Adobe Flash Player – true zero-day vulnerability CVE-2015-7645

Flash_Player_0-Day_VulnerabilityAdobe still keeps a tradition to publish information about new zero-day vulnerabilities affecting their Flash Player (now

What is really interesting – there is no patch yet, and this vulnerability has been exploited in the wild! So it is yet another good reason to disable Flash player in your browser (if you did not disable it already).

Security Advisory: APSA15-05

Details about know exploitation (spear phishing targets Ministries of Foreign Affairs) as part of Operation Pawn Storm:
New zero-day exploit hits fully patched Adobe Flash


Trend Micro analyzed the vulnerability and made a PoC code. Again it is poor technique how Flash compiler handles language semantics and allows to bypass internal security controls:
Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques

In my opinion described technique exploits some fundamentals weaknesses of Active Script and will not be easy to fix the root cause.

Leave a comment