Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x up to and including 13.0.0.302 on Windows and OS X, 14.x up to and including 18.0.0.203 on Windows and OS X, 11.x up to and including 11.2.202.481 on Linux, and 12.x up to and including 18.0.0.204 on Linux Chrome installations allows remote malicious users to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
adobe flash_player |
||
adobe flash_player_desktop_runtime |
||
redhat enterprise linux server 5.0 |
||
redhat enterprise linux workstation 5.0 |
||
redhat enterprise linux desktop 6.0 |
||
redhat enterprise linux server 6.0 |
||
redhat enterprise linux workstation 6.0 |
||
redhat enterprise linux desktop 5.0 |
||
redhat enterprise linux server eus 6.6 |
||
suse linux enterprise desktop 11 |
||
opensuse evergreen 11.4 |
||
suse linux enterprise desktop 12 |
||
suse linux enterprise workstation extension 12 |
Rivals stuck with old Adobe exploits
The Angler exploit kit is again sailing the cyber seas and pillaging with impunity, adding one of the more recent machine-hijacking Flash holes to its arsenal. The integration of Adobe Flash vulnerability (CVE-2015-8651) patched last month solidifies Angler's position as the most popular and effective exploit kit on underground criminal markets. Chinese security researcher known as ThreatBook reports the exploit kit is being used in phishing attacks under the so-called DarkHotel campaign. Those ...
Evilware rivals race to exploit the flaws stoopid folks don't fix
Criminals behind some of the most potent exploit kits, Neutrino and RIG, are ramping up attacks slinging the latest ransomware and hosing users who have not applied recent Adobe Flash patches. The patched vulnerabilities permit code execution and allow the dangerous hacking kits to compromise user machines. The two above-mentioned exploit kits jostle for top spot on the evilware charts, with speedy exploitation of Flash vulnerabilities giving one the edge over the other. Damage inflicted to indu...
Even after deletion you can be p0wned by PowerPoint or whipped by Word
Fortinet security researcher Bing Lui has warned users that they can still be p0wned if they only disable Adobe Flash in web browsers. Lui's warning speaks to advice last week that users dump Flash to bolster security in the wake of the public disclosure of three zero day vulnerabilities (CVE-2015-5122. CVE-2015-5123, and CVE-2015-5119 ) as part of the Hacking Team cyber defiling. He built an exploit against the first vuln in demonstrating how the likely common mistake of uninstalling Flash only...
Browser maker backs search for 'safer and more stable' alternative – like its own
Mozilla has lifted its blanket block on Flash in Firefox following the release of security updates by Adobe on Tuesday. Although the short-term block has been lifted, the whole flap appears to have re-energised efforts at Mozilla to work on Flash alternatives. The block – imposed on Monday – meant that all versions of Flash were blocked within Firefox by default. This embargo was lifted once Adobe released cross-platform updates that defended against two new zero-day vulnerabilities, which w...
'Temporary pending a patch'. Until the next time
Mozilla has temporarily blocked Flash in Firefox while waiting for Adobe to release patches to fix yet more serious security holes in the Swiss-cheese-like plugin. These holes can be exploited by criminals to hijack PCs and infect them with malware; details of the bugs emerged from leaked Hacking Team files. Firefox began preventing Flash from running by default on Monday. All versions of Adobe's software, including the most recent release, have been added to the browser's blacklist. Users can c...
Software portfolio looks like a nicotine addict's buttocks
Adobe has released patches for its Flash software to fix a pair of critical security vulnerabilities exposed by the Hacking Team megabreach. The bugs can be exploited to hijack PCs and infect them with malware – and crooks are already doing just that, so apply the updates now. The security bulletin for Adobe Flash Player (APSB15-18) addresses both zero-day vulnerabilities (CVE-2015-5122, CVE-2015-5123). Version 18.0.0.209 Flash Player and associated browser plugins for Windows, Macintosh and L...
Adobe vows to plug serious hijack leaks
Updated Two more serious Adobe Flash vulnerabilities have emerged from the leaked Hacking Team files, ones which allow malefactors to take over computers remotely – and crooks are apparently already exploiting at least one of them to infect machines. The use-after-free() programming flaws, for which no patches exist, are identified as CVE-2015-5122 and CVE-2015-5123. They are similar to the CVE-2015-5119 Flash bug patched last week. The 5122 and 5123 bugs let malicious Flash files execute code...