Flash Player <= Unspecified Code Execution (APSA15-02 / APSB15-04)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.

Synopsis :

The remote Windows host has a browser plugin that is affected by
multiple code execution vulnerabilities.

Description :

According to its version, the Adobe Flash Player installed on the
remote Windows host is equal or prior to It is, therefore,
affected by the following vulnerabilities :

- Several use-after-free errors exist that allow arbitrary
code execution. (CVE-2015-0313, CVE-2015-0315,
CVE-2015-0320, CVE-2015-0322)

- Several memory corruption errors exist that allow
arbitrary code execution. (CVE-2015-0314,
CVE-2015-0316, CVE-2015-0318, CVE-2015-0321,
CVE-2015-0329, CVE-2015-0330)

- Several type confusion errors exist that allow
arbitrary code execution. (CVE-2015-0317, CVE-2015-0319)

- Several heap-based buffer-overflow errors exist that
allow arbitrary code execution. (CVE-2015-0323,

- A buffer overflow error exists that allows arbitrary
code execution. (CVE-2015-0324)

- Several null pointer dereference errors exist that have
unspecified impacts. (CVE-2015-0325, CVE-2015-0326,

- A use-after-free error exists within the processing of
invalid m3u8 playlists. A remote attacker, with a
specially crafted m3u8 playlist file, can force a
dangling pointer to be reused after it has been freed,
allowing the execution of arbitrary code.

See also :


Solution :

Upgrade to Adobe Flash Player version or later.

Alternatively, Adobe has made version available for those
installations that cannot be upgraded to 16.x.

Risk factor :

High / CVSS Base Score : 9.3
CVSS Temporal Score : 7.7
Public Exploit Available : true