CVE-2015-5559

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player versions before 18.0.0.232 on Windows and OS X, and before 11.2.202.508 on Linux, as well as in Adobe AIR versions before 18.0.0.199. The flaw is triggered via unspecified vectors, but it is part of a set of vulnerabilities (including CVE-2015-5127, CVE-2015-5130, and others) that are exploited through a crafted SWF file. Attackers can leverage this flaw by convincing a victim to visit a malicious webpage or open a booby-trapped Flash content. [1][2]

Exploitation

An attacker typically exploits this vulnerability by hosting a malicious SWF file or embedding it in a webpage; the victim must access the content through a web browser or a program that uses the affected Flash/AIR runtime. No special privileges are required beyond normal user interaction (clicking a link or opening a document). The use-after-free condition occurs when the Flash player fails to properly manage memory while processing certain ActionScript operations. [2]

Impact

Successful exploitation allows the attacker to execute arbitrary code on the victim's system with the privileges of the affected user. This can lead to complete compromise of confidentiality, integrity, and availability, including the installation of malware, data theft, or further propagation within a network. [1][2]

Mitigation

Adobe released fixed versions: Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux), and AIR 18.0.0.199. These updates were made available on or around August 11, 2015. Users should update their software immediately; there is no known workaround. [1][2]