CVE-2015-8419

Vulnerability

Adobe Flash Player versions prior to 18.0.0.268 on Windows and OS X, 20.x before 20.0.0.228, and 11.x before 11.2.202.554 on Linux contain a memory corruption vulnerability. Adobe AIR and SDK versions before 20.0.0.204 are also affected. The issue can be triggered by processing crafted SWF content via unspecified vectors, without requiring any special configuration beyond the use of a vulnerable Flash Player instance [1].

Exploitation

An attacker can deliver a malicious SWF file through a web page or other means that cause the victim’s Flash Player to load the content. No authentication is needed, and the attacker only needs to convince the user to visit the crafted content. The memory corruption occurs during the processing of the SWF data, leading to potentially exploitable conditions [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user running the Flash Player process, or to cause a denial of service through memory corruption. This could lead to full system compromise depending on the user’s privileges. Additionally, information disclosure or security bypass may be possible [1].

Mitigation

Adobe released fixed versions: Flash Player 18.0.0.268, 20.0.0.228, and 11.2.202.559 for Linux; AIR 20.0.0.204 for Windows and OS X; all released by December 8, 2015. Gentoo users were advised to upgrade to at least www-plugins/adobe-flash-11.2.202.559 [1]. No workaround is available; upgrading to the patched version is the only resolution.