PT-2015-2897 · Adobe+3 · Air Sdk & Compiler+6
Published
2015-12-08
·
Updated
2017-02-17
·
CVE-2015-8446
CVSS v2.0
9.3
High
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Adobe Flash Player versions prior to 18.0.0.268
Adobe Flash Player versions 19.x
Adobe Flash Player versions 20.x prior to 20.0.0.228
Adobe AIR versions prior to 20.0.0.204
Adobe AIR SDK versions prior to 20.0.0.204
Adobe AIR SDK & Compiler versions prior to 20.0.0.204
Adobe Flash Player version prior to 11.2.202.554 on Linux
Description
The issue is caused by a heap-based buffer overflow in the handling of MP3 files with COMM tags, allowing attackers to execute arbitrary code. This can be achieved through a specially crafted MP3 file. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited.
Recommendations
For Adobe Flash Player versions prior to 18.0.0.268, update to version 18.0.0.268 or later.
For Adobe Flash Player versions 19.x, update to a version that is not affected by this issue.
For Adobe Flash Player versions 20.x prior to 20.0.0.228, update to version 20.0.0.228 or later.
For Adobe AIR versions prior to 20.0.0.204, update to version 20.0.0.204 or later.
For Adobe AIR SDK versions prior to 20.0.0.204, update to version 20.0.0.204 or later.
For Adobe AIR SDK & Compiler versions prior to 20.0.0.204, update to version 20.0.0.204 or later.
For Adobe Flash Player version prior to 11.2.202.554 on Linux, update to version 11.2.202.554 or later.
As a temporary workaround, consider avoiding the use of MP3 files with COMM tags until a patch is available.
Fix
Buffer Overflow
Heap Based Buffer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Air
Air Sdk
Air Sdk & Compiler
Flash Player
Red Hat
Suse