Security Alert (A15-07-06): Multiple Vulnerabilities in Adobe Flash Player and Adobe Reader/Acrobat

Description:

Security updates are released for Adobe Flash Player and Adobe Reader/Acrobat to address multiple vulnerabilities caused by memory corruption, various buffer overflow, null-pointer dereference, use-after-free error and security bypass. To successfully exploit the vulnerabilities, a remote attacker could entice a targeted user to open a specially crafted PDF file, web page, Flash file, or document that supports embedded Flash content.

Affected Systems:

• Adobe Flash Player 18.0.0.203, 18.0.0.204 and earlier versions
• Adobe Flash Player 13.0.0.302 and earlier 13.x versions
• Adobe Flash Player 11.2.202.481 and earlier 11.x versions
• Adobe Reader/Acrobat XI 11.0.11 or earlier 11.x versions
• Adobe Reader/Acrobat X 10.1.14 or earlier 10.x versions
• Adobe Acrobat DC/Acrobat Reader DC Continuous 2015.007.20033 or earlier versions
• Adobe Acrobat DC/Acrobat Reader DC Classic 2015.006.30033 or earlier versions

Impact:

A successful attack could lead to arbitrary code execution, information disclosure, denial-of-service and security restrictions bypass.

Recommendation:

Upgrade Adobe Flash Player and Acrobat Reader/Acrobat to the following versions to address the issues. The upgrade can be obtained by using the auto-update mechanism or by downloading at the following URLs:

• Adobe Flash Player 18.0.0.209
  http://www.adobe.com/go/getflash
  http://www.adobe.com/products/players/flash-player-distribution.html
  
  
• Adobe Flash Player 13.0.0.305
  http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html
  
  
• Adobe Flash Player 18.0.0.209 for Google Chrome
  http://googlechromereleases.blogspot.com/
  
  
• Adobe Acrobat XI (11.0.12) and X (10.1.15), Acrobat DC Continuous 2015.008.20082, Classic 2015.006.30060
  http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
  http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
  
  
• Adobe Reader XI (11.0.12) and X (10.1.15), Acrobat Reader DC Continuous 2015.008.20082, Classic 2015.006.30060
  http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
  http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
  
  

Currently, the new version of Adobe Flash Player 18.0.0.209 for Internet Explorer 10 and 11 on Windows 8 and 8.1 is still pending from the product vendor. Since the vulnerability could be exploited by simply viewing a malicious website, as an interim measure as well as security best practices, users are reminded not to visit suspicious websites, nor follow URL links from un-trusted sources or emails such as spam, and to keep the virus signature as well as detection and repair engine up-to-date.

If you have multiple browsers, you are required to perform the Adobe Flash Player upgrade for each browser, the Flash Player version can be checked at http://www.adobe.com/software/flash/about/

More Information:

https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
https://helpx.adobe.com/security/products/reader/apsb15-15.html
https://technet.microsoft.com/library/security/2755801
https://www.hkcert.org/my_url/en/alert/15071516
https://www.hkcert.org/my_url/en/alert/15071518
https://www.us-cert.gov/ncas/current-activity/2015/07/11/Adobe-Flash-ActionScript-3-opaqueBackground-Use-After-Free
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4443 (to CVE-2015-4452)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5085 (to CVE-2015-5111)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5113 (to CVE-2015-5115)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5122 (to CVE-2015-5123)