Description:
Security updates have been released for Adobe Flash Player and Adobe Reader/Acrobat to address multiple vulnerabilities caused by buffer overflows, use-after-free errors, memory leaks, memory corruption, security bypasses, and problems in the Flash broker and JavaScript API. To exploit the vulnerabilities, a remote attacker could entice a targeted user to open a specially crafted PDF file, web page, Flash file, or document that supports embedded Flash content.
Affected Systems:
- Adobe Flash Player for Windows and Macintosh 18.0.0.241, 19.0.0.185 and earlier versions
- Adobe Flash Player for Google Chrome 19.0.0.185 and earlier versions
- Adobe Flash Player for Linux 11.2.202.521 and earlier versions
- AIR Desktop Runtime, SDK 19.0.0.190 and earlier versions
- AIR SDK & Compiler 19.0.0.190 and earlier versions
- Adobe Acrobat DC/Acrobat Reader DC Continuous 2015.008.20082 and earlier versions
- Adobe Acrobat DC/Acrobat Reader DC Classic 2015.006.30060 and earlier versions
- Adobe Reader/Acrobat XI 11.0.12 and earlier 11.x versions
- Adobe Reader/Acrobat X 10.1.15 and earlier 10.x versions
Impact:
A successful attack could lead to arbitrary code execution, information disclosure, or bypass of security restrictions, and could potentially allow the attacker to take control of the affected system.
Recommendation:
Upgrade Adobe Flash Player to the following versions to address the issues. The upgrade can be obtained through the auto-update mechanism or by downloading from the following URLs:
- Adobe Flash Player 18.0.0.252 & 19.0.0.207 for Windows and Macintosh
http://www.adobe.com/go/getflash
http://www.adobe.com/products/players/flash-player-distribution.html
http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html
- Adobe Flash Player 19.0.0.207 for Google Chrome
http://googlechromereleases.blogspot.com/
- Adobe Flash Player 19.0.0.207 for Microsoft Edge and Internet Explorer 10 & 11
https://support.microsoft.com/en-hk/kb/3099406
- Adobe Flash Player 11.2.202.535 for Linux
http://www.adobe.com/go/getflash
- AIR Desktop Runtime 19.0.0.213
http://get.adobe.com/air/
- AIR SDK, SDK & Compiler 19.0.0.213
http://www.adobe.com/devnet/air/air-sdk-download.html
- AIR for Android 19.0.0.213
https://play.google.com/store/apps/details?id=com.adobe.air
- Adobe Acrobat XI (11.0.13) and X (10.1.16), Acrobat DC Continuous 2015.009.20069, Classic 2015.006.30094
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
- Adobe Reader XI (11.0.13) and X (10.1.16), Acrobat Reader DC Continuous 2015.009.20069, Classic 2015.006.30094
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
If you have multiple browsers, you must perform the Adobe Flash Player upgrade for each browser. The installed Flash Player version can be checked at http://www.adobe.com/software/flash/about/
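To check an inventory against the fixed versions listed above, the following is an added example, not part of the original advisory or any Adobe tooling. It compares dotted versions numerically and matches each installed version to its own release branch (18.x versus 19.x for Flash Player); the product keys, host names and sample inventory are constructed for illustration.

```python
# Fixed releases from the Recommendation list above; product keys are assumed labels.
FIXED = {
    "flash-desktop": ["18.0.0.252", "19.0.0.207"],  # Windows and Macintosh
    "flash-chrome": ["19.0.0.207"],
    "flash-linux": ["11.2.202.535"],
    "air": ["19.0.0.213"],
    "acrobat-dc-continuous": ["2015.009.20069"],
    "acrobat-dc-classic": ["2015.006.30094"],
    "acrobat-xi": ["11.0.13"],
    "acrobat-x": ["10.1.16"],
}


def parse(version):
    """Turn '19.0.0.185' into (19, 0, 0, 185) so fields compare numerically."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def needs_update(product, installed):
    """Return True if `installed` is older than the fixed release for its branch."""
    if product not in FIXED:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    have = parse(installed)
    fixed = sorted(parse(v) for v in FIXED[product])
    # Prefer the fixed release on the same major branch (18.x vs 19.x for Flash);
    # a version on no listed branch is compared with the newest fixed release.
    same_branch = [f for f in fixed if f[0] == have[0]]
    target = same_branch[0] if same_branch else fixed[-1]
    return have < target


# Constructed sample inventory: (host, product key, installed version).
INVENTORY = [
    ("ws-01", "flash-desktop", "18.0.0.252"),
    ("ws-02", "flash-desktop", "19.0.0.185"),
    ("ws-03", "acrobat-dc-continuous", "2015.008.20082"),
    ("ws-04", "acrobat-xi", "11.0.13"),
]


def report(inventory):
    """Return the hosts whose installed version predates the fix."""
    return [host for host, product, ver in inventory if needs_update(product, ver)]


print(report(INVENTORY))
```

The Acrobat DC Continuous case shows why a plain string or last-field comparison is unsafe: 2015.008.20082 is older than 2015.009.20069 even though its final field is larger.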
More Information:
https://helpx.adobe.com/security/products/flash-player/apsb15-25.html
https://helpx.adobe.com/security/products/acrobat/apsb15-24.html
https://technet.microsoft.com/library/security/2755801
https://www.hkcert.org/my_url/en/alert/15101407
https://www.hkcert.org/my_url/en/alert/15101408
https://www.us-cert.gov/ncas/current-activity/2015/10/13/Adobe-Releases-Security-Updates-Reader-and-Acrobat
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6683 (to CVE-2015-6725)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7614 (to CVE-2015-7634)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7643 (to CVE-2015-7644)