CVE-2015-5123

Published: 14/07/2015 | Updated: 08/09/2021
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 891
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x up to and including 13.0.0.302 on Windows and OS X, 14.x up to and including 18.0.0.203 on Windows and OS X, 11.x up to and including 11.2.202.481 on Linux, and 12.x up to and including 18.0.0.204 on Linux Chrome installations allows remote malicious users to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

Vulnerable Product

redhat enterprise linux desktop 6.0

redhat enterprise linux server 5.0

redhat enterprise linux server 6.0

redhat enterprise linux workstation 5.0

redhat enterprise linux server eus 6.6

redhat enterprise linux workstation 6.0

redhat enterprise linux desktop 5.0

suse linux enterprise desktop 12

suse linux enterprise desktop 11

opensuse evergreen 11.4

suse linux enterprise workstation extension 12

adobe flash_player

adobe flash_player_desktop_runtime

Vendor Advisories

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary cod ...

Recent Articles

The roots go deep: Kill Adobe Flash, kill it everywhere, bod says
The Register • Darren Pauli • 21 Jul 2015

Even after deletion you can be p0wned by PowerPoint or whipped by Word

Fortinet security researcher Bing Lui has warned users that they can still be p0wned if they only disable Adobe Flash in web browsers. Lui's warning speaks to advice last week that users dump Flash to bolster security in the wake of the public disclosure of three zero day vulnerabilities (CVE-2015-5122, CVE-2015-5123, and CVE-2015-5119) as part of the Hacking Team cyber defiling. He built an exploit against the first vuln in demonstrating how the likely common mistake of uninstalling Flash only...

Mozilla loses patience with Flash over Hacking Team, BLOCKS it
The Register • John Leyden • 14 Jul 2015

'Temporary pending a patch'. Until the next time

Mozilla has temporarily blocked Flash in Firefox while waiting for Adobe to release patches to fix yet more serious security holes in the Swiss-cheese-like plugin. These holes can be exploited by criminals to hijack PCs and infect them with malware; details of the bugs emerged from leaked Hacking Team files. Firefox began preventing Flash from running by default on Monday. All versions of Adobe's software, including the most recent release, have been added to the browser's blacklist. Users can c...

GET PATCHED: Adobe plugs Hacking Team Flash holes and more
The Register • John Leyden • 14 Jul 2015

Software portfolio looks like a nicotine addict's buttocks

Adobe has released patches for its Flash software to fix a pair of critical security vulnerabilities exposed by the Hacking Team megabreach. The bugs can be exploited to hijack PCs and infect them with malware – and crooks are already doing just that, so apply the updates now. The security bulletin for Adobe Flash Player (APSB15-18) addresses both zero-day vulnerabilities (CVE-2015-5122, CVE-2015-5123). Version 18.0.0.209 Flash Player and associated browser plugins for Windows, Macintosh and L...

Flash HOLED AGAIN TWICE below waterline in fresh Hacking Team reveals
The Register • Chris Williams, Editor in Chief • 12 Jul 2015

Adobe vows to plug serious hijack leaks

Updated Two more serious Adobe Flash vulnerabilities have emerged from the leaked Hacking Team files, ones which allow malefactors to take over computers remotely – and crooks are apparently already exploiting at least one of them to infect machines. The use-after-free() programming flaws, for which no patches exist, are identified as CVE-2015-5122 and CVE-2015-5123. They are similar to the CVE-2015-5119 Flash bug patched last week. The 5122 and 5123 bugs let malicious Flash files execute code...