Personal blog of Alex Muratov

Adobe Flash Player – true zero-day vulnerability CVE-2015-7645

Posted on October 15, 2015 | in Hacking, Malware

Adobe keeps up its tradition of publishing information about new zero-day vulnerabilities affecting its Flash Player (now 19.0.0.207).

What is really interesting: there is no patch yet, and this vulnerability has been exploited in the wild! So it is yet another good reason to disable Flash Player in your browser (if you have not disabled it already).

Security Advisory: APSA15-05

Details about known exploitation (spear phishing targeting Ministries of Foreign Affairs) as part of Operation Pawn Storm:
New zero-day exploit hits fully patched Adobe Flash

Update:

Trend Micro analyzed the vulnerability and produced PoC code. Once again, the cause is the poor way the Flash compiler handles language semantics, which allows internal security controls to be bypassed:
Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques

In my opinion, the described technique exploits some fundamental weaknesses of Active Script, and it will not be easy to fix the root cause.
