Unrated severity · NVD Advisory · Published Nov 11, 2015 · Updated May 6, 2026

CVE-2015-7659

Description

Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion" in the NetConnection object implementation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A type confusion vulnerability in Adobe Flash Player's NetConnection object allows remote attackers to execute arbitrary code via a crafted SWF file.

Vulnerability

A type confusion vulnerability exists in Adobe Flash Player's NetConnection object implementation. The flaw occurs when specific object properties are overridden, triggering an unspecified type confusion condition. This affects Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X, before 11.2.202.548 on Linux, and extends to Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 [1][2][3].

Exploitation

An attacker can exploit this vulnerability by convincing a user to visit a malicious web page or open a crafted SWF file. No authentication or special privileges are required beyond user interaction. The attacker overrides specific properties on the NetConnection object to trigger a type confusion, which then leads to arbitrary code execution [3].

Impact

Successful exploitation allows an attacker to execute arbitrary code within the context of the current process. This could lead to full compromise of the affected system, including potential data theft, installation of malware, or further network propagation. The CVSS score for this vulnerability is 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) [2][3].

Mitigation

Adobe released fixed versions on November 10, 2015: Flash Player 18.0.0.261 and 19.0.0.245 for Windows/OS X, and 11.2.202.548 for Linux; AIR and AIR SDK 19.0.0.241. Users should update to these versions immediately. Red Hat released an updated flash-plugin package (version 11.2.202.548) for Red Hat Enterprise Linux [2]. Gentoo recommends upgrading to >=www-plugins/adobe-flash-11.2.202.548 [4]. No workarounds are available; applying the patch is the only mitigation.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
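
The fixed versions listed under Mitigation can be turned into an inventory check. The following is an added example, not part of the advisory or of any Adobe tooling; the function names, the product and platform labels, and the inventory rows are assumptions constructed for illustration, and only the version thresholds come from the text above.

```python
# Added example: thresholds come from the advisory text; everything else is constructed.

def parse(version):
    """'19.0.0.207' -> (19, 0, 0, 207); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in version.strip().split("."))

# Fixed builds named in the advisory.
FLASH_DESKTOP_18 = parse("18.0.0.261")   # Windows / OS X, 18.x and earlier
FLASH_DESKTOP_19 = parse("19.0.0.245")   # Windows / OS X, 19.x branch
FLASH_LINUX = parse("11.2.202.548")
AIR_FIXED = parse("19.0.0.241")          # AIR, AIR SDK, AIR SDK & Compiler

def is_vulnerable(product, platform, version):
    """Return True if the build predates the fix for CVE-2015-7659."""
    v = parse(version)
    product, platform = product.lower(), platform.lower()
    if product.startswith("air"):
        return v < AIR_FIXED
    if product != "flash":
        raise ValueError(f"product not covered by this advisory: {product}")
    if platform == "linux":
        return v < FLASH_LINUX
    if platform in ("windows", "osx"):
        # Two fixed branches: a single "< 19.0.0.245" test would wrongly flag
        # patched 18.0.0.261, and "< 18.0.0.261" alone would miss 19.0.0.2xx.
        if v[0] >= 19:
            return v < FLASH_DESKTOP_19
        return v < FLASH_DESKTOP_18
    raise ValueError(f"platform not covered by this advisory: {platform}")

# Constructed inventory rows: (host, product, platform, installed version).
INVENTORY = [
    ("ws-01", "flash", "windows", "19.0.0.226"),
    ("ws-02", "flash", "windows", "18.0.0.261"),
    ("mac-01", "flash", "osx", "19.0.0.245"),
    ("lnx-01", "flash", "linux", "11.2.202.540"),
    ("dev-01", "air sdk", "windows", "19.0.0.213"),
    ("ws-03", "flash", "windows", "9.0.124.0"),
]

def vulnerable_hosts(rows):
    """Hosts whose installed build is below the fixed version for its branch."""
    return [host for host, prod, plat, ver in rows if is_vulnerable(prod, plat, ver)]

if __name__ == "__main__":
    for host in vulnerable_hosts(INVENTORY):
        print("needs update:", host)
```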

Affected products: 14


References: 8
