CVE-2015-0320
Description
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0313, CVE-2015-0315, and CVE-2015-0322.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player before 13.0.0.269 and 16.0.0.305 (Windows/OS X) or 11.2.202.442 (Linux) has a use-after-free vulnerability enabling arbitrary code execution.
Vulnerability
Adobe Flash Player before 13.0.0.269, and 14.x, 15.x, and 16.x before 16.0.0.305, on Windows and OS X, and before 11.2.202.442 on Linux, contains a use-after-free vulnerability [1][2][3][4]. The bug is triggered via unspecified vectors within the Flash Player engine, leading to memory corruption.
Exploitation
An attacker can exploit this vulnerability by enticing a user to visit a crafted web page or open a specially crafted SWF file [1][2][4]. No special network position beyond delivering content to the target is required; the attack is remote. The exploitation does not require authentication, and the user interaction is limited to normal browsing (e.g., viewing the page containing the malicious Flash content) [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary code with the privileges of the user running Flash Player [1][2][4]. This can lead to full system compromise, including installation of programs, viewing, changing, or deleting data, and creating new accounts with full user rights. The confidentiality, integrity, and availability of the affected system are all at risk [3][4].
Mitigation
Adobe released fixed versions on February 2, 2015: Flash Player 13.0.0.269, 16.0.0.305, and 11.2.202.442 [1][2][3][4]. Microsoft and Red Hat released corresponding updates for Flash delivered through their products [1][2]. Gentoo users should upgrade to >=www-plugins/adobe-flash-11.2.202.442 [4]. No workarounds are documented; applying the latest updates is the only mitigation [3][4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <=11.2.202.440)
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- Range: < 13.0.0.269 or >= 14.0 < 16.0.0.305 (Windows/OS X), < 11.2.202.442 (Linux)
- osv-coords (2 versions):
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012 (no CPE), range: < 11.2.202.442-67.1
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012 (no CPE), range: < 11.2.202.442-67.1
Patches
No patches discovered yet.
References
- helpx.adobe.com/security/products/flash-player/apsb15-04.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00006.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00007.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00008.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00009.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-0140.html (nvd)
- secunia.com/advisories/62777 (nvd)
- secunia.com/advisories/62886 (nvd)
- secunia.com/advisories/62895 (nvd)
- security.gentoo.org/glsa/glsa-201502-02.xml (nvd)
- www.securityfocus.com/bid/72514 (nvd)
- www.securitytracker.com/id/1031706 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/100698 (nvd)
- technet.microsoft.com/library/security/2755801 (nvd)