SUSE Linux update for flash-player



Published: 2015-07-09
Risk: Critical
Patch available: YES
Number of vulnerabilities: 35
CVE-ID: CVE-2014-0578
CVE-2015-3114
CVE-2015-3115
CVE-2015-3116
CVE-2015-3117
CVE-2015-3118
CVE-2015-3119
CVE-2015-3120
CVE-2015-3121
CVE-2015-3122
CVE-2015-3123
CVE-2015-3124
CVE-2015-3125
CVE-2015-3126
CVE-2015-3127
CVE-2015-3128
CVE-2015-3129
CVE-2015-3130
CVE-2015-3131
CVE-2015-3132
CVE-2015-3133
CVE-2015-3134
CVE-2015-3135
CVE-2015-3136
CVE-2015-3137
CVE-2015-4428
CVE-2015-4429
CVE-2015-4430
CVE-2015-4431
CVE-2015-4432
CVE-2015-4433
CVE-2015-5116
CVE-2015-5117
CVE-2015-5118
CVE-2015-5119
CWE-ID: CWE-284
CWE-200
CWE-119
CWE-843
CWE-476
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #6 is available.
Public exploit code for vulnerability #12 is available.
Public exploit code for vulnerability #16 is available.
Public exploit code for vulnerability #22 is available.
Public exploit code for vulnerability #25 is available.
Public exploit code for vulnerability #28 is available.
Public exploit code for vulnerability #30 is available.
Public exploit code for vulnerability #32 is available.
Public exploit code for vulnerability #34 is available.
Vulnerability #35 is being exploited in the wild.
Vulnerable software
Adobe AIR
Client/Desktop applications / Multimedia software

Adobe Flash Player Extended Support Release
Client/Desktop applications / Multimedia software

Adobe Flash Player for Linux
Client/Desktop applications / Multimedia software

Adobe Flash Player
Client/Desktop applications / Plugins for browsers, ActiveX components

Vendor: Adobe

Security Bulletin

This security bulletin contains information about 35 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU5473

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-0578

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access control. A remote attacker can bypass the same-origin policy and gain access to important data.

Successful exploitation of this vulnerability results in information disclosure on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.535

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU5474

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3114

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access control. A remote attacker can bypass security limitations and gain access to important data.

Successful exploitation of this vulnerability results in information disclosure on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Information disclosure

EUVDB-ID: #VU5475

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3115

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access control. A remote attacker can bypass the same-origin policy and gain access to important data.

Successful exploitation of this vulnerability results in information disclosure on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information disclosure

EUVDB-ID: #VU5476

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3116

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access control. A remote attacker can bypass the same-origin policy and gain access to important data.

Successful exploitation of this vulnerability results in information disclosure on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Memory corruption

EUVDB-ID: #VU5482

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3117

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Use-after-free error

EUVDB-ID: #VU5493

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2015-3118

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

7) Type confusion

EUVDB-ID: #VU5488

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3119

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a type confusion error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Type confusion

EUVDB-ID: #VU5489

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3120

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a type confusion error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Type confusion

EUVDB-ID: #VU5490

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3121

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a type confusion error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Type confusion

EUVDB-ID: #VU5491

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3122

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a type confusion error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Memory corruption

EUVDB-ID: #VU5483

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3123

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free error

EUVDB-ID: #VU5494

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2015-3124

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

13) Information disclosure

EUVDB-ID: #VU5477

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3125

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access control. A remote attacker can bypass the same-origin policy and gain access to important data.

Successful exploitation of this vulnerability results in information disclosure on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Null pointer dereference

EUVDB-ID: #VU5471

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3126

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to a NULL pointer dereference. A remote attacker can create a specially crafted website, trick the victim into visiting it and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use-after-free error

EUVDB-ID: #VU5496

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3127

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Use-after-free error

EUVDB-ID: #VU5497

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2015-3128

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

17) Use-after-free error

EUVDB-ID: #VU5498

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3129

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Memory corruption

EUVDB-ID: #VU5484

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3130

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Use-after-free error

EUVDB-ID: #VU5499

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3131

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Use-after-free error

EUVDB-ID: #VU5500

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3132

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Memory corruption

EUVDB-ID: #VU5485

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3133

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Memory corruption

EUVDB-ID: #VU5486

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2015-3134

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

23) Heap-based buffer overflow

EUVDB-ID: #VU5479

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3135

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a heap-based buffer overflow. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Use-after-free error

EUVDB-ID: #VU5501

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3136

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Use-after-free error

EUVDB-ID: #VU5502

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2015-3137

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

26) Use-after-free error

EUVDB-ID: #VU5503

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-4428

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Null pointer dereference

EUVDB-ID: #VU5472

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-4429

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to a NULL pointer dereference. A remote attacker can create a specially crafted website, trick the victim into visiting it and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Use-after-free error

EUVDB-ID: #VU5504

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2015-4430

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

29) Memory corruption

EUVDB-ID: #VU5487

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-4431

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Heap-based buffer overflow

EUVDB-ID: #VU5480

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2015-4432

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a heap-based buffer overflow. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.180

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

31) Type confusion

EUVDB-ID: #VU5492

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-4433

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a type confusion error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Information disclosure

EUVDB-ID: #VU5478

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2015-5116

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access control. A remote attacker can bypass the same-origin policy and gain access to important data.

Successful exploitation of this vulnerability results in information disclosure on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

33) Use-after-free error

EUVDB-ID: #VU5495

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-5117

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Heap-based buffer overflow

EUVDB-ID: #VU5481

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2015-5118

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a heap-based buffer overflow. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.481

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

35) Use-after-free error

EUVDB-ID: #VU5505

Risk: Critical

CVSSv3.1: 9.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2015-5119

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.468 - 11.2.202.481

Adobe Flash Player Extended Support Release: 13.0.0.296 - 13.0.0.302

Adobe Flash Player: 18.0.0 - 18.0.0.161

External links

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


