CVE-2015-8045

Vulnerability

A memory corruption vulnerability exists in Adobe Flash Player before 18.0.0.268, 19.x and 20.x before 20.0.0.228 on Windows and OS X, and before 11.2.202.554 on Linux, as well as Adobe AIR before 20.0.0.204. The vulnerability is triggered via unspecified vectors, potentially involving crafted SWF content. This issue is one of multiple memory corruption flaws addressed in the same update [1].

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a malicious Flash file, typically through a web page or email attachment. No additional privileges are required; the attack can be performed remotely. The exact exploitation steps are not disclosed, but the flaw allows arbitrary code execution in the context of the user running Flash [1].

Impact

Successful exploitation can lead to arbitrary code execution, enabling the attacker to install programs, view, change, or delete data, or create new accounts with full user rights. Alternatively, an attacker can cause a denial of service (application crash). The impact is limited to the privileges of the affected user [1].

Mitigation

Adobe has released updated versions: Flash Player 18.0.0.268, 20.0.0.228, and 11.2.202.559, and AIR 20.0.0.204. Users should upgrade immediately. The Gentoo advisory recommends updating to at least www-plugins/adobe-flash-11.2.202.559. No workaround is available [1].