{"id": "RHSA-2015:1913", "hash": "541ab969ed01194b5881a05605361dbd", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2015:1913) Critical: flash-plugin security update", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes three vulnerabilities in Adobe Flash Player. These\nvulnerabilities, detailed in the Adobe Security Bulletin APSB15-27 listed\nin the References section, could allow an attacker to create a specially\ncrafted SWF file that would cause flash-plugin to crash, execute arbitrary\ncode, or disclose sensitive information when the victim loaded a page\ncontaining the malicious SWF content. (CVE-2015-7645, CVE-2015-7647,\nCVE-2015-7648)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 11.2.202.540.\n", "published": "2015-10-16T04:00:00", "modified": "2018-06-07T09:04:21", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://access.redhat.com/errata/RHSA-2015:1913", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2015-7645", "CVE-2015-7647", "CVE-2015-7648"], "lastseen": "2019-05-29T14:35:37", "history": [{"bulletin": {"id": "RHSA-2015:1913", "hash": "", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2015:1913) Critical: flash-plugin security update", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes three vulnerabilities in Adobe Flash Player. These\nvulnerabilities, detailed in the Adobe Security Bulletin APSB15-27 listed\nin the References section, could allow an attacker to create a specially\ncrafted SWF file that would cause flash-plugin to crash, execute arbitrary\ncode, or disclose sensitive information when the victim loaded a page\ncontaining the malicious SWF content. (CVE-2015-7645, CVE-2015-7647,\nCVE-2015-7648)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 11.2.202.540.\n", "published": "2015-10-16T04:00:00", "modified": "2017-03-03T17:17:48", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1913", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2015-7647", "CVE-2015-7648", "CVE-2015-7645"], "lastseen": "2017-03-04T13:18:37", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "objectVersion": "1.4", "affectedPackage": [{"packageFilename": "flash-plugin-11.2.202.540-1.el6_7.i686.rpm", "OS": "RedHat", "arch": "i686", "packageName": "flash-plugin", "OSVersion": "6", "packageVersion": "11.2.202.540-1.el6_7", "operator": "lt"}]}, "lastseen": "2017-03-04T13:18:37", "differentElements": ["modified"], "edition": 1}, {"bulletin": {"id": "RHSA-2015:1913", "hash": "", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2015:1913) Critical: flash-plugin security update", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes three vulnerabilities in Adobe Flash Player. These\nvulnerabilities, detailed in the Adobe Security Bulletin APSB15-27 listed\nin the References section, could allow an attacker to create a specially\ncrafted SWF file that would cause flash-plugin to crash, execute arbitrary\ncode, or disclose sensitive information when the victim loaded a page\ncontaining the malicious SWF content. (CVE-2015-7645, CVE-2015-7647,\nCVE-2015-7648)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 11.2.202.540.\n", "published": "2015-10-16T04:00:00", "modified": "2018-06-07T02:44:23", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1913", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2015-7645", "CVE-2015-7647", "CVE-2015-7648"], "lastseen": "2018-06-06T23:50:43", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "arch": "i686", "packageName": "flash-plugin", "packageVersion": "11.2.202.540-1.el6_7", "packageFilename": "flash-plugin-11.2.202.540-1.el6_7.i686.rpm", "operator": "lt"}]}, "lastseen": "2018-06-06T23:50:43", "differentElements": ["modified"], "edition": 2}, {"bulletin": {"id": "RHSA-2015:1913", "hash": "33fb50860af7a8556b6d7bcacd0bbaf2", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2015:1913) Critical: flash-plugin security update", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes three vulnerabilities in Adobe Flash Player. These\nvulnerabilities, detailed in the Adobe Security Bulletin APSB15-27 listed\nin the References section, could allow an attacker to create a specially\ncrafted SWF file that would cause flash-plugin to crash, execute arbitrary\ncode, or disclose sensitive information when the victim loaded a page\ncontaining the malicious SWF content. (CVE-2015-7645, CVE-2015-7647,\nCVE-2015-7648)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 11.2.202.540.\n", "published": "2015-10-16T04:00:00", "modified": "2018-06-07T09:04:21", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1913", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2015-7645", "CVE-2015-7647", "CVE-2015-7648"], "lastseen": "2018-06-07T05:57:19", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7647", "CVE-2015-7648", "CVE-2015-7645"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310131099", "OPENVAS:1361412562310806098", "OPENVAS:1361412562310806500", "OPENVAS:1361412562310806099", "OPENVAS:1361412562310851117", "OPENVAS:1361412562310121422"]}, {"type": "threatpost", "idList": ["THREATPOST:CDE0513442F2DD84DD6387FC918BA3B7", "THREATPOST:2014CF1D3A9B6656582E85B2174C7896", "THREATPOST:3F20438316043C71AAD9C85191711EEE", "THREATPOST:190D2D4CC706E0CF894B62979A2DA309"]}, {"type": "nessus", "idList": ["MACOSX_FLASH_PLAYER_APSB15-27.NASL", "GOOGLE_CHROME_46_0_2490_80.NASL", "FREEBSD_PKG_84147B46E876486DB746339EE45A8BB9.NASL", "REDHAT-RHSA-2015-1913.NASL", "FLASH_PLAYER_APSB15-27.NASL", "MACOSX_GOOGLE_CHROME_46_0_2490_80.NASL", "SMB_KB3105216.NASL", "SUSE_SU-2015-1771-1.NASL", "SUSE_SU-2015-1770-1.NASL", "OPENSUSE-2015-665.NASL"]}, {"type": "kaspersky", "idList": ["KLA10680", "KLA10684"]}, {"type": "archlinux", "idList": ["ASA-201510-12"]}, {"type": "thn", "idList": ["THN:99BDD62C6BCF9B3765B670679C0892A8", "THN:D54E86215DEA786A1CA3FE1849BB230B"]}, {"type": "freebsd", "idList": ["84147B46-E876-486D-B746-339EE45A8BB9"]}, {"type": "symantec", "idList": ["SMNTC-77081"]}, {"type": "exploitdb", "idList": ["EDB-ID:38970", "EDB-ID:38969", "EDB-ID:38490"]}, {"type": "suse", "idList": ["SUSE-SU-2015:1770-1", "SUSE-SU-2015:1771-1", "OPENSUSE-SU-2015:1768-1", "OPENSUSE-SU-2015:1781-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201681902"]}, {"type": "fireeye", "idList": ["FIREEYE:0CAA37548C7EBA899FA1174794304489", "FIREEYE:D549372E644DEECBB7AEE8031D35DA4D", "FIREEYE:50656CA8D413ED51CDE771F0BAB863B5"]}, {"type": "gentoo", "idList": ["GLSA-201511-02"]}, {"type": "redhat", "idList": ["RHSA-2015:2024"]}], "modified": "2018-06-07T05:57:19"}}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "arch": "i686", "packageName": "flash-plugin", "packageVersion": "11.2.202.540-1.el6_7", "packageFilename": "flash-plugin-11.2.202.540-1.el6_7.i686.rpm", "operator": "lt"}]}, "lastseen": "2018-06-07T05:57:19", "differentElements": ["cvss"], "edition": 3}], "viewCount": 3, "enchantments": {"score": {"value": 8.6, "vector": "NONE", "modified": "2019-05-29T14:35:37"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7647", "CVE-2015-7648", "CVE-2015-7645"]}, {"type": "kaspersky", "idList": ["KLA10684", "KLA10680"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806099", "OPENVAS:1361412562310131099", "OPENVAS:1361412562310806098", "OPENVAS:1361412562310806500", "OPENVAS:1361412562310851117", "OPENVAS:1361412562310121422"]}, {"type": "archlinux", "idList": ["ASA-201510-12"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_84147B46E876486DB746339EE45A8BB9.NASL", "GOOGLE_CHROME_46_0_2490_80.NASL", "SMB_KB3105216.NASL", "MACOSX_FLASH_PLAYER_APSB15-27.NASL", "FLASH_PLAYER_APSB15-27.NASL", "MACOSX_GOOGLE_CHROME_46_0_2490_80.NASL", "REDHAT-RHSA-2015-1913.NASL", "OPENSUSE-2015-665.NASL", "SUSE_SU-2015-1770-1.NASL", "SUSE_SU-2015-1771-1.NASL"]}, {"type": "freebsd", "idList": ["84147B46-E876-486D-B746-339EE45A8BB9"]}, {"type": "threatpost", "idList": ["THREATPOST:CDE0513442F2DD84DD6387FC918BA3B7", "THREATPOST:2014CF1D3A9B6656582E85B2174C7896", "THREATPOST:3F20438316043C71AAD9C85191711EEE", "THREATPOST:190D2D4CC706E0CF894B62979A2DA309"]}, {"type": "thn", "idList": ["THN:99BDD62C6BCF9B3765B670679C0892A8", "THN:D54E86215DEA786A1CA3FE1849BB230B"]}, {"type": "symantec", "idList": ["SMNTC-77081"]}, {"type": "exploitdb", "idList": ["EDB-ID:38970", "EDB-ID:38969", "EDB-ID:38490"]}, {"type": "suse", "idList": ["SUSE-SU-2015:1771-1", "OPENSUSE-SU-2015:1768-1", "SUSE-SU-2015:1770-1", "OPENSUSE-SU-2015:1781-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201681902"]}, {"type": "fireeye", "idList": ["FIREEYE:0CAA37548C7EBA899FA1174794304489", "FIREEYE:50656CA8D413ED51CDE771F0BAB863B5", "FIREEYE:D549372E644DEECBB7AEE8031D35DA4D"]}, {"type": "gentoo", "idList": ["GLSA-201511-02"]}, {"type": "redhat", "idList": ["RHSA-2015:2024"]}], "modified": "2019-05-29T14:35:37"}, "vulnersScore": 8.6}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "arch": "i686", "packageName": "flash-plugin", "packageVersion": "11.2.202.540-1.el6_7", "packageFilename": "flash-plugin-11.2.202.540-1.el6_7.i686.rpm", "operator": "lt"}], "_object_type": "robots.models.redhat.RedHatBulletin", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2019-05-29T18:14:44", "bulletinFamily": "NVD", "description": "Adobe Flash Player before 18.0.0.255 and 19.x before 19.0.0.226 on Windows and OS X and before 11.2.202.540 on Linux allows attackers to execute arbitrary code by leveraging an unspecified \"type confusion,\" a different vulnerability than CVE-2015-7648.\n<a href=\"http://cwe.mitre.org/data/definitions/843.html\">CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')</a>", "modified": "2017-09-13T01:29:00", "id": "CVE-2015-7647", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7647", "published": "2015-10-18T10:59:00", "title": "CVE-2015-7647", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:14:44", "bulletinFamily": "NVD", "description": "Adobe Flash Player before 18.0.0.255 and 19.x before 19.0.0.226 on Windows and OS X and before 11.2.202.540 on Linux allows attackers to execute arbitrary code by leveraging an unspecified \"type confusion,\" a different vulnerability than CVE-2015-7647.\n<a href=\"http://cwe.mitre.org/data/definitions/843.html\">CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')</a>", "modified": "2017-09-13T01:29:00", "id": "CVE-2015-7648", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7648", "published": "2015-10-18T10:59:00", "title": "CVE-2015-7648", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:14:44", "bulletinFamily": "NVD", "description": "Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows and OS X and 11.x through 11.2.202.535 on Linux allows remote attackers to execute arbitrary code via a crafted SWF file, as exploited in the wild in October 2015.", "modified": "2017-07-01T01:29:00", "id": "CVE-2015-7645", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7645", "published": "2015-10-15T10:59:00", "title": "CVE-2015-7645", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:17", "bulletinFamily": "info", "description": "### *Detect date*:\n10/22/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nGoogle Chrome was updated to address vulnerabilities in Flash Player. For details look at KLA10680.\n\n### *Affected products*:\nGoogle Chrome versions earlier than 46.0.2490.80 (all branches)\n\n### *Solution*:\nUpdate to the latest version. File with name old_chrome can be still detected after update. It caused by Google Chrome update policy which does not remove old versions when installing updates. Try to contact vendor for further delete instructions or ignore such kind of alerts at your own risk. \n[Get Chrome](<https://www.google.com/chrome/browser/desktop/index.html>)\n\n### *Original advisories*:\n[Google release blog entry](<http://feedproxy.google.com/~r/GoogleChromeReleases/~3/EjqdPAk-9T4/stable-channel-update_22.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2015-7647](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7647>)10.0Critical \n[CVE-2015-7648](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7648>)10.0Critical \n[CVE-2015-7645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7645>)9.3Critical", "modified": "2019-03-07T00:00:00", "published": "2015-10-22T00:00:00", "id": "KLA10684", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10684", "title": "\r KLA10684Flash Player update for Google Chrome ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-21T00:15:17", "bulletinFamily": "info", "description": "### *Detect date*:\n10/14/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple type confusion vulnerabilities were found in Adobe Flash Player. By exploiting these vulnerabilities malicious users can execute arbitrary code. This vulnerability can be exploited remotely via a specially designed SWF file or other unknown vectors.\n\n### *Affected products*:\nAdobe Flash Player versions earlier than 19.0.0.226 \nAdobe Flash Player Extended Support Release versions earlier than 18.0.0.255 \nAdobe Flash Player for Linux versions earlier than 11.2.202.540\n\n### *Solution*:\nUpdate to the latest version \n[Get Flash Player](<https://get.adobe.com/flashplayer/>)\n\n### *Original advisories*:\n[Adobe bulletin](<https://helpx.adobe.com/security/products/flash-player/apsa15-05.html>) \n[Adobe bulletin](<https://helpx.adobe.com/security/products/flash-player/apsb15-27.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Adobe Flash Player ActiveX](<https://threats.kaspersky.com/en/product/Adobe-Flash-Player-ActiveX/>)\n\n### *CVE-IDS*:\n[CVE-2015-7647](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7647>)10.0Critical \n[CVE-2015-7648](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7648>)10.0Critical \n[CVE-2015-7645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7645>)9.3Critical", "modified": "2019-03-07T00:00:00", "published": "2015-10-14T00:00:00", "id": "KLA10680", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10680", "title": "\r KLA10680Code execution vulnerability in Adobe Flash Player ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-07-19T22:13:22", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash\n Player and is prone to multiple unspecified vulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2015-10-16T00:00:00", "id": "OPENVAS:1361412562310806099", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806099", "title": "Adobe Flash Player Unspecified Vulnerability Oct15 (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Unspecified Vulnerability Oct15 (Mac OS X)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806099\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2015-7645\", \"CVE-2015-7647\", \"CVE-2015-7648\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-10-16 15:42:14 +0530 (Fri, 16 Oct 2015)\");\n script_name(\"Adobe Flash Player Unspecified Vulnerability Oct15 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash\n Player and is prone to multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to some unspecified\n critical vulnerabilities in Adobe Flash Player.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to cause a crash and potentially an attacker to take control of the affected\n system.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player version 8.x through\n 18.0.0.252, 19.x through 19.0.0.207 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 18.0.0.255 or 19.0.0.226 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa15-05.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-27.html\");\n script_xref(name:\"URL\", value:\"http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Flash/Player/MacOSX/Version\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_in_range(version:playerVer, test_version:\"19.0\", test_version2:\"19.0.0.207\"))\n{\n fix = \"19.0.0.226\";\n VULN = TRUE;\n}\n\nelse if(version_in_range(version:playerVer, test_version:\"18.0\", test_version2:\"18.0.0.252\"))\n{\n fix = \"18.0.0.255\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = 'Installed version: ' + playerVer + '\\n' +\n 'Fixed version:' + fix + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:37", "bulletinFamily": "scanner", "description": "Mageia Linux Local Security Checks mgasa-2015-0404", "modified": "2018-09-28T00:00:00", "published": "2015-10-19T00:00:00", "id": "OPENVAS:1361412562310131099", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131099", "title": "Mageia Linux Local Check: mgasa-2015-0404", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2015-0404.nasl 11692 2018-09-28 16:55:19Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131099\");\n script_version(\"$Revision: 11692 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-19 07:02:27 +0300 (Mon, 19 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 18:55:19 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2015-0404\");\n script_tag(name:\"insight\", value:\"Adobe Flash Player 11.2.202.540 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system. This update resolves type confusion vulnerabilities that could lead to code execution (CVE-2015-7645, CVE-2015-7647, CVE-2015-7648). An exploit for CVE-2015-7645 is being used in the wild.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2015-0404.html\");\n script_cve_id(\"CVE-2015-7645\", \"CVE-2015-7647\", \"CVE-2015-7648\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2015-0404\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"flash-player-plugin\", rpm:\"flash-player-plugin~11.2.202.540~1.mga5.nonfree\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:13:57", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash\n Player and is prone to multiple unspecified vulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2015-10-16T00:00:00", "id": "OPENVAS:1361412562310806500", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806500", "title": "Adobe Flash Player Unspecified Vulnerability Oct15 (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Unspecified Vulnerability Oct15 (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806500\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2015-7645\", \"CVE-2015-7647\", \"CVE-2015-7648\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-10-16 15:46:37 +0530 (Fri, 16 Oct 2015)\");\n script_name(\"Adobe Flash Player Unspecified Vulnerability Oct15 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash\n Player and is prone to multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to some unspecified\n critical vulnerabilities in Adobe Flash Player.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to cause a crash and potentially an attacker to take control of the affected\n system.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player versions 11.x through\n 11.2.202.535 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 11.2.202.540 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa15-05.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-27.html\");\n script_xref(name:\"URL\", value:\"http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Linux/Ver\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_in_range(version:playerVer, test_version:\"11.0\", test_version2:\"11.2.202.535\"))\n{\n report = 'Installed version: ' + playerVer + '\\n' +\n 'Fixed version: 11.2.202.540 \\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:13:45", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash\n Player and is prone to multiple unspecified vulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2015-10-16T00:00:00", "id": "OPENVAS:1361412562310806098", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806098", "title": "Adobe Flash Player Unspecified Vulnerability Oct15 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Unspecified Vulnerability Oct15 (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806098\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2015-7645\", \"CVE-2015-7647\", \"CVE-2015-7648\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-10-16 15:53:08 +0530 (Fri, 16 Oct 2015)\");\n script_name(\"Adobe Flash Player Unspecified Vulnerability Oct15 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash\n Player and is prone to multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to some unspecified\n critical vulnerabilities in Adobe Flash Player.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to cause a crash and potentially an attacker to take control of the affected\n system.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player version 18.x through 18.0.0.252\n 19.x through 19.0.0.207 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 18.0.0.255 or 19.0.0.226 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa15-05.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-27.html\");\n script_xref(name:\"URL\", value:\"http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Win/Installed\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_in_range(version:playerVer, test_version:\"19.0\", test_version2:\"19.0.0.207\"))\n{\n fix = \"19.0.0.226\";\n VULN = TRUE;\n}\n\nelse if(version_in_range(version:playerVer, test_version:\"18.0\", test_version2:\"18.0.0.252\"))\n{\n fix = \"18.0.0.255\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = 'Installed version: ' + playerVer + '\\n' +\n 'Fixed version:' + fix + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:04", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-10-17T00:00:00", "id": "OPENVAS:1361412562310851117", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851117", "title": "SuSE Update for flash-player SUSE-SU-2015:1770-1 (flash-player)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2015_1770_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for flash-player SUSE-SU-2015:1770-1 (flash-player)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851117\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-17 08:18:39 +0200 (Sat, 17 Oct 2015)\");\n script_cve_id(\"CVE-2015-7645\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for flash-player SUSE-SU-2015:1770-1 (flash-player)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'flash-player'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n\n - CVE-2015-7645: Critical vulnerability affecting 11.2.202.535 used in\n Pawn Storm (APSA15-05) (bsc#950474).\");\n script_tag(name:\"affected\", value:\"flash-player on SUSE Linux Enterprise Desktop 12\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"SUSE-SU\", value:\"2015:1770_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLED12\\.0SP0\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"SLED12.0SP0\")\n{\n\n if ((res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~11.2.202.540~108.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"flash-player-gnome\", rpm:\"flash-player-gnome~11.2.202.540~108.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:09", "bulletinFamily": "scanner", "description": "Gentoo Linux Local Security Checks GLSA 201511-02", "modified": "2018-10-26T00:00:00", "published": "2015-11-17T00:00:00", "id": "OPENVAS:1361412562310121422", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121422", "title": "Gentoo Security Advisory GLSA 201511-02", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201511-02.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121422\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-11-17 17:06:23 +0200 (Tue, 17 Nov 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201511-02\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201511-02\");\n script_cve_id(\"CVE-2015-5569\", \"CVE-2015-7625\", \"CVE-2015-7626\", \"CVE-2015-7627\", \"CVE-2015-7628\", \"CVE-2015-7629\", \"CVE-2015-7630\", \"CVE-2015-7631\", \"CVE-2015-7632\", \"CVE-2015-7633\", \"CVE-2015-7634\", \"CVE-2015-7643\", \"CVE-2015-7644\", \"CVE-2015-7645\", \"CVE-2015-7646\", \"CVE-2015-7647\", \"CVE-2015-7648\", \"CVE-2015-7651\", \"CVE-2015-7652\", \"CVE-2015-7653\", \"CVE-2015-7654\", \"CVE-2015-7655\", \"CVE-2015-7656\", \"CVE-2015-7657\", \"CVE-2015-7658\", \"CVE-2015-7659\", \"CVE-2015-7660\", \"CVE-2015-7661\", \"CVE-2015-7662\", \"CVE-2015-7663\", \"CVE-2015-8042\", \"CVE-2015-8043\", \"CVE-2015-8044\", \"CVE-2015-8046\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201511-02\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"www-plugins/adobe-flash\", unaffected: make_list(\"ge 11.2.202.548\"), vulnerable: make_list(\"lt 11.2.202.548\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:01", "bulletinFamily": "unix", "description": "\nAdobe reports:\n\nThese updates resolve type confusion vulnerabilities that\n\t could lead to code execution (CVE-2015-7645, CVE-2015-7647,\n\t CVE-2015-7648).\n\n", "modified": "2015-10-16T00:00:00", "published": "2015-10-16T00:00:00", "id": "84147B46-E876-486D-B746-339EE45A8BB9", "href": "https://vuxml.freebsd.org/freebsd/84147b46-e876-486d-b746-339ee45a8bb9.html", "title": "flash -- remote code execution", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-02-21T01:25:13", "bulletinFamily": "scanner", "description": "Adobe reports :\n\nThese updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2015-7645, CVE-2015-7647, CVE-2015-7648).", "modified": "2018-11-10T00:00:00", "id": "FREEBSD_PKG_84147B46E876486DB746339EE45A8BB9.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86433", "published": "2015-10-19T00:00:00", "title": "FreeBSD : flash -- remote code execution (84147b46-e876-486d-b746-339ee45a8bb9)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86433);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2018/11/10 11:49:44\");\n\n script_cve_id(\"CVE-2015-7645\", \"CVE-2015-7647\", \"CVE-2015-7648\");\n\n script_name(english:\"FreeBSD : flash -- remote code execution (84147b46-e876-486d-b746-339ee45a8bb9)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Adobe reports :\n\nThese updates resolve type confusion vulnerabilities that could lead\nto code execution (CVE-2015-7645, CVE-2015-7647, CVE-2015-7648).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-27.html\"\n );\n # https://vuxml.freebsd.org/freebsd/84147b46-e876-486d-b746-339ee45a8bb9.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d22115d2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-c6-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-c6_64-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-f10-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"linux-c6-flashplugin<11.2r202.540\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-f10-flashplugin<11.2r202.540\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-c6_64-flashplugin<11.2r202.540\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:17", "bulletinFamily": "scanner", "description": "The version of Google Chrome installed on the remote Mac OS X host is prior to 46.0.2490.80. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow a remote attacker to execute arbitrary code. (CVE-2015-7645, CVE-2015-7647, CVE-2015-7648)", "modified": "2018-07-14T00:00:00", "id": "MACOSX_GOOGLE_CHROME_46_0_2490_80.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86599", "published": "2015-10-26T00:00:00", "title": "Google Chrome < 46.0.2490.80 Multiple Vulnerabilities (Mac OS X)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86599);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2015-7645\",\n \"CVE-2015-7647\",\n \"CVE-2015-7648\"\n );\n\n script_name(english:\"Google Chrome < 46.0.2490.80 Multiple Vulnerabilities (Mac OS X)\");\n script_summary(english:\"Checks the version number of Google Chrome.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host contains a web browser that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Mac OS X host is\nprior to 46.0.2490.80. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Multiple type confusion errors exist that allow a remote\n attacker to execute arbitrary code. (CVE-2015-7645,\n CVE-2015-7647, CVE-2015-7648)\");\n # http://googlechromereleases.blogspot.com/2015/10/stable-channel-update_22.html\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?db041d42\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-27.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome 46.0.2490.80 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\",value:\"2015/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2015/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/26\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"MacOSX/Google Chrome/Installed\");\n\ngoogle_chrome_check_version(fix:'46.0.2490.80', severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:13", "bulletinFamily": "scanner", "description": "The version of Adobe Flash Player installed on the remote Windows host is equal or prior to version 19.0.0.207. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow a remote attacker to execute arbitrary code. (CVE-2015-7645, CVE-2015-7647, CVE-2015-7648)", "modified": "2018-07-11T00:00:00", "id": "FLASH_PLAYER_APSB15-27.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86423", "published": "2015-10-19T00:00:00", "title": "Adobe Flash Player <= 19.0.0.207 Vulnerability (APSB15-27)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86423);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/07/11 17:09:26\");\n\n script_cve_id(\n \"CVE-2015-7645\",\n \"CVE-2015-7647\",\n \"CVE-2015-7648\"\n );\n\n script_name(english:\"Adobe Flash Player <= 19.0.0.207 Vulnerability (APSB15-27)\");\n script_summary(english:\"Checks the version of Flash Player.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Windows host\nis equal or prior to version 19.0.0.207. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow a remote\n attacker to execute arbitrary code. (CVE-2015-7645,\n CVE-2015-7647, CVE-2015-7648)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-27.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 19.0.0.226 or later.\n\nAlternatively, Adobe has made version 18.0.0.255 available for those\ninstallations that cannot be upgraded to the latest version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"flash_player_installed.nasl\");\n script_require_keys(\"SMB/Flash_Player/installed\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Flash_Player/installed\");\n\n# Identify vulnerable versions.\ninfo = \"\";\nvariants = make_list(\n \"Plugin\",\n \"ActiveX\",\n \"Chrome\",\n \"Chrome_Pepper\"\n);\n\n# we're checking for versions less than *or equal to* the cutoff!\nforeach variant (variants)\n{\n vers = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/Version/*\");\n files = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/File/*\");\n\n if(isnull(vers) || isnull(files))\n continue;\n\n foreach key (keys(vers))\n {\n ver = vers[key];\n if(isnull(ver))\n continue;\n\n vuln = FALSE;\n\n # Chrome Flash <= 19.0.0.207\n if(variant == \"Chrome_Pepper\" &&\n ver_compare(ver:ver,fix:\"19.0.0.207\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n # <= 18.0.0.252\n if(variant != \"Chrome_Pepper\" &&\n ver_compare(ver:ver,fix:\"18.0.0.252\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n # 19 <= 19.0.0.207\n if(variant != \"Chrome_Pepper\" &&\n ver =~ \"^(?:19|[2-9]\\d)\\.\" &&\n ver_compare(ver:ver,fix:\"19.0.0.207\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n if(vuln)\n {\n num = key - (\"SMB/Flash_Player/\"+variant+\"/Version/\");\n file = files[\"SMB/Flash_Player/\"+variant+\"/File/\"+num];\n if (variant == \"Plugin\")\n {\n info += '\\n Product : Browser Plugin (for Firefox / Netscape / Opera)';\n fix = \"19.0.0.226 / 18.0.0.255\";\n }\n else if (variant == \"ActiveX\")\n {\n info += '\\n Product : ActiveX control (for Internet Explorer)';\n fix = \"19.0.0.226 / 18.0.0.255\";\n }\n else if (\"Chrome\" >< variant)\n {\n info += '\\n Product : Browser Plugin (for Google Chrome)';\n if(variant == \"Chrome\")\n fix = \"Upgrade to a version of Google Chrome running Flash Player 19.0.0.225\";\n }\n info += '\\n Path : ' + file +\n '\\n Installed version : ' + ver;\n if (variant == \"Chrome_Pepper\")\n info += '\\n Fixed version : 19.0.0.225 (Chrome PepperFlash)';\n else if(!isnull(fix))\n info += '\\n Fixed version : '+fix;\n info += '\\n';\n }\n }\n}\n\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0) security_hole(port:port, extra:info);\n else security_hole(port);\n}\nelse\n{\n if (thorough_tests)\n exit(0, 'No vulnerable versions of Adobe Flash Player were found.');\n else\n exit(1, 'Google Chrome\\'s built-in Flash Player may not have been detected because the \\'Perform thorough tests\\' setting was not enabled.');\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:13", "bulletinFamily": "scanner", "description": "An updated Adobe Flash Player package that fixes three security issues is now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.\n\nThis update fixes three vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin APSB15-27 listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content.\n(CVE-2015-7645, CVE-2015-7647, CVE-2015-7648)\n\nAll users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.540.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2015-1913.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86439", "published": "2015-10-19T00:00:00", "title": "RHEL 6 : flash-plugin (RHSA-2015:1913)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1913. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86439);\n script_version(\"2.13\");\n script_cvs_date(\"Date: 2018/11/10 11:49:54\");\n\n script_cve_id(\"CVE-2015-7645\", \"CVE-2015-7647\", \"CVE-2015-7648\");\n script_xref(name:\"RHSA\", value:\"2015:1913\");\n\n script_name(english:\"RHEL 6 : flash-plugin (RHSA-2015:1913)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated Adobe Flash Player package that fixes three security issues\nis now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe\nFlash Player web browser plug-in.\n\nThis update fixes three vulnerabilities in Adobe Flash Player. These\nvulnerabilities, detailed in the Adobe Security Bulletin APSB15-27\nlisted in the References section, could allow an attacker to create a\nspecially crafted SWF file that would cause flash-plugin to crash,\nexecute arbitrary code, or disclose sensitive information when the\nvictim loaded a page containing the malicious SWF content.\n(CVE-2015-7645, CVE-2015-7647, CVE-2015-7648)\n\nAll users of Adobe Flash Player should install this updated package,\nwhich upgrades Flash Player to version 11.2.202.540.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-27.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:1913\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7648\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7645\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7647\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-plugin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:flash-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:1913\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"flash-plugin-11.2.202.540-1.el6_7\")) flag++;\n\n\n if (flag)\n {\n flash_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check only applies to RedHat released\\n' +\n 'versions of the flash-plugin package. This check does not apply to\\n' +\n 'Adobe released versions of the flash-plugin package, which are\\n' +\n 'versioned similarly and cause collisions in detection.\\n\\n' +\n\n 'If you are certain you are running the Adobe released package of\\n' +\n 'flash-plugin and are running a version of it equal or higher to the\\n' +\n 'RedHat version listed above then you can consider this a false\\n' +\n 'positive.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat() + flash_plugin_caveat\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-plugin\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:17", "bulletinFamily": "scanner", "description": "The version of Google Chrome installed on the remote Windows host is prior to 46.0.2490.80. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow a remote attacker to execute arbitrary code. (CVE-2015-7645, CVE-2015-7647, CVE-2015-7648)", "modified": "2018-07-12T00:00:00", "id": "GOOGLE_CHROME_46_0_2490_80.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86598", "published": "2015-10-26T00:00:00", "title": "Google Chrome < 46.0.2490.80 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86598);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/07/12 19:01:16\");\n\n script_cve_id(\n \"CVE-2015-7645\",\n \"CVE-2015-7647\",\n \"CVE-2015-7648\"\n );\n\n script_name(english:\"Google Chrome < 46.0.2490.80 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version number of Google Chrome.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a web browser that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is\nprior to 46.0.2490.80. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Multiple type confusion errors exist that allow a remote\n attacker to execute arbitrary code. (CVE-2015-7645,\n CVE-2015-7647, CVE-2015-7648)\");\n # http://googlechromereleases.blogspot.com/2015/10/stable-channel-update_22.html\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?db041d42\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-27.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome 46.0.2490.80 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\",value:\"2015/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2015/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/26\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"SMB/Google_Chrome/Installed\");\ninstalls = get_kb_list(\"SMB/Google_Chrome/*\");\n\ngoogle_chrome_check_version(installs:installs, fix:'46.0.2490.80', severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:13", "bulletinFamily": "scanner", "description": "The remote Windows host is missing KB3105216. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow a remote attacker to execute arbitrary code. (CVE-2015-7645, CVE-2015-7647, CVE-2015-7648)", "modified": "2018-11-15T00:00:00", "id": "SMB_KB3105216.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86469", "published": "2015-10-20T00:00:00", "title": "MS KB3105216: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86469);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\n \"CVE-2015-7645\",\n \"CVE-2015-7647\",\n \"CVE-2015-7648\"\n );\n script_xref(name:\"MSKB\", value:\"3105216\");\n\n script_name(english:\"MS KB3105216: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge\");\n script_summary(english:\"Checks the version of the ActiveX control.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing KB3105216. It is, therefore,\naffected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow a remote\n attacker to execute arbitrary code. (CVE-2015-7645,\n CVE-2015-7647, CVE-2015-7648)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-27.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/3105216/microsoft-security-advisory-update-for-vulnerabilities-in-adobe-flash\");\n script_set_attribute(attribute:\"solution\", value:\"Install Microsoft KB3105216.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\",value:\"2015/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2015/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_activex_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, \"activex_init()\");\n\n# Adobe Flash Player CLSID\nclsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}';\n\nfile = activex_get_filename(clsid:clsid);\nif (isnull(file))\n{\n activex_end();\n audit(AUDIT_FN_FAIL, \"activex_get_filename\", \"NULL\");\n}\nif (!file)\n{\n activex_end();\n audit(AUDIT_ACTIVEX_NOT_FOUND, clsid);\n}\n\n# Get its version.\nversion = activex_get_fileversion(clsid:clsid);\nif (!version)\n{\n activex_end();\n audit(AUDIT_VER_FAIL, file);\n}\n\ninfo = '';\n\niver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(iver); i++)\n iver[i] = int(iver[i]);\niver = join(iver, sep:\".\");\n\n# all < 18.0.0.255 or 19 < 19.0.0.226\nfix = FALSE;\nif(iver =~ \"^19\\.\" && ver_compare(ver:iver, fix:\"19.0.0.226\", strict:FALSE) < 0)\n fix = \"19.0.0.226\";\nelse if(ver_compare(ver:iver, fix:\"18.0.0.255\", strict:FALSE) < 0)\n fix = \"18.0.0.255\";\n\nif (\n (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0) &&\n fix\n)\n{\n info = '\\n Path : ' + file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n}\n\nport = kb_smb_transport();\n\nif (info != '')\n{\n if (report_verbosity > 0)\n {\n if (report_paranoia > 1)\n {\n report = info +\n '\\n' +\n 'Note, though, that Nessus did not check whether the kill bit was\\n' +\n \"set for the control's CLSID because of the Report Paranoia setting\" + '\\n' +\n 'in effect when this scan was run.\\n';\n }\n else\n {\n report = info +\n '\\n' +\n 'Moreover, its kill bit is not set so it is accessible via Internet\\n' +\n 'Explorer.\\n';\n }\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:13", "bulletinFamily": "scanner", "description": "The version of Adobe Flash Player installed on the remote Mac OS X host is equal or prior to version 19.0.0.207. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow a remote attacker to execute arbitrary code. (CVE-2015-7645, CVE-2015-7647, CVE-2015-7648)", "modified": "2018-07-14T00:00:00", "id": "MACOSX_FLASH_PLAYER_APSB15-27.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86424", "published": "2015-10-19T00:00:00", "title": "Adobe Flash Player for Mac <= 19.0.0.207 Vulnerability (APSB15-27)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86424);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2015-7645\",\n \"CVE-2015-7647\",\n \"CVE-2015-7648\"\n );\n\n script_name(english:\"Adobe Flash Player for Mac <= 19.0.0.207 Vulnerability (APSB15-27)\");\n script_summary(english:\"Checks the version of Flash Player.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Mac OS X\nhost is equal or prior to version 19.0.0.207. It is, therefore,\naffected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow a remote\n attacker to execute arbitrary code. (CVE-2015-7645,\n CVE-2015-7647, CVE-2015-7648)\");\n\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-27.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 19.0.0.226 or later.\n\nAlternatively, Adobe has made version 18.0.0.255 available for those\ninstallations that cannot be upgraded to the latest version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_flash_player_installed.nasl\");\n script_require_keys(\"MacOSX/Flash_Player/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"MacOSX/Flash_Player/Version\");\npath = get_kb_item_or_exit(\"MacOSX/Flash_Player/Path\");\n\nif (version =~ \"^19\\.\")\n{\n cutoff_version = \"19.0.0.207\";\n fix = \"19.0.0.226\";\n}\nelse\n{\n cutoff_version = \"18.0.0.252\";\n fix = \"18.0.0.255\";\n}\n# we're checking for versions less than or equal to the cutoff!\nif (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Flash Player for Mac\", version, path);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:13", "bulletinFamily": "scanner", "description": "flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-7645: Critical vulnerability affecting 11.2.202.535 used in Pawn Storm (APSA15-05) (bsc#950474).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-29T00:00:00", "id": "SUSE_SU-2015-1770-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86441", "published": "2015-10-19T00:00:00", "title": "SUSE SLED12 Security Update : flash-player (SUSE-SU-2015:1770-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:1770-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86441);\n script_version(\"2.11\");\n script_cvs_date(\"Date: 2018/11/29 12:03:38\");\n\n script_cve_id(\"CVE-2015-7645\");\n\n script_name(english:\"SUSE SLED12 Security Update : flash-player (SUSE-SU-2015:1770-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-7645: Critical vulnerability affecting\n 11.2.202.535 used in Pawn Storm (APSA15-05)\n (bsc#950474).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=950474\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7645/\"\n );\n # https://www.suse.com/support/update/announcement/2015/suse-su-20151770-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dec140f2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12 :\n\nzypper in -t patch SUSE-SLE-WE-12-2015-707=1\n\nSUSE Linux Enterprise Desktop 12 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-2015-707=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED12\" && (! ereg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"flash-player-11.2.202.540-108.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"flash-player-gnome-11.2.202.540-108.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:13", "bulletinFamily": "scanner", "description": "flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-7645: Critical vulnerability affecting 11.2.202.535 used in Pawn Storm (APSA15-05) (bsc#950474).", "modified": "2015-11-17T00:00:00", "id": "OPENSUSE-2015-665.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86436", "published": "2015-10-19T00:00:00", "title": "openSUSE Security Update : flash-player (openSUSE-2015-665)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-665.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86436);\n script_version(\"$Revision: 2.5 $\");\n script_cvs_date(\"$Date: 2015/11/17 18:50:40 $\");\n\n script_cve_id(\"CVE-2015-7645\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-2015-665)\");\n script_summary(english:\"Check for the openSUSE-2015-665 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-7645: Critical vulnerability affecting\n 11.2.202.535 used in Pawn Storm (APSA15-05)\n (bsc#950474).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=950474\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-player packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-kde4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1|SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1 / 13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-11.2.202.540-141.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-gnome-11.2.202.540-141.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-kde4-11.2.202.540-141.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-11.2.202.540-2.76.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-gnome-11.2.202.540-2.76.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-kde4-11.2.202.540-2.76.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player / flash-player-gnome / flash-player-kde4\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:13", "bulletinFamily": "scanner", "description": "flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-7645: Critical vulnerability affecting 11.2.202.535 used in Pawn Storm (APSA15-05) (bsc#950474).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-29T00:00:00", "id": "SUSE_SU-2015-1771-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86442", "published": "2015-10-19T00:00:00", "title": "SUSE SLED11 Security Update : flash-player (SUSE-SU-2015:1771-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:1771-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86442);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2018/11/29 12:03:38\");\n\n script_cve_id(\"CVE-2015-7645\");\n\n script_name(english:\"SUSE SLED11 Security Update : flash-player (SUSE-SU-2015:1771-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-7645: Critical vulnerability affecting\n 11.2.202.535 used in Pawn Storm (APSA15-05)\n (bsc#950474).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=950474\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7645/\"\n );\n # https://www.suse.com/support/update/announcement/2015/suse-su-20151771-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4941a351\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Desktop 11-SP4 :\n\nzypper in -t patch sledsp4-flash-player-12139=1\n\nSUSE Linux Enterprise Desktop 11-SP3 :\n\nzypper in -t patch sledsp3-flash-player-12139=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player-kde4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"i386|i486|i586|i686|x86_64\") audit(AUDIT_ARCH_NOT, \"i386 / i486 / i586 / i686 / x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED11\" && (! ereg(pattern:\"^(3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED11 SP3/4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"flash-player-11.2.202.540-0.23.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"flash-player-gnome-11.2.202.540-0.23.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"flash-player-kde4-11.2.202.540-0.23.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"flash-player-11.2.202.540-0.23.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"flash-player-gnome-11.2.202.540-0.23.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"flash-player-kde4-11.2.202.540-0.23.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"flash-player-11.2.202.540-0.23.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"flash-player-gnome-11.2.202.540-0.23.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"flash-player-kde4-11.2.202.540-0.23.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"flash-player-11.2.202.540-0.23.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"flash-player-gnome-11.2.202.540-0.23.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"flash-player-kde4-11.2.202.540-0.23.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:48", "bulletinFamily": "unix", "description": "Several critical type confusion vulnerabilities (CVE-2015-7645,\nCVE-2015-7647, CVE-2015-7648) have been identified in Adobe Flash Player\n11.2.202.535 and earlier 11.x versions for Linux. Successful\nexploitation could cause a crash and potentially allow an attacker to\ntake control of the affected system.\n\nAdobe is aware of a report that an exploit for the CVE-2015-7645\nvulnerability is being used in limited, targeted attacks.", "modified": "2015-10-18T00:00:00", "published": "2015-10-18T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-October/000414.html", "id": "ASA-201510-12", "title": "flashplugin: arbitrary code execution", "type": "archlinux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:56:09", "bulletinFamily": "info", "description": "Adobe has decided to patch the zero day vulnerability that was disclosed in Flash Player earlier this week today \u2014 instead of next week as [originally scheduled](<https://threatpost.com/emergency-adobe-flash-update-coming-next-week/115050/>).\n\nAccording to a security bulletin Adobe [posted this morning](<https://threatpost.com/emergency-adobe-flash-update-coming-next-week/115050/>) the update actually fixes three vulnerabilities in the software, but the most pressing one is the zero day, CVE-2015-7645, the company said is being used in limited, targeted attacks.\n\nThe flaw, a type confusion vulnerability, has been tied to attacks carried out by a Russian-speaking APT group operating under the guise of Pawn Storm, or APT 28. Type confusion vulnerabilities occur when code doesn\u2019t verify the type of object that\u2019s passed to it, and uses it without type-checking.\n\nResearchers with Trend Micro, who discovered the zero day, said this week that exploits leveraging CVE-2015-7645 were being circulated via spear phishing emails targeting foreign affairs ministries. The attack vector is right in Pawn Storm\u2019s wheelhouse. In the past the group has been spotted targeting NATO, Eastern European government agencies, and other critical industries.\n\nThe patch also addresses two other type confusion vulnerabilities, CVE-2015-7647 and CVE-2015-7648, both discovered by Natalie Silvanovich, a researcher with Google\u2019s Project Zero.\n\nAll of the bugs could lead to code execution and potentially allow an attacker to take control of the affected system.\n\nThe latest version, 19.0.0.226 for both Windows and Macintosh, trumps what was thought to be week\u2019s only update, 19.0.0.207, [pushed out just three days ago](<https://threatpost.com/adobe-patches-69-vulnerabilities-in-reader-acrobat-flash/115005/>), alongside patched versions of Acrobat and Reader, as part of Patch Tuesday.\n", "modified": "2015-10-16T17:08:45", "published": "2015-10-16T12:12:28", "id": "THREATPOST:CDE0513442F2DD84DD6387FC918BA3B7", "href": "https://threatpost.com/emergency-adobe-flash-zero-day-patch-arrives-ahead-of-schedule/115073/", "type": "threatpost", "title": "Emergency Adobe Flash Zero Day Patch Arrives Ahead of Schedule", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:09", "bulletinFamily": "info", "description": "The [latest version of Adobe Flash Player](<https://threatpost.com/adobe-patches-69-vulnerabilities-in-reader-acrobat-flash/115005/>), which was made available on Tuesday, will have a short shelf life.\n\nAdobe will release an [emergency Flash update](<https://helpx.adobe.com/security/products/flash-player/apsa15-05.html>) next week after public attacks were carried out against a zero day vulnerability in the latest version of the software, 19.0.0.207, for Windows and Macintosh systems.\n\nAdobe said only that the Flash update will be available the week of Oct. 19; no specific date was set.\n\nThe attacks have been attributed to a Russian-speaking APT gang known as Pawn Storm, also known as APT 28 and Tsar Team, by researchers at Trend Micro. Past targets have included NATO, Eastern European government agencies, diplomatic interests, and critical industries including nuclear, telecommunications and the defense industrial base.\n\nPawn Storm\u2019s arsenal is not limited to Flash exploits. They\u2019ve also used Microsoft Office zero days, and a Java zero day, the first publicly exploited in Java since 2013. The Java flaw was patched in July by Oracle.\n\nAdobe did not share many details on the vulnerability, CVE-2015-7645, other than an exploit could cause a crash and allow an attacker to remotely control the compromised computer.\n\nIn addition to Windows and Mac versions, Adobe is expected next week to also patch Adobe Flash Player Extended Support Release version 18.0.0.252 and earlier 18.x versions, and Adobe Flash Player 11.2.202.535 and earlier 11.x versions for Linux.\n\nAccording to Trend researchers, the current exploits against the Flash zero day are being spread in spear phishing emails with relevant political or military themed subject lines. The emails contain links to websites hosting the zero day exploit.\n\nEarlier this year, [Pawn Storm dropped as many as six zero days](<https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/>) in targeted attacks carried out over a four-month period. Experts said this behavior is unusual given the value of zero days in commercial and underground markets. Researchers at iSight Partners told Threatpost that five of the six zero days used earlier this year were developed by the Pawn Storm gang, with the sixth a repurposed attack against Flash revealed in the breach against Hacking Team.\n\nAs recently as August, Pawn Storm surfaced again when it was discovered that a [phony domain purportedly belonging to the Electronic Frontier Foundation](<https://threatpost.com/latest-apt-28-campaign-incorporates-fake-eff-spearphishing-scam/114462/>) was registered and used in spear phishing attacks pushing the patched Java zero day.\n\nThe EFF said at the time that the path and filename used in the exploit are the same as those used in other attacks carried out by Pawn Storm, particularly Sednit. The Sednit payload, which was analyzed earlier this summer, downloads a .DLL file, which is executed and opens a backdoor to several attacker-controlled domains that exfiltrate data.\n", "modified": "2015-10-21T14:55:26", "published": "2015-10-15T11:29:43", "id": "THREATPOST:2014CF1D3A9B6656582E85B2174C7896", "href": "https://threatpost.com/emergency-adobe-flash-update-coming-next-week/115050/", "type": "threatpost", "title": "Emergency Adobe Flash Player Security Update", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:15", "bulletinFamily": "info", "description": "Despite [a marked decrease in activity](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>), exploit kits haven\u2019t completely disappeared just yet. The Neptune, or Terror Exploit Kit, is alive and well; during the last month, researchers have observed the kit as part of a campaign to abuse a legitimate popup ad service to drop cryptocurrency miners.\n\nResearchers with FireEye [said Tuesday](<https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html>) the kit has been redirecting victims with popups from fake hiking ads to exploit kit landing pages and in turn to HTML and Adobe Flash exploits. Researchers elected not to disclose the name of the popup ad service, but stressed that it\u2019s within Alexa\u2019s top 100.\n\nThe landing pages run a handful of exploits, including three targeting Internet Explorer (CVE-2016-0189, CVE-2015-2419, CVE-2014-6332) and two targeting Flash (CVE-2015-8651, CVE-2015-7645).\n\nAccording to FireEye researchers Zain Gardezi and Manish Sardiwal, the malvertising redirects are mimicking the domains of actual hiking sites, and in some instances sites that allow users to convert YouTube videos to MP3s. Once redirected, the ads, most which appear on high-traffic torrent and multimedia hosting sites, drop a Monero miner.\n\nMonero, an open source cryptocurrency that bills itself as \u201csecure, private, and untraceable\u201d has caught on with cybercriminals over the last several months.\n\nOne cryptocurrency miner [Adylkuzz](<https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/>) was spotted in April using the same NSA Eternal Blue exploit and DoublePulsar rootkit that spread WannaCry, to infect computers and mine Monero.\n\nAccording to FireEye, for the new Neptune EK campaign a uniform resource identifier (URI) belonging to the exploit kit domain has been dropping the payload as a plain executable. After a machine has been infected, attempts are made to log in to minergate[.]com, a cryptocurrency GUI miner and mining pool, with the attacker\u2019s email address.\n\nResearchers noticed this campaign on July 16 and were able to pin it on changes in the kit\u2019s URI patterns.\n\nSpreading resource intensive cryptocurrency miners helps attackers raise small amounts of money that can potentially be used to fund other future attacks.\n\n[Attackers in June](<https://threatpost.com/attackers-mining-cryptocurrency-using-exploits-for-samba-vulnerability/126191/>) used an exploit for a Samba vulnerability patched in May to spread payloads that spread Monero miners. Researchers with Kaspersky Lab who discovered the operation said that attackers hardcoded their wallet and pool address into the attack and managed to raise $6,000 USD via the campaign.\n\nThe vulnerabilities that Neptune uses are dated; in fact Microsoft fixed one of them in November 2014, CVE-2014-6332, which could have allowed remote code execution via Windows OLE vulnerabilities. Gardezi and Sardiwal warn that users running out-of-date or unpatched software could still be at risk, especially as drive-by download kits such as Neptune have taken a shine to using malvertisements to push malicious downloads of late.\n\nSimilar to Sundown, the Neptune/Terror exploit kit is one of several that popped up following Angler\u2019s disappearance in 2016. Researchers said [in May earlier this year](<https://threatpost.com/terror-exploit-kit-evolves-into-larger-threat/125816/>) that the kit had adopted new anti-detection features and slowly evolved into a threat.\n", "modified": "2017-08-22T21:51:58", "published": "2017-08-22T17:51:58", "id": "THREATPOST:3F20438316043C71AAD9C85191711EEE", "href": "https://threatpost.com/neptune-exploit-kit-dropping-cryptocurrency-miners-through-malvertisements/127591/", "type": "threatpost", "title": "Neptune Exploit Kit Dropping Cryptocurrency Miners Through Malvertisements", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:23", "bulletinFamily": "info", "description": "A nasty Adobe Flash zero-day vulnerability that was remediated in an [emergency update in October 2015](<https://threatpost.com/emergency-adobe-flash-zero-day-patch-arrives-ahead-of-schedule/115073/>) was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future.\n\nThe Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT group known as APT 28, which laced spear phishing emails with exploits targeting foreign affairs ministries worldwide. APT 28, also known as Sofacy, frequently targets NATO-allied political targets and in November was [singled out by Microsoft](<https://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/>) for using separate Flash and Windows zero days in targeted attacks this year.\n\nThe Flash bug was among the first to be used after Adobe implemented new mitigations into the software to combat memory-based attacks. Despite the improvements in Flash security, attackers still take a shine to these exploits.\n\nRecorded Future\u2019s report \u201c[New Kit, Same Player](<https://www.recordedfuture.com/top-vulnerabilities-2016/>)\u201d says that six of the top 10 vulnerabilities used in exploit kits were Flash Player bugs, followed by Internet Explorer, Windows and Silverlight exploits. None of this year\u2019s top 10 vulnerabilities were present in a similar analysis done last year.\n\nExploit kits, meanwhile, have been reduced in prominence since the disappearance of a number of popular kits, including Angler and Nuclear. Angler, in particular, was particularly popular with criminals; it was updated frequently and sold in a number of underground forums. The June arrest of a Russian cybercrime outfit behind the Lurk Trojan, however, spelled the end of days for Angler. Researchers at Kaspersky Lab [confirmed the connection](<https://securelist.com/analysis/publications/75944/the-hunt-for-lurk/>) between the [Lurk gang and Angler](<https://threatpost.com/inside-the-demise-of-the-angler-exploit-kit/120222/>) distribution in an August report.\n\nNonetheless, exploit kits remain a threat and a vehicle for attacks that include ransomware, click fraud and adware. Victims are compromised in a number of ways, including drive-by attacks, malvertising or links in emails, all of which direct the victim\u2019s browser to the exploit kit\u2019s landing page. Code on the page determines the browser being used and launches the exploit mostly likely to hit paydirt.\n\nCVE-2015-7645 was found in Angler, as well as in Neutrino, Magnitude, RIG, Nuclear Pack, Spartan and Hunter. It, by far, had the highest penetration into exploits kits, according to Recorded Future.\n\nBut since Angler\u2019s demise earlier this year, Sundown has risen to a measure of prominence with its maintainers updating the kit often with new exploits. Sundown\u2019s payload, however, differs in that it drops banking Trojans on users\u2019 machines. Recorded Future said this kit also relies on domain shadowing more than its counterparts in order to register subdomains that are used to host attacks.\n\nSundown also contained CVE-2016-0189, an [Internet Explorer bug](<https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/>) used in targeted attacks against South Korean organizations earlier this year. Microsoft patched it in July, but already it had been used by Neutrino as well. The IE bug, Recorded Future said, was the top flaw found in exploit kits, referenced more than 600 times. CVE-2016-1019 and CVE-2016-4117, two other Flash Player bugs, round out the top three. [CVE-2016-4117](<https://securelist.com/blog/research/75100/operation-daybreak/>) was used by the [ScarCruft APT group](<https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/>), Kaspersky Lab researchers said in June, in watering hole attacks.\n", "modified": "2016-12-07T14:36:02", "published": "2016-12-06T13:58:56", "id": "THREATPOST:190D2D4CC706E0CF894B62979A2DA309", "href": "https://threatpost.com/flash-exploit-found-in-seven-exploit-kits/122284/", "type": "threatpost", "title": "Flash Exploit Found in Seven Exploit Kits", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:17:47", "bulletinFamily": "info", "description": "[](<https://3.bp.blogspot.com/-fFxjMSmZPAQ/ViIOfP49sdI/AAAAAAAAk34/s6WMVcudSwA/s1600/adobe-flash-player-patch.png>)\n\nTwo days ago, _The Hacker News (THN)_ reported about the [Zero-day vulnerability](<https://thehackernews.com/2015/10/flash-player-exploit.html>) in the freshly patched _**Adobe Flash Player**_. The vulnerability was exploited in the wild by a well-known group of Russian hackers, named \"**Pawn Storm**,\" to target several foreign affairs ministries worldwide.\n\n \n\n\nThe zero-day flaw allowed hackers to have complete control of the users' machine, potentially putting all the Flash Player users at a potentially high risk.\n\n \n\n\nSince then, there was no patch available to make flawed utility safe.\n\n \n\n\nHowever, Adobe has now patched the zero-day vulnerability, along with some critical vulnerabilities whose details are yet to be disclosed. \n\n \n\n\nYesterday, the company published a post on their official security bulletin ([APSB15-27](<https://helpx.adobe.com/security/products/flash-player/apsb15-27.html>)) detailing the risks associated with the zero-day and how a user can get rid of them.\n\n \n\n\nThe critical vulnerabilities are assigned following CVE numbers:\n\n * _CVE-2015-7645_\n * _CVE-2015-7647_\n * _CVE-2015-7648_\n\nAlso, Adobe is known to the fact that the hackers had exploited the zero-day flaw (CVE-2015-7645) for conducting limited, targeted attacks. Therefore, it gets CVSS severity score of 9.3 (High), measured by [National Vulnerability Database](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7645>) (NVD).\n\n \n\n\n### Affected Versions and Software\n\n \n\n\nThe zero-day flaw was such that it affected:\n\n * Adobe Flash Player 18.x through 18.0.0.252 on Microsoft's Windows and Mac OS X.\n * Adobe Flash Player 19.x through 19.0.0.207 on Microsoft's Windows and Mac OS X.\n * Adobe Flash Player 11.x through 11.2.202.535 on Linux.\n\nFurther as an outcome, the zero-day allowed intruders to remotely execute some random code through a crafted SWF (**Small Web Format**) file, which is an Adobe Flash File format for efficient delivery of video and audio over the web.\n\n \n\n\nSimultaneously, with the patch Adobe also lists out several affected Adobe Flash products namely:\n\n 1. Adobe Flash Player Desktop Runtime\n 2. Adobe Flash Player Extended Support Release\n 3. Adobe Flash Player for Google Chrome\n 4. Adobe Flash Player for Google Chrome\n 5. Adobe Flash Player for Microsoft Edge and Internet Explorer 11\n 6. Adobe Flash Player for Internet Explorer 10 and 11\n 7. Adobe Flash Player for Linux\n\nAlso, Adobe and its PSIRT (_Product Security Incident Response Team_) thanked **Trend Micro** and **Google Project Zero **for detection and analysis of exploit and vulnerability research respectively. \n\n \n\n\nTo conclude, with all the serious cyber attacks targeting Adobe Flash Player in the past and present; Flash must go away!\n\n \n\n\nAs this time also, the foreign affairs ministries are falling prey to dangerous \"**Phishing attacks**,\" where the victims are getting emails with subjects containing current happenings and the message contains a link (URL) that redirects the victim to the exploit set up by an attacker.\n\n \n\n\n### Time to Say Good Bye to Flash\n\n \n\n\nIt is been 20 years that Adobe Flash is making the Web a slightly more interesting and interactive place. But\u2026\n\n \n\n\n...within three months this year (Since July- till date) Adobe Flash player has been a regular on the bulletin board with many Unknown vulnerabilities discovered and exploitable in it.\n\n \n\n\nMoreover, in return putting many users at risk.\n\n \n\n\nAt the beginning of this year, YouTube moved away from Flash for delivering videos. Moreover, Firefox also blocked the Flash plugin entirely.\n\n \n\n\nFacebook's Security Chief publicly called for Adobe to announce a '**kill-date for Flash**.' Google Chrome has also begun blocking auto-playing Flash ads by default.\n\n \n\n\nTherefore, if you want your information to stay only with you then say \"**Good Bye to Flash**.\"\n", "modified": "2015-10-17T09:06:10", "published": "2015-10-16T22:06:00", "id": "THN:99BDD62C6BCF9B3765B670679C0892A8", "href": "https://thehackernews.com/2015/10/flash-patch-update.html", "type": "thn", "title": "Emergency Patch released for Latest Flash Zero-Day Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:06:44", "bulletinFamily": "info", "description": "[](<https://2.bp.blogspot.com/-teJKybQr1do/ViShYRZUVUI/AAAAAAAAk40/O1Gi32kPpAM/s1600/hacking-news-weekly-updates.png>)\n\nWe are back with **THN Weekly RoundUp** to spread lights on last week's top cyber security threats and challenges, just in case you missed any of them (ICYMI).\n\n \n\n\nLast week, we came to know about many security threats including how [Google records and stores our Voice](<https://thehackernews.com/2015/10/ok-google-voice-record.html>) searches, How hackers can use Radio-waves to [control our Smartphones](<https://thehackernews.com/2015/10/radio-wave-phone-hack.html>) from 16 feet away and How did the [NSA break Trillions of Encrypted](<https://thehackernews.com/2015/10/nsa-crack-encryption.html>) connections.\n\n \n\n\nAlso, some of last week's news included [USB Killer v2.0](<https://thehackernews.com/2015/10/usb-killer.html>) and a real-life [Thor-like Hammer](<https://thehackernews.com/2015/10/electromagnetic-thor-hammer.html>).\n\n \n\n\nI recommend you to read the entire news (just click '**Read More**' because there's some valuable advice in there as well).\n\n \n\n\nHere's the list:\n\n \n\n\n### 1\\. Google OnHub Router Runs on Chrome OS; Here's How to Root it\n\n \n\n\nGoogle [OnHub Router runs Chrome](<https://thehackernews.com/2015/10/root-google-onhub-chromeos.html>) operating system, the same Linux-based OS that powers Google Chromebook laptops and desktops.\n\n \n\n\n[Google OnHub](<https://thehackernews.com/2015/08/google-onhub-wifi-router.html>) is a modern wireless router designed by Google and TP-Link. It operates networks on both the 2.4GHz &amp; 5GHz frequency bands simultaneously and offers the speed of up to 1900 Mbps.\n\n \n\n\nUnlike other traditional Broadband Routers, OnHub is designed to support \"The Internet of Things\" and other Smart devices, including Smartphones, Smart TVs, and Computers.\n\n \n\n\nTo know how to Root Google OnHub Router, [Read More](<https://thehackernews.com/2015/10/root-google-onhub-chromeos.html>)\u2026 \n\n \n\n\n### 2\\. USB Killer v2.0 \u2014 USB Device that Can Easily Burn Your PC\n\n \n\n\nAfter developing [Killer USB](<https://thehackernews.com/2015/03/killer-usb-explode-computer.html>) back in March, a Russian security researcher, nicknamed Dark Purple, has launched a new version of the computer frying USB Killer pen drive \u2013 USB Killer version 2.0.\n\n \n\n\n[USB Killer 2.0](<https://thehackernews.com/2015/10/usb-killer.html>) is much stronger than Killer USB and is capable to \"kill\" more than just a computer it is plugged in.\n\n \n\n\nTo know how USB Killer 2.0 can kill your PC, [Read More](<https://thehackernews.com/2015/10/usb-killer.html>)\u2026 \n\n \n\n\n### 3\\. Google Records and Stores Your Voice \u2014 But Thankfully You can Delete it\n\n[](<https://3.bp.blogspot.com/-S2KJ8OwTur4/ViSmtYqekII/AAAAAAAAk5E/crlt4AQi52I/s1600/google.png>)\n\nYes, Google isn't just listening to you, but the search engine is also recording and [storing every single voice](<https://thehackernews.com/2015/10/ok-google-voice-record.html>) search you make using its voice-activated assistant Google's Voice Search and search feature Google Now.\n\n \n\n\nYou can listen to your own voice recording by visiting \"[Voice &amp; Audio Activity](<https://history.google.com/history/audio?hl=en&ent=r&utm_source=udc>)\" page in the Google Dashboard.\n\n \n\n\nTo know more about how is Google recording your voice searches and how you can delete them, [Read More](<https://thehackernews.com/2015/10/ok-google-voice-record.html>)\u2026 \n\n \n\n\n### 4\\. Engineer Built A Thor-Like Hammer that Only He Can Pick Up\n\n \n\n\nInspired by Thor's legendary hammer **Mjolnir**, an electrical engineer has devised a [real-life Mjolnir ](<https://thehackernews.com/2015/10/electromagnetic-thor-hammer.html>)that is not liftable by anyone except him. \n\n \n\n\nWith only a little bit of programming, **Allen Pan **created a giant hammer that only he can lift, as long as the hammer is on a metal surface.\n\n \n\n\nTo watch the video and know how Pan made it work, [Read More](<https://thehackernews.com/2015/10/electromagnetic-thor-hammer.html>)\u2026 \n\n \n\n\n### 5\\. Hackers Can Use Radio-waves to Control Your Smartphone From 16 Feet Away\n\n \n\n\nResearchers from French government agency ANSSI have discovered a [new hack](<https://thehackernews.com/2015/10/radio-wave-phone-hack.html>) that could allow hackers to make calls, send texts, browser a malware site, and do many more activities using\u2026\n\n \n\n\n\u2026your iOS or Android devices' personal assistant **Siri** or **Google Now** \u2014 without even speaking a single word.\n\n \n\n\nThis mind-blowing hack utilizes a radio transmitter to remotely and silently transmit radio commands to iOS or Android smartphone from as far as 16 feet away only if it has a pair of headphones plugged into its jack.\n\n \n\n\nTo watch the video demonstration and know how hackers can make it possible, [Read More](<https://thehackernews.com/2015/10/radio-wave-phone-hack.html>)\u2026 \n\n \n\n\n### 6\\. Windows 10 Upgrade Become More Aggressive, No Option to Opt-Out\n\n[](<https://4.bp.blogspot.com/-cflCOW3HT2M/ViDHKRZgDiI/AAAAAAAAk24/p8qO-m8C4pQ/s1600/windows-10-upgrade-free.png>)\n\nLast week, Microsoft was caught forcing its users running Windows 7 and Windows 8/8.1 to install Windows 10 on their PCs, giving them no option to cancel or opt-out of upgrading.\n\n \n\n\nSome Windows 7 and Windows 8.1 users claimed last week that [Windows 10 began to automatically install](<https://thehackernews.com/2015/10/windows-10-upgrade.html>) itself on their PCs and\u2026\n\n \n\n\n\u2026users were presented a message displaying that the \"**Upgrade to Windows 10 is Ready**,\" which prompted them to \"**Restart your PC to begin the installation**.\"\n\n \n\n\nFor in-depth information about the issue, [Read More](<https://thehackernews.com/2015/10/windows-10-upgrade.html>)\u2026 \n\n \n\n\n### 7\\. World's First Anti-Drone Weapon to Shoot Down UAVs with Radio Waves\n\n \n\n\nThe US company Battelle has developed a shoulder-mounted rifle, dubbed [DroneDefender](<https://thehackernews.com/2015/10/drone-defender-gun.html>), which is specially designed to knock drones out of the sky at a range of 400 meters, without purposefully damaging them.\n\n \n\n\n**DroneDefender** uses radio waves to neutralize in-flight Drones and force them to either land or hover in its position or return to its point of origin.\n\n \n\n\nTo watch the video that shows how the weapon causes the drone to land and to know how DroneDefender works, [Read More](<https://thehackernews.com/2015/10/drone-defender-gun.html>)\u2026 \n\n \n\n\n### 8\\. How NSA successfully Broke Trillions of Encrypted Connections\n\n \n\n\nEveryone is aware of the United States National Security Agency (NSA) powers to [break almost all types of encryption](<https://thehackernews.com/2015/10/nsa-crack-encryption.html>) used on the Internet and intercept nearly Trillions of Internet connections\u2026 \n\n \n\n\n\u2026exactly how did the agency apparently intercept VPN connections, and decrypt SSH and HTTPS has been a mystery until the researchers spread lights on the most plausible theory.\n\n \n\n\nAccording to researchers, the NSA has exploited the weakness in the standard implementations of the Diffie-Hellman algorithm \u2013 a common means of exchanging cryptographic keys over untrusted channels \u2013 to decrypt a vast number of HTTPS, SSH, and VPN connections.\n\n \n\n\nFor in-depth information, [Read More](<https://thehackernews.com/2015/10/nsa-crack-encryption.html>)\u2026 \n\n \n\n\n### 9\\. ISIS Hacker Arrested in Malaysia\n\n[](<https://1.bp.blogspot.com/-7Snuabta_4g/ViH7YUGJgOI/AAAAAAAAk3o/TS0-6PY2DVs/s1600/ISIS-Hacker-Terrorists-Arrested.png>)\n\nKosovo citizen [Ardit Ferizi has been arrested](<https://thehackernews.com/2015/10/isis-hacker.html>) for allegedly hacking into the United States web hosting company's servers, stealing personal data of more than 1,300 US government and military employees, and then passing that data to an ISIS member.\n\n \n\n\nFerizi allegedly handed the hacked information over to Junaid Hussain (or Abu Hussain Al-Britani), an ISIS hacker who was [killed in a United States drone strike](<https://thehackernews.com/2015/08/british-isis-hacker-killed-in-us.html>) in August.\n\n \n\n\nFor detail information, [Read More](<https://thehackernews.com/2015/10/isis-hacker.html>)\u2026 \n\n \n\n\n### 10\\. Adobe Releases Emergency Patch for Recent Flash Zero-Day Flaw\n\n[](<https://3.bp.blogspot.com/-79CHJj4VjJk/ViSnA3bjFTI/AAAAAAAAk5M/DTPi6MiaF5o/s1600/adobe-flash-player.png>)\n\nThe [Zero-day vulnerability](<https://thehackernews.com/2015/10/flash-player-exploit.html>) in the freshly patched **Adobe Flash Player** \u2013 which was exploited in the wild by \"**Pawn Storm**\" hacking group to target several foreign affairs ministries worldwide \u2013 has now been patched by the company.\n\n \n\n\nThe zero-day flaw ([CVE-2015-7645](<https://thehackernews.com/2015/10/flash-player-exploit.html>)) allowed hackers to remotely execute random code on the affected system via a crafted SWF (Small Web Format) file, an Adobe Flash File format for efficient delivery of video and audio over the web.\n\n \n\n\nFor in-depth information, [Read More](<https://thehackernews.com/2015/10/flash-patch-update.html>)\u2026\n", "modified": "2015-10-19T11:52:28", "published": "2015-10-18T21:18:00", "id": "THN:D54E86215DEA786A1CA3FE1849BB230B", "href": "https://thehackernews.com/2015/10/latest-hacking-news.html", "type": "thn", "title": "THN Weekly Roundup \u2014 Top 10 Hacking News Stories You Shouldn\u2019t Miss", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2018-03-13T20:24:11", "bulletinFamily": "software", "description": "### Description\n\nAdobe Flash Player is prone to an unspecified remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected applications. Failed exploit attempts will likely cause a denial-of-service condition. The following versions are affected: Adobe Flash Player 19.0.0.207 and prior. Adobe Flash Player 11.2.202.535 and prior 11.x versions. Adobe Flash Player 18.0.0.252 and prior 18.x versions. Note: This issue was previously titled 'Adobe Flash Player CVE-2015-7645 Unspecified Remote Code Execution Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected.\n\n### Technologies Affected\n\n * Adobe Flash Player 10 \n * Adobe Flash Player 10.0.0.584 \n * Adobe Flash Player 10.0.12 .35 \n * Adobe Flash Player 10.0.12 .36 \n * Adobe Flash Player 10.0.12.10 \n * Adobe Flash Player 10.0.15 .3 \n * Adobe Flash Player 10.0.2.54 \n * Adobe Flash Player 10.0.22.87 \n * Adobe Flash Player 10.0.32 18 \n * Adobe Flash Player 10.0.32.18 \n * Adobe Flash Player 10.0.42.34 \n * Adobe Flash Player 10.0.45 2 \n * Adobe Flash Player 10.1 \n * Adobe Flash Player 10.1.102.64 \n * Adobe Flash Player 10.1.102.65 \n * Adobe Flash Player 10.1.105.6 \n * Adobe Flash Player 10.1.106.16 \n * Adobe Flash Player 10.1.106.17 \n * Adobe Flash Player 10.1.51.66 \n * Adobe Flash Player 10.1.52.14 \n * Adobe Flash Player 10.1.52.14.1 \n * Adobe Flash Player 10.1.52.15 \n * Adobe Flash Player 10.1.53.64 \n * Adobe Flash Player 10.1.82.76 \n * Adobe Flash Player 10.1.85.3 \n * Adobe Flash Player 10.1.92.10 \n * Adobe Flash Player 10.1.92.8 \n * Adobe Flash Player 10.1.95.1 \n * Adobe Flash Player 10.1.95.2 \n * Adobe Flash Player 10.2.152 \n * Adobe Flash Player 10.2.152.21 \n * Adobe Flash Player 10.2.152.26 \n * Adobe Flash Player 10.2.152.32 \n * Adobe Flash Player 10.2.152.33 \n * Adobe Flash Player 10.2.153.1 \n * Adobe Flash Player 10.2.154.13 \n * Adobe Flash Player 10.2.154.18 \n * Adobe Flash Player 10.2.154.24 \n * Adobe Flash Player 10.2.154.25 \n * Adobe Flash Player 10.2.154.27 \n * Adobe Flash Player 10.2.154.28 \n * Adobe Flash Player 10.2.156.12 \n * Adobe Flash Player 10.2.157.51 \n * Adobe Flash Player 10.2.159.1 \n * Adobe Flash Player 10.3.181.14 \n * Adobe Flash Player 10.3.181.16 \n * Adobe Flash Player 10.3.181.22 \n * Adobe Flash Player 10.3.181.23 \n * Adobe Flash Player 10.3.181.26 \n * Adobe Flash Player 10.3.181.34 \n * Adobe Flash Player 10.3.183.10 \n * Adobe Flash Player 10.3.183.11 \n * Adobe Flash Player 10.3.183.15 \n * Adobe Flash Player 10.3.183.16 \n * Adobe Flash Player 10.3.183.18 \n * Adobe Flash Player 10.3.183.19 \n * Adobe Flash Player 10.3.183.20 \n * Adobe Flash Player 10.3.183.23 \n * Adobe Flash Player 10.3.183.25 \n * Adobe Flash Player 10.3.183.29 \n * Adobe Flash Player 10.3.183.4 \n * Adobe Flash Player 10.3.183.43 \n * Adobe Flash Player 10.3.183.48 \n * Adobe Flash Player 10.3.183.5 \n * Adobe Flash Player 10.3.183.50 \n * Adobe Flash Player 10.3.183.51 \n * Adobe Flash Player 10.3.183.61 \n * Adobe Flash Player 10.3.183.63 \n * Adobe Flash Player 10.3.183.67 \n * Adobe Flash Player 10.3.183.68 \n * Adobe Flash Player 10.3.183.7 \n * Adobe Flash Player 10.3.183.75 \n * Adobe Flash Player 10.3.183.86 \n * Adobe Flash Player 10.3.185.21 \n * Adobe Flash Player 10.3.185.22 \n * Adobe Flash Player 10.3.185.23 \n * Adobe Flash Player 10.3.185.24 \n * Adobe Flash Player 10.3.185.25 \n * Adobe Flash Player 10.3.186.2 \n * Adobe Flash Player 10.3.186.3 \n * Adobe Flash Player 10.3.186.6 \n * Adobe Flash Player 10.3.186.7 \n * Adobe Flash Player 11 \n * Adobe Flash Player 11.0 \n * Adobe Flash Player 11.0.1.129 \n * Adobe Flash Player 11.0.1.152 \n * Adobe Flash Player 11.0.1.153 \n * Adobe Flash Player 11.0.1.60 \n * Adobe Flash Player 11.0.1.98 \n * Adobe Flash Player 11.1 \n * Adobe Flash Player 11.1.102.228 \n * Adobe Flash Player 11.1.102.55 \n * Adobe Flash Player 11.1.102.59 \n * Adobe Flash Player 11.1.102.62 \n * Adobe Flash Player 11.1.102.63 \n * Adobe Flash Player 11.1.111.10 \n * Adobe Flash Player 11.1.111.44 \n * Adobe Flash Player 11.1.111.5 \n * Adobe Flash Player 11.1.111.50 \n * Adobe Flash Player 11.1.111.54 \n * Adobe Flash Player 11.1.111.6 \n * Adobe Flash Player 11.1.111.64 \n * Adobe Flash Player 11.1.111.7 \n * Adobe Flash Player 11.1.111.73 \n * Adobe Flash Player 11.1.111.8 \n * Adobe Flash Player 11.1.111.9 \n * Adobe Flash Player 11.1.112.61 \n * Adobe Flash Player 11.1.115.11 \n * Adobe Flash Player 11.1.115.34 \n * Adobe Flash Player 11.1.115.48 \n * Adobe Flash Player 11.1.115.54 \n * Adobe Flash Player 11.1.115.58 \n * Adobe Flash Player 11.1.115.59 \n * Adobe Flash Player 11.1.115.6 \n * Adobe Flash Player 11.1.115.63 \n * Adobe Flash Player 11.1.115.69 \n * Adobe Flash Player 11.1.115.7 \n * Adobe Flash Player 11.1.115.8 \n * Adobe Flash Player 11.1.115.81 \n * Adobe Flash Player 11.2.202 238 \n * Adobe Flash Player 11.2.202.160 \n * Adobe Flash Player 11.2.202.197 \n * Adobe Flash Player 11.2.202.221 \n * Adobe Flash Player 11.2.202.223 \n * Adobe Flash Player 11.2.202.228 \n * Adobe Flash Player 11.2.202.229 \n * Adobe Flash Player 11.2.202.233 \n * Adobe Flash Player 11.2.202.235 \n * Adobe Flash Player 11.2.202.236 \n * Adobe Flash Player 11.2.202.238 \n * Adobe Flash Player 11.2.202.243 \n * Adobe Flash Player 11.2.202.251 \n * Adobe Flash Player 11.2.202.258 \n * Adobe Flash Player 11.2.202.261 \n * Adobe Flash Player 11.2.202.262 \n * Adobe Flash Player 11.2.202.270 \n * Adobe Flash Player 11.2.202.273 \n * Adobe Flash Player 11.2.202.275 \n * Adobe Flash Player 11.2.202.280 \n * Adobe Flash Player 11.2.202.285 \n * Adobe Flash Player 11.2.202.291 \n * Adobe Flash Player 11.2.202.297 \n * Adobe Flash Player 11.2.202.310 \n * Adobe Flash Player 11.2.202.327 \n * Adobe Flash Player 11.2.202.332 \n * Adobe Flash Player 11.2.202.335 \n * Adobe Flash Player 11.2.202.336 \n * Adobe Flash Player 11.2.202.341 \n * Adobe Flash Player 11.2.202.346 \n * Adobe Flash Player 11.2.202.350 \n * Adobe Flash Player 11.2.202.356 \n * Adobe Flash Player 11.2.202.359 \n * Adobe Flash Player 11.2.202.378 \n * Adobe Flash Player 11.2.202.394 \n * Adobe Flash Player 11.2.202.400 \n * Adobe Flash Player 11.2.202.406 \n * Adobe Flash Player 11.2.202.411 \n * Adobe Flash Player 11.2.202.418 \n * Adobe Flash Player 11.2.202.424 \n * Adobe Flash Player 11.2.202.425 \n * Adobe Flash Player 11.2.202.429 \n * Adobe Flash Player 11.2.202.438 \n * Adobe Flash Player 11.2.202.440 \n * Adobe Flash Player 11.2.202.442 \n * Adobe Flash Player 11.2.202.451 \n * Adobe Flash Player 11.2.202.457 \n * Adobe Flash Player 11.2.202.460 \n * Adobe Flash Player 11.2.202.466 \n * Adobe Flash Player 11.2.202.468 \n * Adobe Flash Player 11.2.202.481 \n * Adobe Flash Player 11.2.202.491 \n * Adobe Flash Player 11.2.202.508 \n * Adobe Flash Player 11.2.202.521 \n * Adobe Flash Player 11.2.202.535 \n * Adobe Flash Player 11.2.202.95 \n * Adobe Flash Player 11.3.300.214 \n * Adobe Flash Player 11.3.300.231 \n * Adobe Flash Player 11.3.300.250 \n * Adobe Flash Player 11.3.300.257 \n * Adobe Flash Player 11.3.300.262 \n * Adobe Flash Player 11.3.300.265 \n * Adobe Flash Player 11.3.300.268 \n * Adobe Flash Player 11.3.300.270 \n * Adobe Flash Player 11.3.300.271 \n * Adobe Flash Player 11.3.300.273 \n * Adobe Flash Player 11.3.31.230 \n * Adobe Flash Player 11.3.378.5 \n * Adobe Flash Player 11.4.400.231 \n * Adobe Flash Player 11.4.402.265 \n * Adobe Flash Player 11.4.402.278 \n * Adobe Flash Player 11.4.402.287 \n * Adobe Flash Player 11.5.500.80 \n * Adobe Flash Player 11.5.502.110 \n * Adobe Flash Player 11.5.502.118 \n * Adobe Flash Player 11.5.502.124 \n * Adobe Flash Player 11.5.502.131 \n * Adobe Flash Player 11.5.502.135 \n * Adobe Flash Player 11.5.502.136 \n * Adobe Flash Player 11.5.502.146 \n * Adobe Flash Player 11.5.502.149 \n * Adobe Flash Player 11.6.602.105 \n * Adobe Flash Player 11.6.602.167 \n * Adobe Flash Player 11.6.602.168 \n * Adobe Flash Player 11.6.602.171 \n * Adobe Flash Player 11.6.602.180 \n * Adobe Flash Player 11.7.700.169 \n * Adobe Flash Player 11.7.700.202 \n * Adobe Flash Player 11.7.700.203 \n * Adobe Flash Player 11.7.700.224 \n * Adobe Flash Player 11.7.700.225 \n * Adobe Flash Player 11.7.700.232 \n * Adobe Flash Player 11.7.700.242 \n * Adobe Flash Player 11.7.700.252 \n * Adobe Flash Player 11.7.700.257 \n * Adobe Flash Player 11.7.700.260 \n * Adobe Flash Player 11.7.700.261 \n * Adobe Flash Player 11.7.700.269 \n * Adobe Flash Player 11.7.700.272 \n * Adobe Flash Player 11.7.700.275 \n * Adobe Flash Player 11.7.700.279 \n * Adobe Flash Player 11.8.800.168 \n * Adobe Flash Player 11.8.800.170 \n * Adobe Flash Player 11.8.800.94 \n * Adobe Flash Player 11.8.800.97 \n * Adobe Flash Player 11.9.900.117 \n * Adobe Flash Player 11.9.900.152 \n * Adobe Flash Player 11.9.900.170 \n * Adobe Flash Player 12 \n * Adobe Flash Player 12.0.0.38 \n * Adobe Flash Player 12.0.0.41 \n * Adobe Flash Player 12.0.0.43 \n * Adobe Flash Player 12.0.0.44 \n * Adobe Flash Player 12.0.0.70 \n * Adobe Flash Player 12.0.0.77 \n * Adobe Flash Player 13.0.0.182 \n * Adobe Flash Player 13.0.0.201 \n * Adobe Flash Player 13.0.0.206 \n * Adobe Flash Player 13.0.0.214 \n * Adobe Flash Player 13.0.0.223 \n * Adobe Flash Player 13.0.0.231 \n * Adobe Flash Player 13.0.0.241 \n * Adobe Flash Player 13.0.0.244 \n * Adobe Flash Player 13.0.0.250 \n * Adobe Flash Player 13.0.0.252 \n * Adobe Flash Player 13.0.0.258 \n * Adobe Flash Player 13.0.0.259 \n * Adobe Flash Player 13.0.0.260 \n * Adobe Flash Player 13.0.0.262 \n * Adobe Flash Player 13.0.0.264 \n * Adobe Flash Player 13.0.0.269 \n * Adobe Flash Player 13.0.0.277 \n * Adobe Flash Player 13.0.0.281 \n * Adobe Flash Player 13.0.0.289 \n * Adobe Flash Player 13.0.0.292 \n * Adobe Flash Player 13.0.0.296 \n * Adobe Flash Player 13.0.0.302 \n * Adobe Flash Player 13.0.0.309 \n * Adobe Flash Player 14.0.0.125 \n * Adobe Flash Player 14.0.0.145 \n * Adobe Flash Player 14.0.0.176 \n * Adobe Flash Player 14.0.0.177 \n * Adobe Flash Player 14.0.0.179 \n * Adobe Flash Player 15.0.0.152 \n * Adobe Flash Player 15.0.0.189 \n * Adobe Flash Player 15.0.0.223 \n * Adobe Flash Player 15.0.0.239 \n * Adobe Flash Player 15.0.0.242 \n * Adobe Flash Player 15.0.0.246 \n * Adobe Flash Player 16.0.0.234 \n * Adobe Flash Player 16.0.0.235 \n * Adobe Flash Player 16.0.0.257 \n * Adobe Flash Player 16.0.0.287 \n * Adobe Flash Player 16.0.0.291 \n * Adobe Flash Player 16.0.0.296 \n * Adobe Flash Player 16.0.0.305 \n * Adobe Flash Player 17.0.0.134 \n * Adobe Flash Player 17.0.0.169 \n * Adobe Flash Player 17.0.0.188 \n * Adobe Flash Player 18.0.0.143 \n * Adobe Flash Player 18.0.0.160 \n * Adobe Flash Player 18.0.0.161 \n * Adobe Flash Player 18.0.0.194 \n * Adobe Flash Player 18.0.0.203 \n * Adobe Flash Player 18.0.0.204 \n * Adobe Flash Player 18.0.0.209 \n * Adobe Flash Player 18.0.0.232 \n * Adobe Flash Player 18.0.0.233 \n * Adobe Flash Player 18.0.0.241 \n * Adobe Flash Player 18.0.0.252 \n * Adobe Flash Player 19.0.0.185 \n * Adobe Flash Player 19.0.0.207 \n * Adobe Flash Player 2 \n * Adobe Flash Player 3 \n * Adobe Flash Player 4 \n * Adobe Flash Player 6.0.21.0 \n * Adobe Flash Player 6.0.79 \n * Adobe Flash Player 7 \n * Adobe Flash Player 7.0.1 \n * Adobe Flash Player 7.0.19.0 \n * Adobe Flash Player 7.0.24.0 \n * Adobe Flash Player 7.0.25 \n * Adobe Flash Player 7.0.53.0 \n * Adobe Flash Player 7.0.60.0 \n * Adobe Flash Player 7.0.61.0 \n * Adobe Flash Player 7.0.63 \n * Adobe Flash Player 7.0.66.0 \n * Adobe Flash Player 7.0.67.0 \n * Adobe Flash Player 7.0.68.0 \n * Adobe Flash Player 7.0.69.0 \n * Adobe Flash Player 7.0.70.0 \n * Adobe Flash Player 7.0.73.0 \n * Adobe Flash Player 7.1 \n * Adobe Flash Player 7.1.1 \n * Adobe Flash Player 7.2 \n * Adobe Flash Player 8 \n * Adobe Flash Player 8.0.22.0 \n * Adobe Flash Player 8.0.24.0 \n * Adobe Flash Player 8.0.33.0 \n * Adobe Flash Player 8.0.34.0 \n * Adobe Flash Player 8.0.35.0 \n * Adobe Flash Player 8.0.39.0 \n * Adobe Flash Player 8.0.42.0 \n * Adobe Flash Player 9 \n * Adobe Flash Player 9.0.112.0 \n * Adobe Flash Player 9.0.114.0 \n * Adobe Flash Player 9.0.115.0 \n * Adobe Flash Player 9.0.124.0 \n * Adobe Flash Player 9.0.125.0 \n * Adobe Flash Player 9.0.151 .0 \n * Adobe Flash Player 9.0.152 .0 \n * Adobe Flash Player 9.0.155.0 \n * Adobe Flash Player 9.0.159.0 \n * Adobe Flash Player 9.0.16 \n * Adobe Flash Player 9.0.18D60 \n * Adobe Flash Player 9.0.20 \n * Adobe Flash Player 9.0.20.0 \n * Adobe Flash Player 9.0.246 0 \n * Adobe Flash Player 9.0.246.0 \n * Adobe Flash Player 9.0.260.0 \n * Adobe Flash Player 9.0.262 \n * Adobe Flash Player 9.0.262.0 \n * Adobe Flash Player 9.0.277.0 \n * Adobe Flash Player 9.0.28.0 \n * Adobe Flash Player 9.0.280 \n * Adobe Flash Player 9.0.283.0 \n * Adobe Flash Player 9.0.289.0 \n * Adobe Flash Player 9.0.31.0 \n * Adobe Flash Player 9.0.45.0 \n * Adobe Flash Player 9.0.47.0 \n * Adobe Flash Player 9.0.48.0 \n * Adobe Flash Player 9.0.8.0 \n * Adobe Flash Player 9.0.9.0 \n * Adobe Flash Player 9.125.0 \n * Gentoo Linux \n * Microsoft Edge \n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * SuSE openSUSE Evergreen 11.4 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the webserver may log such requests, review its logs regularly.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue allows malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\nCurrently, we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: http://.\n", "modified": "2015-10-13T00:00:00", "published": "2015-10-13T00:00:00", "id": "SMNTC-77081", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/77081", "type": "symantec", "title": "Adobe Flash Player CVE-2015-7645 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-04T09:13:41", "bulletinFamily": "exploit", "description": "Adobe Flash Type Confusion in Serialization with ObjectEncoder.dynamicPropertyWriter. CVE-2015-7648. Dos exploits for multiple platform", "modified": "2015-12-14T00:00:00", "published": "2015-12-14T00:00:00", "id": "EDB-ID:38970", "href": "https://www.exploit-db.com/exploits/38970/", "type": "exploitdb", "title": "Adobe Flash Type Confusion in Serialization with ObjectEncoder.dynamicPropertyWriter", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=545\r\n\r\nThere is a type confusion issue during serialization if ObjectEncoder.dynamicPropertyWriter is overridden with a value that is not a function.\r\n\r\nIn the following ActionScript:\r\n\r\n\t\tflash.net.ObjectEncoding.dynamicPropertyWriter = new subdpw();\r\n\t\tvar b = new ByteArray();\r\n\t\tvar a = {};\r\n\t\ta.test = 1;\r\n\t\tb.writeObject(a);\r\n\r\nThe object 'a' with a dynamic property 'test' is serialized using a custom dynamicPropertyWriter of class subpwd. However this class overrides writeDynamicProperties with a property that is not a function leading to type confusion (note that this is not possible in the compiler, the bytecode needs to be modified manually).\r\n\r\nTo reproduce the issue, load objectencoding.swf. PoC code is also attached. To use this code, compile the swf, and decompress it (for example, using flasm -x), and then search for the string \"triteDocumentProperties\" in the SWF and change it to \"writeDocumentProperties\".\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38970.zip\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/38970/"}, {"lastseen": "2016-02-04T09:13:32", "bulletinFamily": "exploit", "description": "Adobe Flash Type Confusion in IExternalizable.readExternal When Performing Local Serialization. CVE-2015-7647. Dos exploits for multiple platform", "modified": "2015-12-14T00:00:00", "published": "2015-12-14T00:00:00", "id": "EDB-ID:38969", "href": "https://www.exploit-db.com/exploits/38969/", "type": "exploitdb", "title": "Adobe Flash Type Confusion in IExternalizable.readExternal When Performing Local Serialization", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=548\r\n\r\nIf IExternalizable.readExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.\r\n\r\nA sample swf is attached. ActionScript code is also attached, but it does not compile to the needed to swf. To get the PoC, decompress the swf using flasm -x myswf, and then search for \"teadExternal\" and change it to \"readExternal\".\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38969.zip\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/38969/"}, {"lastseen": "2016-02-04T08:12:37", "bulletinFamily": "exploit", "description": "Adobe Flash IExternalizable.writeExternal - Type Confusion. CVE-2015-7645. Dos exploits for multiple platform", "modified": "2015-10-19T00:00:00", "published": "2015-10-19T00:00:00", "id": "EDB-ID:38490", "href": "https://www.exploit-db.com/exploits/38490/", "type": "exploitdb", "title": "Adobe Flash IExternalizable.writeExternal - Type Confusion", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=547\r\n\r\nIf IExternalizable.writeExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.\r\n\r\nA sample swf is attached. ActionScript code is also attached, but it does not compile to the needed to swf. To get the PoC, decompress the swf using flasm -x myswf, and then search for \"triteExternal\" and change it to \"writeExternal\".\r\n\r\nThis bug is in the AVM serializer (http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/AvmSerializer.cpp), and is type confusion when calling the method writeExternal, which is implemented when a class extends IExternalizable (http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/IExternalizable.html). The method is resolved on line 1437 of AvmSerializer.cpp by calling toplevel->getBinding, which does not guarantee that the binding is a method binding. It then gets cast to a method on line 773 and called, which is type confusion.\r\n\r\nOne challenge with the bug is actually creating a SWF which can hit this code, as usually overriding a defined method will lead to an illegal override exception. The 0-day author did this differently than I did. The code where all class properties (methods, internal classes, variables, etc.) are resolved is in http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/Traits.cpp. You can see on line 813 that a check that no two properties of a class have the same name is commented out due to some legitimate SWFs doing that. This means that a SWF can have a variable with the same name as a method (overriding a method with less restrictive method is still illegal), which is how my PoC overrode the method. The 0-day did something slightly different, it put the redefinition of writeExternal in a different public namespace than the original definition of writeExternal. This has the benefit that the ActionScript will compile and hit the bug without modification. \r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38490.zip\r\n\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/38490/"}], "suse": [{"lastseen": "2016-09-04T12:46:24", "bulletinFamily": "unix", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-7645: Critical vulnerability affecting 11.2.202.535 used in\n Pawn Storm (APSA15-05) (bsc#950474).\n\n", "modified": "2015-10-16T17:10:26", "published": "2015-10-16T17:10:26", "id": "SUSE-SU-2015:1770-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00016.html", "type": "suse", "title": "Security update for flash-player (critical)", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:18:32", "bulletinFamily": "unix", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-7645: Critical vulnerability affecting 11.2.202.535 used in\n Pawn Storm (APSA15-05) (bsc#950474).\n\n", "modified": "2015-10-16T16:10:56", "published": "2015-10-16T16:10:56", "id": "OPENSUSE-SU-2015:1768-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00015.html", "type": "suse", "title": "Security update for flash-player (critical)", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:36:09", "bulletinFamily": "unix", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-7645: Critical vulnerability affecting 11.2.202.535 used in\n Pawn Storm (APSA15-05) (bsc#950474).\n\n", "modified": "2015-10-16T17:10:45", "published": "2015-10-16T17:10:45", "id": "SUSE-SU-2015:1771-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00017.html", "title": "Security update for flash-player (critical)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:37:53", "bulletinFamily": "unix", "description": "This security issue was fixed:\n - CVE-2015-7645: Critical vulnerability affecting 11.2.202.535 used in\n Pawn Storm (APSA15-05) (bsc#950474).\n\n", "modified": "2015-10-19T19:09:31", "published": "2015-10-19T19:09:31", "id": "OPENSUSE-SU-2015:1781-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00018.html", "title": "Security update for flash-player (critical)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2016-12-09T17:47:57", "bulletinFamily": "info", "description": "By RecordedFuture a new study suggests that, due to its vulnerability, Flash Player will continue to the global computer at risk, cybercriminals are still looking for the Adobe solutions among the security flaws to the invasion of the computer. This year the exploit kit used by the top 10 vulnerabilities in a total of 6 vulnerabilities from Adobe Flash Player, one of the security vulnerabilities is more than 7 exploit Kit the use. \nInternet Explorer, Windows and Silverlight are also the exploitability of the vulnerability of the target, in the Microsoft browser, find the security vulnerability CVE-2016-0189 is a network for criminals to exploit most of the vulnerabilities. Microsoft IE browser is Magnitude, the Neutrino, the RIG and the Sundown and other exploit kits as an attack target, and the Angler, the Magnitude, the Neutrino, the RIG, the Nuclear Pack and Spartan and other exploit kits are using the Flash Player vulnerability to attack. \nAdobe number for CVE-2015-7645 vulnerability is particularly affected by attack kit developers attention, because it affects not only Windows, but also affecting Mac and Linux systems. It can be used to control an affected system. In addition, this is the Adobe After the introduction of new security mechanisms found after the first zero-day vulnerabilities, and therefore, very quickly by hackers. \nRecordedFuture shows, these software solutions in the presence of all vulnerabilities must as soon as possible by updating the repair, and suggested that if the user does not affect the key business processes, please delete the Affected Software. As for Internet Explorer users, the company said, it is best to consider the Chrome browser, because Google's Project Zero scheme has been concerned in the Chrome which patched the Flash Player vulnerability, but at the same time, Microsoft also promised by Windows 10, The New Edge browser provides extra security. \n! [](/Article/UploadPic/2016-12/120161209025704.jpg)\n", "modified": "2016-12-09T00:00:00", "published": "2016-12-09T00:00:00", "id": "MYHACK58:62201681902", "href": "http://www.myhack58.com/Article/html/3/62/2016/81902.htm", "type": "myhack58", "title": "Security researchers found that attack kits favorite Flash Player security vulnerabilities-vulnerability warning-the black bar safety net", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-13T15:28:22", "bulletinFamily": "info", "description": "This article is for me at Bluehat Shanghai 2019 presentation of an extended summary. In this article, I will summarize the 2010 to 2018 years of Office-related 0day/1day vulnerability. I will be for each type of vulnerability do once carded, and for each vulnerability related to the analysis of the articles referenced and categorized. \nHope this article can help to follow-up engaged in office vulnerability research. \n\nOverview \nFrom 2010 to 2018, the office of the 0day/1day attack has never been suspended before. Some of the following CVE number, is my in the course of the study specifically observed, there have been actual attacks sample 0day/1day vulnerability(perhaps there are some omissions, the reader can Supplement the). \nWe first look at the specific CVE number. \nYear \nNumber \n2010 \nCVE-2010-3333 \n2011 \nCVE-2011-0609/CVE-2011-0611 \n2012 \nCVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 \n2013 \nCVE-2013-0634/CVE-2013-3906 \n2014 \nCVE-2014-1761/CVE-2014-4114/CVE-2014-6352 \n2015 \nCVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 \n2016 \nCVE-2016-4117/CVE-2016-7193/CVE-2016-7855 \n2017 \nCVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 \n2018 \nCVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 \nOur first press Assembly of the type above-described vulnerability classification. Note that, the Flash itself also belongs to the ActiveX control-a, the following table of classification I be independently classified as a class. \nComponent type \nNumber \nRTF control word parsing problem \nCVE-2010-3333/CVE-2014-1761/CVE-2016-7193 \nThe Open XML tag parsing problem \nCVE-2015-1641/CVE-2017-11826 \nActiveX control to resolve the problem \nCVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOffice embedded Flash vulnerabilities \nCVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 \nOffice TIFF image parsing vulnerability \nCVE-2013-3906 \nOffice EPS file parsing vulnerability \nCVE-2015-2545/CVE-2017-0261/CVE-2017-0262 \nBy means of the Moniker the loading vulnerability \nCVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 \nOther Office logic vulnerability \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097 \nWe then based on the vulnerability type of the above-mentioned non-Flash vulnerabilities classification. Flash vulnerabilities related to the summary you can refer to other researcher's articles \nVulnerability type \nNumber \nStack Overflow(Stack Overflow) \nCVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nStack bounds write(Out-of-bound Write) \nCVE-2014-1761/CVE-2016-7193 \nType confusion(Type Confusion) \nCVE-2015-1641/CVE-2017-11826/CVE-2017-0262 \nAfter the release of reuse(Use After Free) \nCVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 \nInteger overflow(Integer Overflow) \nCVE-2013-3906 \nLogic vulnerabilities(Logical vulnerability) \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 \nNext We according to the above second table Flash vulnerability, except to one by one look at these vulnerabilities. \n\nRTF control word parsing problem \nCVE-2010-3333 \nThe vulnerability is the Cohen laboratory head of the wushi found. This is a stack overflow vulnerability. \nOn the vulnerability analysis of the article to see snow on a lot, the following are a few articles. \nCVE-2010-3333 vulnerability analysis(in depth analysis) \nMS10-087 from vulnerability to patch to the POC \nThe vulnerability of the war of Chapter 2, Section 4 of this vulnerability also have to compare the system description, the interested reader can read The Associated chapters. \nCVE-2014-1761 \nThe vulnerability is Google found a 0day in. This is a heap memory bounds write vulnerability. \nLi Hai fly was on the vulnerability done a very wonderful analysis. \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nSee snow forum is also related to the vulnerability of the two high-quality analysis articles. \nCVE-2014-1761 analysis notes \nms14-017(cve-2014-1761)learn the notes inside there is mentioned how to configure the correct environment \nThe security agent is also related to the vulnerability of a high-quality analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08the third period\uff09 \nIn addition, South Korea's AhnLab also made a post about this vulnerability report. \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nDebugging this vulnerability requires attention is the vulnerability of some of the samples to trigger the environment is relatively harsh, the article inside mentions how to construct a relevant experimental environment. \nCVE-2016-7193 \nThe vulnerability is the Austrian Military Cyber Emergency Readiness Team Austria military Cyber Emergency Readiness Team reported to Microsoft a 0day is. \nIt is also a heap memory bounds write vulnerability. \nBaidu Security Labs has worked on the vulnerability done a more complete analysis. \nAPT attack weapon-the Word vulnerability, CVE-2016-7193 principles of the secret \nI also worked on the vulnerability of the use of writing to share through an article analysis. \nCombined with a field sample to construct a cve-2016-7193 bomb calculator use \n\nThe Open XML tag parsing problem \nCVE-2015-1641 \nGoogle 0day summary table will be listed for 2015 0day one. \nThis is a type confusion vulnerability. \nAbout the vulnerability, the fly tower has written an article analysis article. \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAli safe is also about the vulnerability wrote a wonderful analysis. \nword type confusion vulnerability CVE-2015-1641 analysis \nThe security agent also has the vulnerability of a wonderful analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08fourth period\uff09 \nKnow Chong Yu the 404 lab also wrote an article on the vulnerability the wonderful analysis. \nCVE-2015-1641 Word using the sample analysis \nI've also written relates to the vulnerability of the principles of an article to share. \nThe Open XML tag parsing class vulnerability analysis ideas \nIn debugging this relates to the heap spray in the office sample, the need to pay special attention to the debugger intervention tends to affect the process heap layout, particularly some of the heap option settings. If when debugging the sample behavior can not be a normal trigger, often directly with the debugger launch the sample result, this time you can try double-click the sample after Hang, the debug controller. \n\n\n**[1] [[2]](<94516_2.htm>) [[3]](<94516_3.htm>) [[4]](<94516_4.htm>) [next](<94516_2.htm>)**\n", "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2017-09-12T20:44:52", "bulletinFamily": "info", "description": "Exploit kit (EK) activity has been on the decline ever since [Angler Exploit Kit was shut down](<https://securityintelligence.com/news/say-goodbye-to-the-angler-exploit-kit/>) in 2016. [Fewer people using Internet Explorer](<https://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/124461/>) and a [drop in browser support for Adobe Flash](<https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/>) \u2013 two primary targets of many exploit kits \u2013 have also contributed to this decline. Additionally, some popular redirect campaigns using [PseudoDarkleech and EITest Gate to Rig Exploit Kit](<http://www.darkreading.com/attacks-breaches/rig-exploit-kit-takedown-sheds-light-on-domain-shadowing/d/d-id/1329085>) were shut down in first half of this year.\n\nDespite all this, [malvertising campaigns involving exploits kits](<https://www.fireeye.com/blog/threat-research/2017/03/still_getting_served.html>) remain active. The Neptune Exploit Kit (or Terror EK), which initially started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisements:\n\n * networkmarketingpro3[.]us\n * networkmarketingpro2[.]us\n * onlinesalesproaffiliate1[.]us\n * onlinesalesproaffiliate2[.]us\n * onlinesalesproaffiliate3[.]us\n * onlinesalesproaffiliate4[.]us\n * onlinesalesproaffiliate5[.]us\n * onlinesalesproaffiliate6[.]us\n\nPayloads spread by Neptune Exploit Kit have since diversified. Recently, we have seen changes in Neptune EK\u2019s URI patterns, landing pages, malvertisement campaigns and login account details associated with the cryptocurrency mining payloads. \n\n#### Propagation\n\nSince July 16, our Dynamic Threat Intelligence (DTI) has observed changes in URI patterns for Neptune Exploit Kit. At the time of writing, the new campaign abuses a legitimate popup ad service (within Alexa\u2019s top 100) with redirects to ads about hiking clubs, as shown in Figure 1.\n\n \nFigure 1: Fake ad for a hiking club leading to Neptune EK\n\nRedirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages. Fake domains involved in these redirects imitate real domains. For example, highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com. Other hiking fake ads use similarly spoofed legitimate site names with .club domains. Figure 2 shows a redirect from a fake site\u2019s pop-up.\n\n \nFigure 2: Silent redirect to EK landing page\n\nFireEye Dynamic Threat Intelligence (DTI) stats show the regions being affected by this campaign (Figure 3). \n\n \nFigure 3: Regions affected by the malvertisement campaign, as observed from customer data\n\nA few instances of the redirect involve flvto[.]download (mimicking the legitimate www.flvto[.]biz) instead of hiking club fake ads. Figure 4 and Figure 5 show the legitimate domain and fake domain, respectively, for comparison\u2019s sake.\n\n \nFigure 4: Real page, flvto[.]biz (Alexa rank 2,674)\n\n \nFigure 5: Fake page, flvto[.]download\n\nMost of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites.\n\nSites are hosted on IP **95.85.62.226**. Reverse lookup for this IP shows:\n\n * 2watchmygf[.]stream\n * flvto[.]download\n * highspirittreks[.]club\n * treknepal[.]club\n\nOther hosted IPs and domains of the same campaign are in the Indicators of Compromise section at the end of the post. All IPs point to locations in Amsterdam.\n\nSince July 16, related EK infrastructure has been hosted on domains protected by Whois Guard. However, in recent activity, domains are linked to the Registrant email: \u2018gabendollar399@gmx[.]com\u2019. \n\nThe following domains are currently associated with this email:\n\n**Domain Name**\n\n| \n\n**Create Date**\n\n| \n\n**Registrar** \n \n---|---|--- \n \n[itsmebecauseyoua[.]pw](<https://whois.domaintools.com/itsmebecauseyoua.pw>)\n\n| \n\n2017-03-05\n\n| \n\n\\-- \n \n[loansforevery[.]us](<https://whois.domaintools.com/loansforevery.us>)\n\n| \n\n2017-04-14\n\n| \n\n1 HOST RUSSIA, INC \n \n[managetheworld[.]us](<https://whois.domaintools.com/managetheworld.us>)\n\n| \n\n2017-04-14\n\n| \n\n1 HOST RUSSIA, INC \n \n[nudecams[.]us](<https://whois.domaintools.com/nudecams.us>)\n\n| \n\n2017-04-14\n\n| \n\n1 HOST RUSSIA, INC \n \n#### Exploits/Landing Page\n\nThe landing page for the Neptune Exploit Kit redirects to further HTML and Adobe Flash exploit links after it checks the Flash versions installed on the victim\u2019s machine (see Figure 6).\n\n \nFigure 6: Landing page of Neptune EK\n\nThis EK exploits multiple vulnerabilities in one run. Most of these exploits are well-known and commonly seen in other exploit kits.\n\nCurrently, Neptune EK uses three Internet Explorer exploits and two Flash exploits:\n\n * [CVE-2016-0189](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>) \u2013 Internet Explorer\n * [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>) \u2013 Internet Explorer\n * [CVE-2014-6332](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) \u2013 Internet Explorer\n * [CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>) \u2013 Adobe Flash Player\n * [CVE-2015-7645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7645>) \u2013 Adobe Flash Player\n\n#### Payload (Monero miner)\n\nThe payload is dropped as a plain executable from one of the URI\u2019s belonging to the EK domain (same as the landing page). Figure 7 shows a typical response header for these cases.\n\n \nFigure 7: Response header for Monero miner payload\n\nPost infection traffic shows an attempt to connect to minergate[.]com (Figure 8) and a login attempt using the cpu-miner service via the login email monsterkill20@mail[.]com (Figure 9). Login attempts are invoked via the command line:\n\n\n\n \nFigure 8: DNS query to minergate[.]com\n\n \nFigure 9: Login attempt\n\n#### Conclusion\n\nDespite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting of the user.\n\nFireEye NX [detects exploit kit infection attempts](<https://www.fireeye.com/products/nx-network-security-products.html>) before the malware payload is downloaded to the user\u2019s machine. Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.\n\n#### Indicators of Compromise\n\n##### Malvertisement domains:\n\n * hxxp://treknepal[.]club/\n * hxxp://highspirittrecks[.]club\n * hxxp://advnepaltrekking[.]club\n * hxxp://nepalyogatrek[.]club\n * hxxp://flvto[.]download\n\n##### Malvertisement IPs:\n\n * 95.85.62.226\n * 185.82.202.36\n\n##### EK domains (current active) registrant:\n\nDomain Name: MANAGETHEWORLD.US \nDomain ID: D59392852-US \nSponsoring Registrar: NAMECHEAP, INC. \nSponsoring Registrar IANA ID: 1068 \nRegistrar URL (registration services): http://www.namecheap[.]com \nDomain Status: clientTransferProhibited \nRegistrant ID: NLGUS4BVD3M2DN2Y \nRegistrant Name: kreb son \nRegistrant Address1: Maker 541 \nRegistrant City: Navada \nRegistrant State/Province: SA \nRegistrant Postal Code: 546451 \nRegistrant Country: Bulgaria \nRegistrant Country Code: BG \nRegistrant Phone Number: +44.45623417852 \nRegistrant Email: gabendollar399@gmx[.]com \nRegistrant Application Purpose: P1 \nRegistrant Nexus Category: C11 \nAdministrative Contact ID: VNM50NNJ5Y0VNLDY \nAdministrative Contact Name: kreb son \nAdministrative Contact Address1: Maker 541 \nAdministrative Contact City: Navada \nAdministrative Contact State/Province: SA \nAdministrative Contact Postal Code: 546451 \nAdministrative Contact Country: Bulgaria \nAdministrative Contact Country Code: BG \nAdministrative Contact Phone Number: +44.45623417852 \nAdministrative Contact Email: gabendollar399@gmx[.]com\n\n##### Sample EK URI Pattern:\n\nforum_jVpbUAr/showthread.php?id=xxxxxxx\n\n##### Sample MD5s:\n\nb678ac0b870b78060a2a9f599000302d \n5a18c92e148bbd7f10077f8e7431326e\n\n#### Acknowledgement\n\nWe would like to thanks Hassan Faizan for his contributions to this discovery.\n", "modified": "2017-08-22T10:00:00", "published": "2017-08-22T10:00:00", "id": "FIREEYE:0CAA37548C7EBA899FA1174794304489", "href": "https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html", "title": "Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit", "type": "fireeye", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:18:22", "bulletinFamily": "info", "description": "Exploit kit (EK) activity has been on the decline ever since [Angler Exploit Kit was shut down](<https://securityintelligence.com/news/say-goodbye-to-the-angler-exploit-kit/>) in 2016. [Fewer people using Internet Explorer](<https://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/124461/>) and a [drop in browser support for Adobe Flash](<https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/>) \u2013 two primary targets of many exploit kits \u2013 have also contributed to this decline. Additionally, some popular redirect campaigns using [PseudoDarkleech and EITest Gate to Rig Exploit Kit](<http://www.darkreading.com/attacks-breaches/rig-exploit-kit-takedown-sheds-light-on-domain-shadowing/d/d-id/1329085>) were shut down in first half of this year.\n\nDespite all this, [malvertising campaigns involving exploits kits](<https://www.fireeye.com/blog/threat-research/2017/03/still_getting_served.html>) remain active. The Neptune Exploit Kit (or Terror EK), which initially started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisements:\n\n * networkmarketingpro3[.]us\n * networkmarketingpro2[.]us\n * onlinesalesproaffiliate1[.]us\n * onlinesalesproaffiliate2[.]us\n * onlinesalesproaffiliate3[.]us\n * onlinesalesproaffiliate4[.]us\n * onlinesalesproaffiliate5[.]us\n * onlinesalesproaffiliate6[.]us\n\nPayloads spread by Neptune Exploit Kit have since diversified. Recently, we have seen changes in Neptune EK\u2019s URI patterns, landing pages, malvertisement campaigns and login account details associated with the cryptocurrency mining payloads. \n\n#### Propagation\n\nSince July 16, our Dynamic Threat Intelligence (DTI) has observed changes in URI patterns for Neptune Exploit Kit. At the time of writing, the new campaign abuses a legitimate popup ad service (within Alexa\u2019s top 100) with redirects to ads about hiking clubs, as shown in Figure 1.\n\n \nFigure 1: Fake ad for a hiking club leading to Neptune EK\n\nRedirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages. Fake domains involved in these redirects imitate real domains. For example, highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com. Other hiking fake ads use similarly spoofed legitimate site names with .club domains. Figure 2 shows a redirect from a fake site\u2019s pop-up.\n\n \nFigure 2: Silent redirect to EK landing page\n\nFireEye Dynamic Threat Intelligence (DTI) stats show the regions being affected by this campaign (Figure 3). \n\n \nFigure 3: Regions affected by the malvertisement campaign, as observed from customer data\n\nA few instances of the redirect involve flvto[.]download (mimicking the legitimate www.flvto[.]biz) instead of hiking club fake ads. Figure 4 and Figure 5 show the legitimate domain and fake domain, respectively, for comparison\u2019s sake.\n\n \nFigure 4: Real page, flvto[.]biz (Alexa rank 2,674)\n\n \nFigure 5: Fake page, flvto[.]download\n\nMost of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites.\n\nSites are hosted on IP **95.85.62.226**. Reverse lookup for this IP shows:\n\n * 2watchmygf[.]stream\n * flvto[.]download\n * highspirittreks[.]club\n * treknepal[.]club\n\nOther hosted IPs and domains of the same campaign are in the Indicators of Compromise section at the end of the post. All IPs point to locations in Amsterdam.\n\nSince July 16, related EK infrastructure has been hosted on domains protected by Whois Guard. However, in recent activity, domains are linked to the Registrant email: \u2018gabendollar399@gmx[.]com\u2019. \n\nThe following domains are currently associated with this email:\n\n**Domain Name**\n\n| \n\n**Create Date**\n\n| \n\n**Registrar** \n \n---|---|--- \n \n[itsmebecauseyoua[.]pw](<https://whois.domaintools.com/itsmebecauseyoua.pw>)\n\n| \n\n2017-03-05\n\n| \n\n\\-- \n \n[loansforevery[.]us](<https://whois.domaintools.com/loansforevery.us>)\n\n| \n\n2017-04-14\n\n| \n\n1 HOST RUSSIA, INC \n \n[managetheworld[.]us](<https://whois.domaintools.com/managetheworld.us>)\n\n| \n\n2017-04-14\n\n| \n\n1 HOST RUSSIA, INC \n \n[nudecams[.]us](<https://whois.domaintools.com/nudecams.us>)\n\n| \n\n2017-04-14\n\n| \n\n1 HOST RUSSIA, INC \n \n#### Exploits/Landing Page\n\nThe landing page for the Neptune Exploit Kit redirects to further HTML and Adobe Flash exploit links after it checks the Flash versions installed on the victim\u2019s machine (see Figure 6).\n\n \nFigure 6: Landing page of Neptune EK\n\nThis EK exploits multiple vulnerabilities in one run. Most of these exploits are well-known and commonly seen in other exploit kits.\n\nCurrently, Neptune EK uses three Internet Explorer exploits and two Flash exploits:\n\n * [CVE-2016-0189](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>) \u2013 Internet Explorer\n * [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>) \u2013 Internet Explorer\n * [CVE-2014-6332](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) \u2013 Internet Explorer\n * [CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>) \u2013 Adobe Flash Player\n * [CVE-2015-7645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7645>) \u2013 Adobe Flash Player\n\n#### Payload (Monero miner)\n\nThe payload is dropped as a plain executable from one of the URI\u2019s belonging to the EK domain (same as the landing page). Figure 7 shows a typical response header for these cases.\n\n \nFigure 7: Response header for Monero miner payload\n\nPost infection traffic shows an attempt to connect to minergate[.]com (Figure 8) and a login attempt using the cpu-miner service via the login email monsterkill20@mail[.]com (Figure 9). Login attempts are invoked via the command line:\n\n\n\n \nFigure 8: DNS query to minergate[.]com\n\n \nFigure 9: Login attempt\n\n#### Conclusion\n\nDespite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting of the user.\n\nFireEye NX [detects exploit kit infection attempts](<https://www.fireeye.com/products/nx-network-security-products.html>) before the malware payload is downloaded to the user\u2019s machine. Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.\n\n#### Indicators of Compromise\n\n##### Malvertisement domains:\n\n * hxxp://treknepal[.]club/\n * hxxp://highspirittrecks[.]club\n * hxxp://advnepaltrekking[.]club\n * hxxp://nepalyogatrek[.]club\n * hxxp://flvto[.]download\n\n##### Malvertisement IPs:\n\n * 95.85.62.226\n * 185.82.202.36\n\n##### EK domains (current active) registrant:\n\nDomain Name: MANAGETHEWORLD.US \nDomain ID: D59392852-US \nSponsoring Registrar: NAMECHEAP, INC. \nSponsoring Registrar IANA ID: 1068 \nRegistrar URL (registration services): http://www.namecheap[.]com \nDomain Status: clientTransferProhibited \nRegistrant ID: NLGUS4BVD3M2DN2Y \nRegistrant Name: kreb son \nRegistrant Address1: Maker 541 \nRegistrant City: Navada \nRegistrant State/Province: SA \nRegistrant Postal Code: 546451 \nRegistrant Country: Bulgaria \nRegistrant Country Code: BG \nRegistrant Phone Number: +44.45623417852 \nRegistrant Email: gabendollar399@gmx[.]com \nRegistrant Application Purpose: P1 \nRegistrant Nexus Category: C11 \nAdministrative Contact ID: VNM50NNJ5Y0VNLDY \nAdministrative Contact Name: kreb son \nAdministrative Contact Address1: Maker 541 \nAdministrative Contact City: Navada \nAdministrative Contact State/Province: SA \nAdministrative Contact Postal Code: 546451 \nAdministrative Contact Country: Bulgaria \nAdministrative Contact Country Code: BG \nAdministrative Contact Phone Number: +44.45623417852 \nAdministrative Contact Email: gabendollar399@gmx[.]com\n\n##### Sample EK URI Pattern:\n\nforum_jVpbUAr/showthread.php?id=xxxxxxx\n\n##### Sample MD5s:\n\nb678ac0b870b78060a2a9f599000302d \n5a18c92e148bbd7f10077f8e7431326e\n\n#### Acknowledgement\n\nWe would like to thanks Hassan Faizan for his contributions to this discovery.\n", "modified": "2017-08-22T10:00:00", "published": "2017-08-22T10:00:00", "id": "FIREEYE:D549372E644DEECBB7AEE8031D35DA4D", "href": "https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html", "title": "Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit", "type": "fireeye", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "description": "##### **INTRODUCTION**\n\nFireEye Labs recently spotted a 2011 article on cybercrime from the news site theguardian[.]com that redirects users to the Angler Exploit Kit. Successful exploitation by Angler resulted in a malware infection for readers of the article. A spokesperson for the guardian[.]com responded that they \"are aware of FireEye's claims and are working to rectify the issue in question as soon as possible.\"\n\nFireEye Labs first detected the activity on Dec. 1, 2015. Ironically, the affected article was titled \u201cCybercrime: is it out of control?\u201d and covered various aspects of cybercrime. As it turns out, visiting the page shown in Figure 1 and Figure 2 silently redirected browsers to an Angler Exploit Kit landing page.\n\n\n\nFigure 1. Article URL\n\n\n\nFigure 2. Image from main page, highlighting cybercrime issues\n\nThe article loaded several other pages and links, including links for syndication shown in Figure 3 and Figure 4.\n\n\n\nFigure 3. Sharing and syndication links\n\n\n\nFigure 4. Syndication page URL\n\nWhen the syndication link is loaded in the background, readers are eventually redirected to Angler\u2019s landing page via injected HTML that crafts the request to the Angler landing page.\n\nVisible in the HTML response is the script that would craft the URL to the Angler landing page. (Figure 5)\n\n\n\nFigure 5. Injected script that loads the Angler landing page\n\nOnce loaded, the page would execute the embedded script and redirect the reader to the Angler landing page located at the URL in Figure 6:\n\n\n\nFigure 6. Angler landing page URL\n\nThis redirect resulted in a new GET request (Figure 7) that loaded the landing page (Figure 8) and set up the exploitation stage.\n\n\n\n\n\nFigure 7. Angler GET request, syndication link URL visible in Referrer field\n\n##### **EXPLOITS**\n\nOld exploits never die\u2026\n\nThe use of an OLE Automation vulnerability exploited through VBScript, along with evidence of potential Flash exploitation, can be observed in this particular attack.\n\nAngler unconditionally attempted to exploit a popular vulnerability: CVE-2014-6332. This is a memory corruption vulnerability in Windows Object Linking and Embedding (OLE) Automation, which can be triggered through VBScript with Internet Explorer as seen below.\n\nThe vulnerable code resided in OLEAUT32!SafeArrayRedim, where the original size of an array was not properly restored when an \u201cOut of memory\u201d error occured while resizing an array. This issue allowed for out-of-bounds memory access. In this attack the exploit was based on a publicly available PoC, and techniques from that PoC were used to attempt arbitrary code execution. Figure 8 shows Angler\u2019s obfuscated version of the CVE-2014-6332 vulnerability trigger.\n\n \n\n\nFigure 8. Angler landing page contents\n\nAngler also unconditionally embedded a Flash object in the page at runtime. The FlashVars included crypto constants for D-H (g, u), and a URL to the payload (exec). Angler\u2019s server then decided whether to serve a Flash exploit, presumably based on information in the request like x-flash-version. \n \nThe de-obfuscated object tag used to embed Flash movie files can be seen below in Figure 9:\n\n\n\nFigure 9. Angler CVE-2014-6332 triggering function\n\nIt was common practice for Angler to decide which, if any, Flash exploit to deliver to the target at runtime. Most recently, we observed Angler delivering a number of high profile exploits. These included, but were not limited to, CVE-2015-5122, CVE-2015-5560, and CVE-2015-7645.\n\nTypically, prior to conducting any exploitation on the system, Angler Exploit Kit attempted to detect whether Anti-Virus products or analysis tools are present. If Angler determined that such an object is present, it changed its behavior. For example, if Angler detected one such product, it invalidated its D-H parameters and the attack silently failed (Figure 10).\n\n\n\nFigure 10. Tag for Flash object from JavaScript\n\nAnother change bound to the presence of AV/analysis objects determines whether or not the malicious VBScript exploit is loaded. If detected, a non-malicious VBScript will be used instead. Or, it would if they remembered to unescape the string (Figure 11):\n\n\n\nFigure 11. Return appropriate result based on the AV vendor check\n\nThis attack was discovered in FireEye Dynamic Threat Intelligence. Additional syndication URLs are also redirecting to Angler (Figure 12):\n\n\n\nFigure 12. Constructing VBScript depending upon the presence of AV/analysis objects\n\nVisitors to the site are encouraged to use caution to avoid potentially becoming infected.\n", "modified": "2015-12-09T12:00:00", "published": "2015-12-09T12:00:00", "href": "https://www.fireeye.com/blog/threat-research/2015/12/cybercrime-news.html", "id": "FIREEYE:50656CA8D413ED51CDE771F0BAB863B5", "type": "fireeye", "title": "Cybercrime News Results In Cybercrime Blues", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:29", "bulletinFamily": "unix", "description": "### Background\n\nThe Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Adobe Flash Player users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-plugins/adobe-flash-11.2.202.548\"", "modified": "2015-11-17T00:00:00", "published": "2015-11-17T00:00:00", "id": "GLSA-201511-02", "href": "https://security.gentoo.org/glsa/201511-02", "type": "gentoo", "title": "Adobe Flash Player: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-05-29T14:35:33", "bulletinFamily": "unix", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes multiple vulnerabilities in Adobe Flash Player. These\nvulnerabilities, detailed in the Adobe Security Bulletins APSB15-25,\nAPSB15-27, and APSB15-28 listed in the References section, could allow an\nattacker to create a specially crafted SWF file that would cause\nflash-plugin to crash, execute arbitrary code, or disclose sensitive\ninformation when the victim loaded a page containing the malicious SWF\ncontent. (CVE-2015-5569, CVE-2015-7625, CVE-2015-7626, CVE-2015-7627,\nCVE-2015-7628, CVE-2015-7629, CVE-2015-7630, CVE-2015-7631, CVE-2015-7632,\nCVE-2015-7633, CVE-2015-7634, CVE-2015-7635, CVE-2015-7636, CVE-2015-7637,\nCVE-2015-7638, CVE-2015-7639, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642,\nCVE-2015-7643, CVE-2015-7644, CVE-2015-7645, CVE-2015-7647, CVE-2015-7648,\nCVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655,\nCVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7659, CVE-2015-7660,\nCVE-2015-7661, CVE-2015-7662, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043,\nCVE-2015-8044, CVE-2015-8046)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 11.2.202.548.\n", "modified": "2017-07-27T07:18:58", "published": "2015-11-11T05:00:00", "id": "RHSA-2015:2024", "href": "https://access.redhat.com/errata/RHSA-2015:2024", "type": "redhat", "title": "(RHSA-2015:2024) Critical: flash-plugin security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}