critical

CVE-2015-8059 critical

CVE-2015-8063 critical

CVE-2015-8057 critical

CVE-2015-8055 critical

CVE-2015-8454 critical

CVE-2015-8453 warning

CVE-2015-8452 critical

CVE-2015-8451 critical

CVE-2015-8450 critical

CVE-2015-8449 critical

CVE-2015-8448 critical

CVE-2015-8447 critical

CVE-2015-8446 critical

CVE-2015-8445 critical

CVE-2015-8427 critical

CVE-2015-8457 critical

CVE-2015-8425 critical

CVE-2015-8426 critical

CVE-2015-8056 critical

CVE-2015-8432 critical

CVE-2015-8429 critical

CVE-2015-8430 critical

CVE-2015-8433 critical

CVE-2015-8434 critical

CVE-2015-8455 critical

Solution

Update to the latest versionGet AIR

Get Flash

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

Affected Products

  • Adobe Flash Player versions earlier than 20.0.0.228Adobe Flash Player ESR versions earlier than 18.0.0.268Adobe Flash Player for Linux versions earlier than 11.2.202.554Adobe AIR versions earlier than 20.0.0.204

10 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.929 High

EPSS

Percentile

99.0%