VYPR
Unrated severity · NVD Advisory · Published Mar 13, 2015 · Updated May 6, 2026

CVE-2015-0336

Description

Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0334.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player before 17.0.0.134 contains a type confusion in NetConnection that allows remote code execution via a crafted SWF file.

Vulnerability

Adobe Flash Player versions before 13.0.0.277, 14.x through 17.x before 17.0.0.134 on Windows and OS X, and before 11.2.202.451 on Linux are affected by a type confusion vulnerability in the NetConnection class [1][2]. The bug occurs when the Flash Player incorrectly handles certain ActionScript types, leading to memory corruption that can be leveraged for arbitrary code execution. The official advisory from Adobe (APSB15-05) and Red Hat's security update confirm the scope [1].

Exploitation

An attacker can exploit this vulnerability by hosting a specially crafted SWF file on a web page, reached directly or through an email link, that targets the vulnerable Flash Player [2]. No prior authentication is required; the victim only needs to visit the malicious page using a browser with the affected Flash version. Once the SWF is loaded, the type confusion triggers a memory corruption condition that the attacker can control. Public exploit code (Metasploit module) targets Windows 7 SP1 with IE 8 and IE 11 on Flash 16.0.0.305 [2]. The exploit overwrites dangerous objects, such as ActionScript vectors, to achieve code execution.

Impact

Successful exploitation allows an attacker to execute arbitrary code within the context of the logged-in user [1][2][3]. The attacker gains full system-level privileges (user or potentially SYSTEM depending on sandbox), enabling theft of data, installation of malware, or further compromise of the system. The vulnerability is known to be exploited in the wild by exploit kits such as Nuclear EK [2].

Mitigation

Adobe released fixed versions: Flash Player 17.0.0.134, 13.0.0.277, and 11.2.202.451 on March 12, 2015 [1][2]. Red Hat provided an update for Linux via RHSA-2015:0697 [1], and Gentoo issued GLSA 201503-09 [3]. Users should update immediately. No workaround exists; disabling or removing Flash Player is an alternative if updating is not possible. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities Catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
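
The check below is an added example, not part of the advisory or of any vendor tooling. It encodes the affected ranges from the Description so an installed-version inventory can be triaged against the fixed releases. The platform labels, function names and inventory rows are assumptions constructed for illustration.

```python
# Added example: thresholds are the fixed versions named in this advisory.
FIXED_ESR = (13, 0, 0, 277)      # Windows / OS X, builds up to the 13.x branch
FIXED_CURRENT = (17, 0, 0, 134)  # Windows / OS X, 14.x through 17.x
FIXED_LINUX = (11, 2, 202, 451)  # Linux


def parse_version(text):
    """Parse 'a.b.c.d', ignoring an optional '-release' package suffix."""
    upstream = text.strip().split("-", 1)[0]
    parts = upstream.split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part Flash Player version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform, version):
    """Return True if the build falls inside the advisory's affected range."""
    v = parse_version(version)
    platform = platform.lower()
    if platform == "linux":
        return v < FIXED_LINUX
    if platform in ("windows", "osx"):
        if v[0] <= 13:
            # Builds up to the 13.x branch are fixed by 13.0.0.277.
            return v < FIXED_ESR
        # 14.x through 17.x are fixed only by 17.0.0.134.
        return v < FIXED_CURRENT
    raise ValueError(f"platform not covered by the advisory: {platform!r}")


# Constructed inventory rows: (host, platform label, installed version).
INVENTORY = [
    ("ws-01", "windows", "16.0.0.305"),
    ("ws-02", "windows", "13.0.0.277"),
    ("mac-01", "osx", "17.0.0.134"),
    ("lnx-01", "linux", "11.2.202.442"),
    ("lnx-02", "linux", "11.2.202.451-77.1"),
]


def affected_hosts(inventory):
    """Return the host names whose Flash Player still needs the update."""
    return [h for h, platform, ver in inventory if is_affected(platform, ver)]


if __name__ == "__main__":
    print(affected_hosts(INVENTORY))
```

A 13.0.0.277 build is reported as fixed even though it is numerically lower than 17.0.0.134, which a single "less than the latest version" comparison would get wrong.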

Affected products

19
  • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (+ 16 more)
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <=13.0.0.264)
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.305:*:*:*:*:*:*:*
    • (no CPE) range: <=17.0.0.134
  • osv-coords (2 versions)
    < 11.2.202.451-77.1 (+ 1 more)
    • (no CPE) range: < 11.2.202.451-77.1
    • (no CPE) range: < 11.2.202.451-77.1
