(cache) Adobe Security Bulletin

Release date: August 11, 2015

Vulnerability identifier: APSB15-19

CVE number: CVE-2015-3107, CVE-2015-5124, CVE-2015-5125, CVE-2015-5127, CVE-2015-5128, CVE-2015-5129, CVE-2015-5130, CVE-2015-5131, CVE-2015-5132, CVE-2015-5133, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5541, CVE-2015-5544, CVE-2015-5545, CVE-2015-5546, CVE-2015-5547, CVE-2015-5548, CVE-2015-5549, CVE-2015-5550, CVE-2015-5551, CVE-2015-5552, CVE-2015-5553, CVE-2015-5554, CVE-2015-5555, CVE-2015-5556, CVE-2015-5557, CVE-2015-5558, CVE-2015-5559, CVE-2015-5560, CVE-2015-5561, CVE-2015-5562, CVE-2015-5563, CVE-2015-5564

Platform: All Platforms

Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Product	Affected Versions	Platform
Adobe Flash Player Desktop Runtime	18.0.0.209 and earlier	Windows and Macintosh
Adobe Flash Player Extended Support Release	13.0.0.309 and earlier	Windows and Macintosh
Adobe Flash Player for Google Chrome	18.0.0.209 and earlier	Windows, Macintosh and Linux
Adobe Flash Player for Microsoft Edge and Internet Explorer 11	18.0.0.209 and earlier	Windows 10
Adobe Flash Player for Internet Explorer 10 and 11	18.0.0.209 and earlier	Windows 8.0 and 8.1
Adobe Flash Player for Linux	11.2.202.491 and earlier	Linux
AIR Desktop Runtime	18.0.0.180 and earlier	Windows and Macintosh
AIR SDK	18.0.0.180 and earlier	Windows, Macintosh, Android and iOS
AIR SDK & Compiler	18.0.0.180 and earlier	Windows, Macintosh, Android and iOS

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product	Updated Versions	Platform	Priority	Availability
Adobe Flash Player Desktop Runtime	18.0.0.232	Windows and Macintosh	1	Flash Player Download Center Flash Player Distribution
Adobe Flash Player Extended Support Release [2]	18.0.0.232	Windows and Macintosh	1	Extended Support
Adobe Flash Player for Google Chrome	18.0.0.232	Windows and Macintosh	1	Google Chrome Releases
Adobe Flash Player for Google Chrome	18.0.0.233	Linux and Chrome OS	3	Google Chrome Releases
Adobe Flash Player for Microsoft Edge and Internet Explorer 11	18.0.0.232	Windows 10	1	Microsoft Security Advisory
Adobe Flash Player for Internet Explorer 10 and 11	18.0.0.232	Windows 8.0 and 8.1	1	Microsoft Security Advisory
Adobe Flash Player for Linux	11.2.202.508	Linux	3	Flash Player Download Center
AIR Desktop Runtime	18.0.0.199	Windows and Macintosh	3	AIR Download Center
AIR SDK	18.0.0.199	Windows, Macintosh, Android and iOS	3	AIR SDK Download
AIR SDK & Compiler	18.0.0.199	Windows, Macintosh, Android and iOS	3	AIR SDK Download

Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player 18.0.0.232 by visiting the Adobe Flash Player Download Center or via the update mechanism within the product when prompted [1].
Adobe recommends users of the Adobe Flash Player Extended Support Release [2] update to version 18.0.0.232 by visiting http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.
Adobe recommends users of the Adobe Flash Player for Linux update to Adobe Flash Player 11.2.202.508 by visiting the Adobe Flash Player Download Center.
Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 18.0.0.232 on Windows and Macintosh, and version 18.0.0.233 for Linux and Chrome OS.
Adobe Flash Player installed with Microsoft Edge for Windows 10 will be automatically updated to the latest version, which will include Adobe Flash Player 18.0.0.232.
Adobe Flash Player installed with Internet Explorer 10 and 11 for Windows 8.0 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 18.0.0.232.
Adobe recommends users of the AIR desktop runtime, AIR SDK and AIR SDK & Compiler update to version 18.0.0.199 by visiting the AIR download center or the AIR developer center.
Please visit the Flash Player Help page for assistance in installing Flash Player.

[1] Users of Flash Player 11.2.x or later for Windows, or Flash Player 11.3.x or later for Macintosh, who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.

[2] Note: Beginning August 11, 2015, Adobe will update the version of the "Extended Support Release" from Flash Player 13 to Flash Player 18 for Macintosh and Windows. To stay current with all available security updates, users must install version 18 of the Flash Player Extended Support Release or update to the most recent available version. For full details, please see this blog post: http://blogs.adobe.com/flashplayer/2015/05/upcoming-changes-to-flash-players-extended-support-release-2.html

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2015-5128, CVE-2015-5554, CVE-2015-5555, CVE-2015-5558, CVE-2015-5562).
These updates include further hardening to a mitigation introduced in version 18.0.0.209 to defend against vector length corruptions (CVE-2015-5125).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-5550, CVE-2015-5551, CVE-2015-3107, CVE-2015-5556, CVE-2015-5130, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5557, CVE-2015-5559, CVE-2015-5127, CVE-2015-5563, CVE-2015-5561, CVE-2015-5124, CVE-2015-5564).
These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-5129, CVE-2015-5541).
These updates resolve buffer overflow vulnerabilities that could lead to code execution (CVE-2015-5131, CVE-2015-5132, CVE-2015-5133).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-5544, CVE-2015-5545, CVE-2015-5546, CVE-2015-5547, CVE-2015-5548, CVE-2015-5549, CVE-2015-5552, CVE-2015-5553).
These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-5560).

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

Kai Lu of Fortinet's FortiGuard Labs (CVE-2015-5129)
Chris Evans, Ben Hawkes and Mateusz Jurczyk of Google Project Zero (CVE-2015-5131, CVE-2015-5132, CVE-2015-5133, CVE-2015-5544, CVE-2015-5545, CVE-2015-5546, CVE-2015-5547, CVE-2015-5548)
Wang Wei of the Alibaba Security Research Team (CVE-2015-5124)
Natalie Silvanovich of Google Project Zero (CVE-2015-5550, CVE-2015-5551, CVE-2015-3107, CVE-2015-5554, CVE-2015-5555, CVE-2015-5556, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5557, CVE-2015-5558, CVE-2015-5562, CVE-2015-5560, CVE-2015-5564)
Chris Evans of Google Project Zero (CVE-2015-5549, CVE-2015-5125)
bilou, working with the Chromium Vulnerability Rewards Program (CVE-2015-5128, CVE-2015-5563, CVE-2015-5561, CVE-2015-5130, CVE-2015-5127)
Yuki Chen of Qihoo 360 Vulcan Team (CVE-2015-5552, CVE-2015-5553, CVE-2015-5559)
instruder of the Alibaba Security Research Team (CVE-2015-5541)

August 11, 2015: Updated the table of affected versions to include Adobe Flash Player for Microsoft Edge and Internet Explorer 11 on Windows 10. Also, added a reference to CVE-2015-5564, which was unintentionally omitted from the bulletin.

Adobe Security Bulletin

Security updates available for Adobe Flash Player

Summary

Affected Versions

Solution

Vulnerability Details

Acknowledgments

Revisions