Forum Thread: Adobe Flash Player Multiple Vulnerabilities

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Vulnerabilities

See the original Secunia advisory:
Adobe Flash Player Multiple Vulnerabilities

Secunia Adobe Flash Player Multiple Vulnerabilities
Secunia Official 9th Dec, 2015 11:19
Ranking: 0
Posts: 0
User Since: -
System Score: -
Location: Copenhagen, DK
Multiple vulnerabilities have been reported in Adobe Flash Player, where one has an unknown impact and the others can be exploited to bypass certain security restrictions and compromise a user's system.

1) An unspecified error can be exploited to cause a heap-based buffer overflow.

2) Another unspecified error can be exploited to cause a heap-based buffer overflow.

3) An unspecified error can be exploited to corrupt memory.

4) Another unspecified error can be exploited to corrupt memory.

5) Another unspecified error can be exploited to corrupt memory.

6) Another unspecified error can be exploited to corrupt memory.

7) Another unspecified error can be exploited to corrupt memory.

8) Another unspecified error can be exploited to corrupt memory.

9) Another unspecified error can be exploited to corrupt memory.

10) Another unspecified error can be exploited to corrupt memory.

11) Another unspecified error can be exploited to corrupt memory.

12) Another unspecified error can be exploited to corrupt memory.

13) Another unspecified error can be exploited to corrupt memory.

14) Another unspecified error can be exploited to corrupt memory.

15) An unspecified error can be exploited to bypass certain security restrictions.

16) Another unspecified error can be exploited to bypass certain security restrictions.

17) Another unspecified error can be exploited to bypass certain security restrictions.

18) An unspecified error can be exploited to cause a stack-based buffer overflow.

19) A type confusion vulnerability can be exploited to execute arbitrary code.

20) An integer overflow error can be exploited to execute arbitrary code.

21) An unspecified error can be exploited to cause a buffer overflow.

Successful exploitation of the vulnerabilities #1 through #14, #18, and #21 may allow execution of arbitrary code.

22) A use-after-free error can be exploited to execute arbitrary code.

23) Another use-after-free error can be exploited to execute arbitrary code.

24) Another use-after-free error can be exploited to execute arbitrary code.

25) Another use-after-free error can be exploited to execute arbitrary code.

26) Another use-after-free error can be exploited to execute arbitrary code.

27) Another use-after-free error can be exploited to execute arbitrary code.

28) Another use-after-free error can be exploited to execute arbitrary code.

29) Another use-after-free error can be exploited to execute arbitrary code.

30) Another use-after-free error can be exploited to execute arbitrary code.

31) Another use-after-free error can be exploited to execute arbitrary code.

32) Another use-after-free error can be exploited to execute arbitrary code.

33) Another use-after-free error can be exploited to execute arbitrary code.

34) Another use-after-free error can be exploited to execute arbitrary code.

35) Another use-after-free error can be exploited to execute arbitrary code.

36) Another use-after-free error can be exploited to execute arbitrary code.

37) Another use-after-free error can be exploited to execute arbitrary code.

38) Another use-after-free error can be exploited to execute arbitrary code.

39) Another use-after-free error can be exploited to execute arbitrary code.

40) Another use-after-free error can be exploited to execute arbitrary code.

41) Another use-after-free error can be exploited to execute arbitrary code.

42) Another use-after-free error can be exploited to execute arbitrary code.

43) Another use-after-free error can be exploited to execute arbitrary code.

44) Another use-after-free error can be exploited to execute arbitrary code.

45) Another use-after-free error can be exploited to execute arbitrary code.

46) Another use-after-free error can be exploited to execute arbitrary code.

47) Another use-after-free error can be exploited to execute arbitrary code.

48) Another use-after-free error can be exploited to execute arbitrary code.

49) Another use-after-free error can be exploited to execute arbitrary code.

50) Another use-after-free error can be exploited to execute arbitrary code.

51) Another use-after-free error can be exploited to execute arbitrary code.

52) Another use-after-free error can be exploited to execute arbitrary code.

53) Another use-after-free error can be exploited to execute arbitrary code.

54) Another use-after-free error can be exploited to execute arbitrary code.

55) Another use-after-free error can be exploited to execute arbitrary code.

56) Another use-after-free error can be exploited to execute arbitrary code.

57) Another use-after-free error can be exploited to execute arbitrary code.

58) Another use-after-free error can be exploited to execute arbitrary code.

59) Another use-after-free error can be exploited to execute arbitrary code.

60) Another use-after-free error can be exploited to execute arbitrary code.

61) Another use-after-free error can be exploited to execute arbitrary code.

62) Another use-after-free error can be exploited to execute arbitrary code.

63) Another use-after-free error can be exploited to execute arbitrary code.

64) Another use-after-free error can be exploited to execute arbitrary code.

65) Another use-after-free error can be exploited to execute arbitrary code.

66) Another use-after-free error can be exploited to execute arbitrary code.

67) Another use-after-free error can be exploited to execute arbitrary code.

68) Another use-after-free error can be exploited to execute arbitrary code.

69) Another use-after-free error can be exploited to execute arbitrary code.

70) Another use-after-free error can be exploited to execute arbitrary code.

71) Another use-after-free error can be exploited to execute arbitrary code.

72) Another use-after-free error can be exploited to execute arbitrary code.

73) Another use-after-free error can be exploited to execute arbitrary code.

74) Another use-after-free error can be exploited to execute arbitrary code.

75) Another use-after-free error can be exploited to execute arbitrary code.

76) Another use-after-free error can be exploited to execute arbitrary code.

77) Another use-after-free error can be exploited to execute arbitrary code.

78) An unspecified error exists. No further information is currently available.

The vulnerabilities are reported in the following products and versions:
* Adobe Flash Player Extended Support Release versions 18.0.0.261 and prior running on Windows and Macintosh
* Adobe Flash Player for Linux 11.2.202.548 and prior running on Linux

MikePerry RE: Adobe Flash Player Multiple Vulnerabilities
Member 9th Dec, 2015 11:23
Score: -3
Posts: 21
User Since: 24th Feb 2011
System Score: N/A
Location: UK
PSI is showing that the latest version of Flash is 19.0.245 where in fact it is version 20.0...! So PSI is trying to install an older version over a newer one already installed! When I uninstall and reboot, PSI still thinks Flash is present and out of date! Wrong!!
Not acceptable to be pushing an older version of Flash when Adobe are offering the newer one. Not acceptable for PSI to think it is still present after an uninstall. Not acceptable to try to 'update' with a now superseded version.
Maurice Joyce RE: Adobe Flash Player Multiple Vulnerabilities
Handling Contributor 9th Dec, 2015 14:11
Score: 12325
Posts: 9,575
User Since: 4th Jan 2009
System Score: N/A
Location: UK
You have not stated what OS you are using or whether you are referring to the update of IE or a third party browser.

I have just tested what you claim using Windows 7 and it all works and shows in PSI if installed correctly. Details here:

https://1ncuig-ch3302.files.1drv.com/y3pGUw32umZiv...

If you are using Windows 8 or 8.1 or 10 then it was updated by Microsoft yesterday and once again scans and shows perfectly using PSI. Updating of these three OS's is the responsibility of Microsoft and requires no action by the user or PSI because it is controlled via Windows Update.

If when using Windows 7, the problem persists after a full PSI scan I would check the path to the vulnerability PSI gives you and manually delete the offending file. Almost certainly it will be an old OCX file which is a common updating problem with Adobe Flash.

I do not use third-party browsers so cannot help if you have issues with any.

The Support Staff are not active on this Forum. If you cannot find a solution I would contact them by email with screenshots of your evidence on what is a fairly serious matter for a security Company if you are correct.

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1809 Build 17763.404
16 GB RAM
IE & Edge Only
MikePerry RE: Adobe Flash Player Multiple Vulnerabilities
Member 9th Dec, 2015 18:51
Score: -3
Posts: 21
User Since: 24th Feb 2011
System Score: N/A
Location: UK
I am using W8.1 64 bit with Firefox. It was only updated for IE by Microsoft. Firefox needs the Adobe application and that is now at version 20.0... but PSI is still showing the latest as 19.0.245 - which is clearly wrong.
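The leftover-file check suggested in the thread (an old OCX file that a scanner keeps detecting after an update) can be done by listing every Flash binary with its embedded file version. The script below is an added example, not part of the thread and not Secunia's or Adobe's code; it assumes the default `Macromed\Flash` directories under the Windows folder and PowerShell 3.0 or later, and it only reports, it does not delete anything.

```powershell
# Assumption: default Flash Player install directories (not stated in the thread).
$flashDirs = @(
    (Join-Path $env:windir 'System32\Macromed\Flash'),
    (Join-Path $env:windir 'SysWOW64\Macromed\Flash')
) | Where-Object { Test-Path $_ }

# Collect ActiveX controls (*.ocx, used by IE) and plugin DLLs (used by
# third-party browsers) together with the version stored in each file.
$files = foreach ($dir in $flashDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.ocx', '.dll' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from the numeric parts; the FileVersion string
            # is not used because its separator format is not guaranteed.
            $ver = New-Object System.Version -ArgumentList `
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            [pscustomobject]@{
                Path     = $_.FullName
                Type     = $_.Extension.ToLower()
                Version  = $ver
                Modified = $_.LastWriteTime
            }
        }
}

if (-not $files) {
    Write-Output 'No Flash binaries found in the assumed directories.'
    return
}

# Within each file type, anything older than the newest version present is a
# candidate leftover that a scanner may still report as an outdated install.
$files | Group-Object Type | ForEach-Object {
    $newest = ($_.Group | Sort-Object Version -Descending | Select-Object -First 1).Version
    $_.Group | Select-Object Path, Version, Modified,
        @{ Name = 'Stale'; Expression = { $_.Version -lt $newest } }
} | Sort-Object Path | Format-Table -AutoSize
```

A row with `Stale = True` is the kind of file to compare against the path the scanner reports before removing it manually.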