Overview
Adobe Flash Player contains a vulnerability in the ActionScript 3 opaqueBackground property, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Adobe Flash Player versions 9.0 through version 18.0.0.203 contain a use-after-free vulnerability in the AS3 opaqueBackground class. This can allow attacker-controlled memory corruption.
Impact
An attacker can execute arbitrary code in the context of the user running Flash Player. Attacks typically involve enticing a user to visit a web site containing specially-crafted Flash content, or to open a specially-crafted Microsoft Office document.
Solution
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:
Do not run untrusted Flash content
To defend against this and other, as yet unknown, vulnerabilities, disable Flash in your browser or enable Click-to-Play features. Adobe has also provided instructions for how to uninstall Flash on Windows and Mac platforms.
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Adobe | Affected | - | 11 Jul 2015 |
If you are a vendor and your product is affected, let us know.
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 7.5 | E:H/RL:U/RC:C |
Environmental | 7.5 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
- https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
- https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html
- https://krebsonsecurity.com/2015/07/adobe-to-fix-another-hacking-team-zero-day/
- http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/display/DisplayObject.html#opaqueBackground
- http://www.microsoft.com/emet
- http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser
- https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html
- https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html
Credit
This document was written by Will Dormann.
Other Information
- CVE IDs: CVE-2015-5122
- Date Public: 05 Jul 2015
- Date First Published: 11 Jul 2015
- Date Last Updated: 11 Jul 2015
- Document Revision: 15