Security Alert (A15-10-02): Multiple Vulnerabilities in Adobe Flash Player and Adobe Reader/Acrobat

Description:

Security updates are released for Adobe Flash Player and Adobe Reader/Acrobat to address multiple vulnerabilities caused by various buffer overflow, use-after-free error, memory leak, memory corruption, security bypass and problems in Flash broker and Javascript API. To successfully exploit the vulnerabilities, a remote attacker could entice a targeted user to open a specially crafted PDF file, web page, Flash file, or document that supports embedded Flash content.

Affected Systems:

• Adobe Flash Player for Windows and Macintosh 18.0.0.241, 19.0.0.185 and earlier versions
• Adobe Flash Player for Google Chrome 19.0.0.185 and earlier versions
• Adobe Flash Player for Linux 11.2.202.521 and earlier versions
• AIR Desktop Runtime, SDK 19.0.0.190 and earlier versions
• AIR SDK & Complier 19.0.0.190 and earlier versions
• Adobe Acrobat DC/Acrobat Reader DC Continuous 2015.008.20082 and earlier versions
• Adobe Acrobat DC/Acrobat Reader DC Classic 2015.006.30060 and earlier versions
• Adobe Reader/Acrobat XI 11.0.12 and earlier 11.x versions
• Adobe Reader/Acrobat X 10.1.15 and earlier 10.x versions

Impact:

A successful attack could lead to arbitrary code execution, information disclosure, bypass of security restrictions or potentially take control of the affected system.

Recommendation:

Upgrade Adobe Flash Player to the following versions to address the issues. The upgrade can be obtained by using the auto-update mechanism or by downloading at the following URLs:

• Adobe Flash Player 18.0.0.252 & 19.0.0.207 for Windows and Macintosh
  http://www.adobe.com/go/getflash
  http://www.adobe.com/products/players/flash-player-distribution.html
  http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html
  
  
• Adobe Flash Player 19.0.0.207 for Google Chrome
  http://googlechromereleases.blogspot.com/
  
  
• Adobe Flash Player 19.0.0.207 for Microsoft Edge and Internet Explorer 10 & 11
  https://support.microsoft.com/en-hk/kb/3099406
  
  
• Adobe Flash Player 11.2.202.535 for Linux
  http://www.adobe.com/go/getflash
  
  
• AIR Desktop Runtime 19.0.0.213
  http://get.adobe.com/air/
  
  
• AIR SDK, SDK & Complier 19.0.0.213
  http://www.adobe.com/devnet/air/air-sdk-download.html
  
  
• AIR for Android 19.0.0.213
  https://play.google.com/store/apps/details?id=com.adobe.air
  
  
• Adobe Acrobat XI (11.0.13) and X (10.1.16), Acrobat DC Continuous 2015.009.20069, Classic 2015.006.30094
  http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
  http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
  
  
• Adobe Reader XI (11.0.13) and X (10.1.16), Acrobat Reader DC Continuous 2015.009.20069, Classic 2015.006.30094
  http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
  http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
  
  

If you have multiple browsers, you are required to perform the Adobe Flash Player upgrade for each browser, the Flash Player version can be checked at http://www.adobe.com/software/flash/about/

More Information:

https://helpx.adobe.com/security/products/flash-player/apsb15-25.html
https://helpx.adobe.com/security/products/acrobat/apsb15-24.html
https://technet.microsoft.com/library/security/2755801
https://www.hkcert.org/my_url/en/alert/15101407
https://www.hkcert.org/my_url/en/alert/15101408
https://www.us-cert.gov/ncas/current-activity/2015/10/13/Adobe-Releases-Security-Updates-Reader-and-Acrobat
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6683 (to CVE-2015-6725)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7614 (to CVE-2015-7634)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7643 (to CVE-2015-7644)