Unrated severity · NVD Advisory · Published Aug 14, 2015 · Updated May 6, 2026

CVE-2015-5539

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5127, CVE-2015-5130, CVE-2015-5134, CVE-2015-5540, CVE-2015-5550, CVE-2015-5551, CVE-2015-5556, CVE-2015-5557, CVE-2015-5559, CVE-2015-5561, CVE-2015-5563, CVE-2015-5564, and CVE-2015-5565.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player use-after-free in AS2 native class SharedObject allows arbitrary code execution before 18.0.0.232/11.2.202.508.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player when a native ActionScript 2 (AS2) class sets an internal atom to a value that is a SharedObject variable. This affects Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, as well as Adobe AIR, Adobe AIR SDK, and Adobe AIR SDK & Compiler before 18.0.0.199 [1][2][3]. The issue occurs in code paths involving NetConnection.uri and similar properties when combined with SharedObject manipulation.

Exploitation

An attacker can exploit this by serving a crafted SWF file that triggers the use-after-free condition. The proof-of-concept requires loading two SWF files from a web server (due to network sandbox limitations) and works reliably on 64-bit systems, though it can be adapted for 32-bit with proper heap setup [2]. The exploit uses SharedObject.getLocal, ASSetPropFlags, and ASnative calls to corrupt memory, then triggers a crash or code execution through a BitmapData allocation and a timed callback [2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the affected Flash Player process. This can lead to full system compromise, including installation of programs, viewing/changing/deleting data, or creating new accounts with full user rights [3].

Mitigation

Adobe released fixes in Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux), AIR 18.0.0.199, and corresponding AIR SDK versions on August 12, 2015 [1][2]. Red Hat issued an update for Adobe Flash Player on Red Hat Enterprise Linux [1]. Gentoo users should upgrade to >=www-plugins/adobe-flash-11.2.202.508 [3]. No workaround is available [3]; upgrading to the patched version is the only mitigation.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 11

Patches: 0. No patches discovered yet.

References: 10
