CVE-2015-8443

Vulnerability

Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X, and before 11.2.202.554 on Linux, along with Adobe AIR before 20.0.0.204 and Adobe AIR SDK before 20.0.0.204, are susceptible to a memory corruption vulnerability that can be triggered via unspecified vectors [1]. The bug affects the rendering of SWF files, commonly used for interactive web content, and does not require any special configuration beyond having a vulnerable version installed.

Exploitation

An attacker can exploit this vulnerability by delivering a crafted SWF file to a target user, typically through a web page or email attachment. No authentication or special network position is needed; the user simply needs to open the malicious file or visit a compromised website hosting it. The exact exploitation steps involve crafting SWF content that triggers the memory corruption when processed by the Flash Player or AIR runtime [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code within the context of the vulnerable application, potentially leading to full system compromise. Alternatively, the attacker could cause a denial of service condition through memory corruption, crashing the application or the underlying system. The attack can also lead to sensitive information disclosure or security bypass, depending on the crafted input [1].

Mitigation

Adobe released fixed versions: Flash Player 20.0.0.228 (Windows/OS X), 11.2.202.559 (Linux), and AIR 20.0.0.204. Users should upgrade to these versions or later. The Gentoo advisory [1] recommends updating to >=www-plugins/adobe-flash-11.2.202.559. No workarounds are available if patching is not possible; disabling Flash content in the browser or uninstalling the player can reduce risk, but no official workaround is disclosed.