VYPR
Unrated severity · NVD Advisory · Published Nov 11, 2015 · Updated May 6, 2026

CVE-2015-7653

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 allows attackers to execute arbitrary code via crafted globalToLocal arguments, a different vulnerability than CVE-2015-7651, CVE-2015-7652, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, and CVE-2015-8046.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player's MovieClip.globalToLocal method has a use-after-free that allows arbitrary code execution via crafted arguments.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X, and before 11.2.202.548 on Linux, as well as Adobe AIR, AIR SDK, and AIR SDK & Compiler before 19.0.0.241. The flaw lies in the MovieClip object's globalToLocal method: crafted arguments cause the memory backing an object referenced during the call to be freed, after which the method continues through the now-dangling pointer [3]. The code path is reached when the victim loads a malicious SWF file [3].

Exploitation

Exploitation requires user interaction: the target must visit a malicious web page or open a malicious SWF file [3]. No authentication is needed; the attacker hosts the crafted SWF on a website or delivers it by email. Once the content is loaded, the script's arguments to globalToLocal trigger the use-after-free [3]. The sequence is to free the object during argument processing and then have the method reuse the dangling pointer; as with other use-after-free bugs, the attacker arranges for controlled data to occupy the freed memory before that reuse, so the stale access yields control of execution flow [3].
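The following added example is not Flash Player code and is not taken from the referenced advisories; it models the bug class the Vulnerability and Exploitation sections describe. A globalToLocal-style routine evaluates its point argument through getters that script can control, then uses the display object it was called on without holding a reference to it. The slab allocator, the Clip and Point structures, and the "a getter drops the last reference" trigger are this example's own assumptions; the page does not state the actual trigger. The hardened variant shows the usual fix for this shape: pin the object for the duration of the call.

```c
/* Added illustration of the bug class behind CVE-2015-7653, not Flash Player
 * code. Object layout, allocator and trigger are assumptions of this model. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 4

/* Minimal display object, allocated from a fixed slab so that a free is
 * deterministic and observable rather than undefined behaviour. */
typedef struct {
    bool alive;
    int refcount;
    double origin_x, origin_y;   /* global position of the clip's origin */
} Clip;

static Clip slab[SLOTS];

static Clip *clip_new(double ox, double oy) {
    for (int i = 0; i < SLOTS; i++) {
        if (!slab[i].alive) {
            slab[i] = (Clip){ .alive = true, .refcount = 1,
                              .origin_x = ox, .origin_y = oy };
            return &slab[i];
        }
    }
    return NULL;
}

static void clip_retain(Clip *c) { c->refcount++; }

/* Dropping the last reference frees the slot; poisoning the fields stands in
 * for the allocator handing the memory to someone else. */
static void clip_release(Clip *c) {
    if (--c->refcount == 0)
        memset(c, 0, sizeof *c);   /* alive = false, origin = (0,0) */
}

/* The point argument: coordinates are fetched through getters a script can
 * override, which is where attacker code runs in the middle of the call. */
typedef struct Point Point;
typedef double (*getter_fn)(const Point *p, Clip *target);
struct Point { double x, y; getter_fn get_x, get_y; };

static double benign_get_x(const Point *p, Clip *t) { (void)t; return p->x; }
static double benign_get_y(const Point *p, Clip *t) { (void)t; return p->y; }

/* Crafted getter: drops the only reference to the clip mid-call. */
static double evil_get_y(const Point *p, Clip *t) { clip_release(t); return p->y; }

/* Vulnerable shape: evaluate the arguments, then touch `target` as if the
 * callbacks could not have freed it. Returns true if it read a freed clip. */
static bool global_to_local_vuln(Clip *target, const Point *p, double *lx, double *ly) {
    double gx = p->get_x(p, target);
    double gy = p->get_y(p, target);     /* may free target */
    bool used_freed = !target->alive;    /* stale pointer from here on */
    *lx = gx - target->origin_x;
    *ly = gy - target->origin_y;
    return used_freed;
}

/* Hardened shape: pin the object across the callbacks and release it only
 * after the last use, so no script can drop the final reference under us. */
static bool global_to_local_fixed(Clip *target, const Point *p, double *lx, double *ly) {
    clip_retain(target);
    double gx = p->get_x(p, target);
    double gy = p->get_y(p, target);
    bool used_freed = !target->alive;    /* never true: we hold a reference */
    *lx = gx - target->origin_x;
    *ly = gy - target->origin_y;
    clip_release(target);
    return used_freed;
}

/* Constructed scenario: a clip whose origin is at (3,4) and a crafted point
 * at (10,20). The correct local x is 10 - 3 = 7. */
static bool run(bool hardened, double *lx) {
    memset(slab, 0, sizeof slab);
    Clip *c = clip_new(3, 4);
    Point p = { 10, 20, benign_get_x, evil_get_y };
    double ly;
    return hardened ? global_to_local_fixed(c, &p, lx, &ly)
                    : global_to_local_vuln(c, &p, lx, &ly);
}

int vulnerable_touches_freed_clip(void) { double lx; return run(false, &lx) ? 1 : 0; }
int hardened_touches_freed_clip(void)   { double lx; return run(true, &lx) ? 1 : 0; }
/* Vulnerable result is computed from poisoned memory (origin read as 0). */
double vulnerable_local_x(void)         { double lx; run(false, &lx); return lx; }
double hardened_local_x(void)           { double lx; run(true, &lx); return lx; }

int main(void) {
    printf("vulnerable: touched freed clip=%d, local x=%.1f\n",
           vulnerable_touches_freed_clip(), vulnerable_local_x());
    printf("hardened:   touched freed clip=%d, local x=%.1f\n",
           hardened_touches_freed_clip(), hardened_local_x());
    return 0;
}
```

In a real heap the poisoned origin would instead be whatever the attacker sprayed into the freed chunk, which is why the stale read turns into control of execution rather than a wrong coordinate.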

Impact

Successful exploitation allows an attacker to execute arbitrary code within the context of the current process, typically the browser or the Flash Player plugin [3]. Depending on the privileges of that process, this can lead to complete compromise of the user's system: installing programs, viewing, changing, or deleting data, or creating new accounts with full user rights. Adobe rated the bulletin critical; the NVD CVSS v2 base score is 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P), which NVD classes as Medium, with the Medium access complexity reflecting the user-interaction requirement [3].

Mitigation

Adobe released patched versions: Flash Player 18.0.0.261 and 19.0.0.245 for Windows and OS X, Flash Player 11.2.202.548 for Linux, and AIR, AIR SDK, and AIR SDK & Compiler 19.0.0.241. Red Hat issued RHSA-2015-2023 and RHSA-2015-2024 to update the flash-plugin package to 11.2.202.548 [1][2]. Gentoo published GLSA 201511-02, recommending an upgrade to >=11.2.202.548 [4]. Apply the updates immediately; there is no workaround [4]. Browser click-to-play for plugin content reduces exposure to drive-by delivery but does not fix the bug. Adobe ended support for Flash Player on December 31, 2020, so on any system where a vulnerable build still exists the durable mitigation is to remove it.
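As an added check (this example's own code, not a vendor tool): deciding whether an installed build is below the fixed versions means comparing against the right release branch, because 18.x and 19.x on Windows/OS X have different fix levels and a single "below 19.0.0.245" threshold would misclassify patched 18.x builds. The thresholds are the ones stated above; the product labels and the sample inventory lines are constructed for the example.

```c
/* Added helper for CVE-2015-7653 version triage. Not from the advisory or any
 * vendor tool; product labels are this example's own. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct { int part[4]; } Ver;

/* Parse exactly "a.b.c.d"; anything else (including trailing text) is rejected. */
static bool parse_ver(const char *s, Ver *v) {
    char tail;
    return sscanf(s, "%d.%d.%d.%d%c", &v->part[0], &v->part[1],
                  &v->part[2], &v->part[3], &tail) == 4;
}

static int cmp_ver(const Ver *a, const Ver *b) {
    for (int i = 0; i < 4; i++)
        if (a->part[i] != b->part[i]) return a->part[i] < b->part[i] ? -1 : 1;
    return 0;
}

static bool below(const Ver *v, const char *fixed) {
    Ver f;
    parse_ver(fixed, &f);   /* the constants below are well-formed */
    return cmp_ver(v, &f) < 0;
}

/* Products as labelled here: "flash-windows-osx", "flash-linux", "air"
 * (AIR, AIR SDK and AIR SDK & Compiler share one threshold).
 * Returns 1 = vulnerable, 0 = fixed or unaffected, -1 = unknown product
 * or unparsable version. */
int is_vulnerable_cve_2015_7653(const char *product, const char *version) {
    Ver v;
    if (!parse_ver(version, &v)) return -1;
    if (strcmp(product, "flash-windows-osx") == 0) {
        /* Two branches with different fix levels: 19.x is fixed at
         * 19.0.0.245; anything older must be at 18.0.0.261 or later.
         * Builds newer than 19.x are not affected and fall through to 0. */
        if (v.part[0] == 19) return below(&v, "19.0.0.245") ? 1 : 0;
        return below(&v, "18.0.0.261") ? 1 : 0;
    }
    if (strcmp(product, "flash-linux") == 0) return below(&v, "11.2.202.548") ? 1 : 0;
    if (strcmp(product, "air") == 0)         return below(&v, "19.0.0.241") ? 1 : 0;
    return -1;
}

int main(void) {
    /* Constructed sample inventory lines: product<TAB>version. */
    static const char *inventory[] = {
        "flash-windows-osx\t19.0.0.226", "flash-windows-osx\t18.0.0.261",
        "flash-windows-osx\t18.0.0.255", "flash-linux\t11.2.202.540",
        "air\t19.0.0.241",               "air\tunknown",
    };
    for (size_t i = 0; i < sizeof inventory / sizeof *inventory; i++) {
        char product[32], version[32];
        if (sscanf(inventory[i], "%31[^\t]\t%31s", product, version) != 2) continue;
        printf("%-18s %-14s -> %d\n", product, version,
               is_vulnerable_cve_2015_7653(product, version));
    }
    return 0;
}
```

The return value -1 is deliberate: an inventory line that cannot be classified should be surfaced for manual review rather than silently counted as patched.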

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 13

Patches indexed: 0 (no patches discovered yet; see Mitigation above for the vendor-fixed versions)

References: 8
