CVE-2015-7629
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via a TextFormat object with a crafted tabStops property, a different vulnerability than CVE-2015-7631, CVE-2015-7643, and CVE-2015-7644.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player's TextFormat.tabStops allows remote code execution via a crafted SWF file.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player's TextFormat object when the tabStops property is manipulated [3]. This flaw affects Flash Player versions before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X, before 11.2.202.535 on Linux, as well as Adobe AIR before 19.0.0.213 and corresponding SDK versions [1][2]. The bug leaves a dangling pointer that is used after the memory it references has been freed, leading to memory corruption.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious SWF file that manipulates the tabStops property of a TextFormat object [3]. The attack requires user interaction: the victim must visit a malicious web page or open a malicious file [3]. No authentication or special network position is needed; the attacker simply hosts the SWF and lures the target. The specific sequence involves triggering the use-after-free condition to corrupt memory in a controlled manner.
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current process [2][3]. This can lead to full compromise of the affected system, including potential data disclosure, denial of service, or further escalation [2]. The vulnerability is rated Critical by Adobe and Red Hat, with a CVSS base score of 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) [3].
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.252 and 19.0.0.207 for Windows/OS X, 11.2.202.535 for Linux, and AIR 19.0.0.213 [1][2]. Red Hat provided updated packages to version 11.2.202.548 for RHEL [2]. Gentoo recommends upgrading to >=11.2.202.548 [4]. No workaround is available [4]. Users should apply the latest updates immediately.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=19.0.0.190
- (no CPE) range: <19.0.0.213
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* range: <=19.0.0.190
- (no CPE) range: <19.0.0.213
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* range: <=19.0.0.190
- (no CPE) range: <19.0.0.213
- Range: <18.0.0.252 and <19.0.0.207
osv-coords (4 versions)
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
- (no CPE) range: < 11.2.202.535-0.20.1
- (no CPE) range: < 11.2.202.535-0.20.1
- (no CPE) range: < 11.2.202.535-105.1
- (no CPE) range: < 11.2.202.535-105.1
Patches
No patches discovered yet.
References
- helpx.adobe.com/security/products/flash-player/apsb15-25.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00011.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00012.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00013.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00018.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-1893.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-2024.html (nvd)
- www.securityfocus.com/bid/77061 (nvd)
- www.securitytracker.com/id/1033797 (nvd)
- www.zerodayinitiative.com/advisories/ZDI-15-514 (nvd)
- security.gentoo.org/glsa/201511-02 (nvd)