Overview
Adobe Flash Player contains a vulnerability in the ActionScript 3 BitmapData object, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Adobe Flash Player versions 9.0 through version 18.0.0.204 contain amemory corruption vulnerability in the AS3 BitmapData class. Proof-of-concept exploit code for this vulnerability is publicly available. Please see Adobe Security Bulletin APSA15-04 for more details about affected Flash versions. |
Impact
An attacker may be able to execute arbitrary code in the context of the user running Flash Player. Attacks typically involve enticing a user to visit a web site containing specially-crafted Flash content, or to open a specially-crafted Microsoft Office document. |
Solution
Apply an update |
Do not run untrusted Flash content |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Temporal | 6.8 | E:POC/RL:U/RC:C |
| Environmental | 6.7 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
- https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
- https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-zero-day-vulnerability-cve-2015-5123-in-adobe-flash-emerges-from-hacking-team-leak
- http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/display/BitmapData.html
- http://www.microsoft.com/emet
Acknowledgements
This vulnerability was reported by TrendMicro, based on the HackingTeam leak.
This document was written by Will Dormann.
Other Information
| CVE IDs: | CVE-2015-5123 |
| Date Public: | 2015-07-05 |
| Date First Published: | 2015-07-12 |
| Date Last Updated: | 2015-07-14 15:02 UTC |
| Document Revision: | 20 |