Multiple Vulnerabilities in Adobe Flash Player Could Allow Remote Code Execution (APSB15-25 & APSB15-27)

ITS Advisory Number: 
2015-121 (UPDATED)
Date(s) Issued: 
Tuesday, October 13, 2015
Date Updated: 
Wednesday, October 21, 2015
Subject: 
Multiple Vulnerabilities in Adobe Flash Player Could Allow Remote Code Execution (APSB15-25 & APSB15-27)
Overview: 

Multiple vulnerabilities have been discovered in Adobe Flash Player, a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

OCTOBER 21 UPDATED OVERVIEW

Adobe has released updated versions of Adobe Flash Player as of October 16th, which mitigates the previously reported zero day vulnerabilities (CVE-2015-7645, CVE-2015-7647, CVE-2015-7648). Adobe has offered a manual download process as well as an automatic option for customers utilizing their auto-update feature. The latest security release by Adobe for these vulnerabilities is APSB15-27.

Systems Affected: 
  • Adobe Flash Player Desktop Runtime 19.0.0.185 and earlier Windows and Macintosh
  • Adobe Flash Player Extended Support Release 18.0.0.241 and earlier Windows and Macintosh
  • Adobe Flash Player for Google Chrome 19.0.0.185 and earlier Windows, Macintosh, Linux and ChromeOS
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 19.0.0.185 and earlier Windows 10
  • Adobe Flash Player for Internet Explorer 10 and 11 19.0.0.185 and earlier Windows 8.0 and 8.1
  • Adobe Flash Player for Linux 11.2.202.521 and earlier Linux
  • AIR Desktop Runtime 19.0.0.190 and earlier Windows and Macintosh
  • AIR SDK 19.0.0.190 and earlier Windows, Macintosh, Android and iOS
  • AIR SDK & Compiler 19.0.0.190 and earlier Windows, Macintosh, Android and iOS

October 21 - UPDATED SYSTEM AFFECTED:

  • Adobe Flash Player 19.0.0.207 and earlier versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version 18.0.0.252 and earlier 18.x versions
  • Adobe Flash Player 11.2.202.535 and earlier 11.x versions for Linux
  • Adobe Flash Player prior to 19.0.0.226  for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version prior to 18.0.0.255 for Windows and Macintosh
  • Adobe Flash Player prior to 11.2.202.540 for Linux
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Adobe Flash Player is prone to multiple vulnerabilities. These vulnerabilities are as follows:

  • A vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2015-7628).
  • A defense-in-depth feature in the Flash broker API (CVE-2015-5569).
  • A use-after-free vulnerabilities that could lead to code execution (CVE-2015-7629, CVE-2015-7631, CVE-2015-7643, CVE-2015-7644).
  • A buffer overflow vulnerability that could lead to code execution (CVE-2015-7632).
  • Memory corruption vulnerabilities that could lead to code execution (CVE-2015-7625, CVE-2015-7626, CVE-2015-7627, CVE-2015-7630, CVE-2015-7633, CVE-2015-7634).

Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

October 21 UPDATED DESCRIPTION:

Adobe Flash Player is prone to multiple vulnerabilities. These vulnerabilities are as follows:

  • Multiple use-after-free vulnerabilities that could lead to code execution (CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7636, CVE-2015-7637, CVE-2015-7638, CVE-2015-7639, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, CVE-2015-7644).
  • A critical vulnerability that could cause a crash and allow an attacker to take control of the affected system (CVE-2015-7645). 

CVE-2015-7645 has been patched in Adobe Flash Player versions 19.0.0.226, 18.0.0.255 and 11.2.202.540.

Actions: 
  • Install the updates provided by Adobe immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from un-trusted sources.

October 21 UPDATED ACTIONS:

References: 

Adobe:

https://helpx.adobe.com/security/products/flash-player/apsb15-25.html

CVE

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7628

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5569

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7629

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7631

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7643

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7644

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7632

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7625

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7626

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7627

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7630

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7633

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7634

October 21 UPDATED REFERENCES:

Adobe:

https://helpx.adobe.com/security/products/flash-player/apsb15-27.html

https://helpx.adobe.com/security/products/flash-player/apsa15-05.html

TrendMicro:

http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7635

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7636

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7637

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7638

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7639

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7640

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7641

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7642

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7645