
Flash Player < 17.0.0.189 (inferred) Multiple Vulnerabilities (APSB15-06 through 11)

High

Synopsis

The remote host is running a browser plugin that is affected by multiple vulnerabilities.

Description

Versions of Adobe Flash Player equal to or prior to 17.0.0.188 are outdated and thus unpatched for the following vulnerabilities:

- Multiple double-free errors exist that allow an attacker to execute arbitrary code (CVE-2015-0346, CVE-2015-0359).
- Multiple memory corruption flaws exist due to improper validation of user-supplied input. A remote attacker can exploit these flaws, via specially crafted Flash content, to corrupt memory and execute arbitrary code (CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043, CVE-2015-3078, CVE-2015-3089, CVE-2015-3090, CVE-2015-3093, CVE-2015-3105).
- An unspecified buffer overflow condition exists due to improper validation of user-supplied input. A remote attacker can exploit this to execute arbitrary code (CVE-2015-0348).
- Multiple unspecified use-after-free errors exist that allow an attacker to execute arbitrary code (CVE-2015-0349, CVE-2015-0351, CVE-2015-0358, CVE-2015-3039, CVE-2015-3080, CVE-2015-3103, CVE-2015-3106, CVE-2015-3107).
- Multiple unspecified memory leaks exist that allow an attacker to bypass the Address Space Layout Randomization (ASLR) feature (CVE-2015-0357, CVE-2015-3040, CVE-2015-3091, CVE-2015-3092, CVE-2015-3108).
- Multiple unspecified type confusion flaws exist that allow an attacker to execute arbitrary code (CVE-2015-3077, CVE-2015-3084, CVE-2015-3086, CVE-2015-0356).
- Multiple unspecified security bypass flaws exist that allow a context-dependent attacker to disclose sensitive information (CVE-2015-3079, CVE-2015-3044).
- An unspecified time-of-check time-of-use (TOCTOU) race condition exists that allows an attacker to bypass Protected Mode for Internet Explorer (CVE-2015-3081).
- Multiple validation bypass vulnerabilities exist that allow an attacker to read or write arbitrary data to the file system (CVE-2015-3082, CVE-2015-3083, CVE-2015-3085).
- Multiple integer overflow conditions exist due to improper validation of user-supplied input. This allows a context-dependent attacker to execute arbitrary code (CVE-2015-3087, CVE-2015-3104).
- A heap-based buffer overflow condition exists due to improper validation of user-supplied input. A remote attacker can exploit this to execute arbitrary code (CVE-2015-3088).
- An unspecified vulnerability exists that allows an attacker to bypass the fix for CVE-2014-5333 (CVE-2015-3096).
- An unspecified memory address randomization flaw exists on Windows 7 64-bit (CVE-2015-3097).
- Multiple unspecified flaws exist that allow a remote attacker to bypass the same-origin policy, resulting in the disclosure of sensitive information (CVE-2015-3098, CVE-2015-3099, CVE-2015-3102).
- A remote code execution vulnerability exists due to an unspecified stack overflow flaw (CVE-2015-3100).

Solution

Upgrade to Adobe Flash Player version 18.0.0.160 or later. Alternatively, Adobe has made version 13.0.0.292 available for those installs that cannot be upgraded to 17.x.