Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
kasperskyKaspersky LabKLA10711
HistoryDec 08, 2015 - 12:00 a.m.

KLA10711 Multiple vulnerabilities in Adobe Flash Player

2015-12-0800:00:00
Kaspersky Lab
threats.kaspersky.com
32

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

10 High

AI Score

Confidence

High

0.929 High

EPSS

Percentile

99.0%

JSON

Multiple serious vulnerabilities have been found in Adobe products. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions or execute arbitrary code.

Below is a complete list of vulnerabilities

  1. An unknown vulnerability can be exploited remotely to cause denial of service;
  2. Use-after-free, stack based buffer overflow and buffer overflow can be exploited remotely to execute arbitrary code;
  3. An unknown vulnerability can be exploited remotely to bypass security restrictions;
  4. Heap-based buffer overflow can be exploited remotely via a specially designed XML to execute arbitrary code;
  5. Improper SharedObject implementation can be exploited remotely to execute arbitrary code;
  6. Integer overflow at Shader filter can be exploited remotely via a specially designed BitmapData object to execute arbitrary code.

Technical details

Vulnerability (4) related to toString call.

Vulnerability (5) can be triggered via leveraging type confusion during getRemote call.

Vulnerability (6) can be exploited via large BitmapData.
To update Adobe Flash Player ActiveX (detected as Flash.ocx) on Windows 8 and higher, install latest updates from Control Panel

Original advisories

Adobe bulletin

Exploitation

Public exploits exist for this vulnerability.

Related products

Adobe-Flash-Player-ActiveX

Adobe-AIR

Adobe-Flash-Player-NPAPI

Adobe-Flash-Player-PPAPI

CVE list

CVE-2015-8050 critical

CVE-2015-8442 critical

CVE-2015-8064 critical

CVE-2015-8065 critical

CVE-2015-8069 critical

CVE-2015-8068 critical

CVE-2015-8067 critical

CVE-2015-8066 critical

CVE-2015-8402 critical

CVE-2015-8401 critical

CVE-2015-8071 critical

CVE-2015-8070 critical

CVE-2015-8404 critical

CVE-2015-8403 critical

CVE-2015-8047 critical

CVE-2015-8045 critical

CVE-2015-8049 critical

CVE-2015-8048 critical

CVE-2015-8443 critical

CVE-2015-8444 critical

CVE-2015-8428 critical

CVE-2015-8439 critical

CVE-2015-8440 critical

CVE-2015-8441 critical

CVE-2015-8456 critical

CVE-2015-8435 critical

CVE-2015-8436 critical

CVE-2015-8437 critical

CVE-2015-8438 critical

CVE-2015-8431 critical

CVE-2015-8424 critical

CVE-2015-8423 critical

CVE-2015-8420 critical

CVE-2015-8419 critical

CVE-2015-8422 critical

CVE-2015-8421 critical

CVE-2015-8416 critical

CVE-2015-8415 critical

CVE-2015-8418 critical

CVE-2015-8417 critical

CVE-2015-8062 critical

CVE-2015-8405 critical

CVE-2015-8406 critical

CVE-2015-8407 critical

CVE-2015-8408 critical

CVE-2015-8409 critical

CVE-2015-8410 critical

CVE-2015-8411 critical

CVE-2015-8412 critical

CVE-2015-8413 critical

CVE-2015-8414 critical

CVE-2015-8060 critical

CVE-2015-8061 critical

CVE-2015-8058 critical

CVE-2015-8059 critical

CVE-2015-8063 critical

CVE-2015-8057 critical

CVE-2015-8055 critical

CVE-2015-8454 critical

CVE-2015-8453 warning

CVE-2015-8452 critical

CVE-2015-8451 critical

CVE-2015-8450 critical

CVE-2015-8449 critical

CVE-2015-8448 critical

CVE-2015-8447 critical

CVE-2015-8446 critical

CVE-2015-8445 critical

CVE-2015-8427 critical

CVE-2015-8457 critical

CVE-2015-8425 critical

CVE-2015-8426 critical

CVE-2015-8056 critical

CVE-2015-8432 critical

CVE-2015-8429 critical

CVE-2015-8430 critical

CVE-2015-8433 critical

CVE-2015-8434 critical

CVE-2015-8455 critical

Solution

Update to the latest versionGet AIR

Get Flash

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

Affected Products

  • Adobe Flash Player versions earlier than 20.0.0.228Adobe Flash Player ESR versions earlier than 18.0.0.268Adobe Flash Player for Linux versions earlier than 11.2.202.554Adobe AIR versions earlier than 20.0.0.204

Related

suse 3
nessus 5
openvas 1
altlinux 2
archlinux 1
cve 46
ubuntucve 39
prion 32
cvelist 37
nvd 33
suse
suse
Security update for flash-player (important)
2015-12-10 12:10:31
Security update for flash-player (important)
2015-12-10 15:10:22
Security update for flash-player (important)
2015-12-09 20:10:33
nessus
nessus
SUSE SLED12 Security Update : flash-player (SUSE-SU-2015:2247-1)
2015-12-11 00:00:00
openSUSE Security Update : flash-player (openSUSE-2015-882)
2016-01-04 00:00:00
SUSE SLED11 Security Update : flash-player (SUSE-SU-2015:2236-1)
2015-12-11 00:00:00
openvas
openvas
SUSE: Security Advisory for flash-player (SUSE-SU-2015:2247-1)
2015-12-11 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 6 package adobe-flash-player version 3:11-alt57
2015-12-09 00:00:00
Security fix for the ALT Linux 7 package adobe-flash-player version 3:11-alt57
2015-12-09 00:00:00
archlinux
archlinux
flashplugin: multiple issues
2015-12-09 00:00:00
cve
cve
CVE-2015-8057
2015-12-10 05:59:07
CVE-2015-8071
2015-12-10 05:59:22
CVE-2015-8402
2015-12-10 05:59:24
ubuntucve
ubuntucve
CVE-2015-8821
2016-03-04 00:00:00
CVE-2015-8050
2015-12-10 00:00:00
CVE-2015-8065
2015-12-10 00:00:00
prion
prion
Design/Logic Flaw
2015-12-10 05:59:00
Design/Logic Flaw
2015-12-10 05:59:00
Design/Logic Flaw
2015-12-10 05:59:00
cvelist
cvelist
CVE-2015-8048
2015-12-10 02:00:00
CVE-2015-8050
2015-12-10 02:00:00
CVE-2015-8066
2015-12-10 02:00:00
nvd
nvd
CVE-2015-8059
2015-12-10 05:59:09
CVE-2015-8061
2015-12-10 05:59:11
CVE-2015-8064
2015-12-10 05:59:14

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

10 High

AI Score

Confidence

High

0.929 High

EPSS

Percentile

99.0%

JSON
Related for KLA10711
suse3nessus5openvas1altlinux2archlinux1cve46ubuntucve39prion32cvelist37nvd33