Bugzilla – Bug 950474
VUL-0: CVE-2015-7645: flash-player: critical vulnerability affecting 11.2.202.535 used in Pawn Storm (APSA15-05)
Last modified: 2016-04-27 14:42:45 UTC
https://helpx.adobe.com/security/products/flash-player/apsa15-05.html

Security Advisory for Adobe Flash Player

Release date (of advisory): October 14, 2015
Vulnerability identifier: APSA15-05
CVE number: CVE-2015-7645
Platforms: Windows, Macintosh and Linux

Summary:
A critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player 19.0.0.207 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks. Adobe expects to make an update available during the week of October 19.

Affected software versions:
Adobe Flash Player 19.0.0.207 and earlier versions for Windows and Macintosh
Adobe Flash Player Extended Support Release version 18.0.0.252 and earlier 18.x versions
Adobe Flash Player 11.2.202.535 and earlier 11.x versions for Linux

IT media coverage is rolling, due to the combination of a previous release, researcher press release, vendor confirmation and active exploitation in targeted attacks:

http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/
http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-patched-adobe-flash/
http://www.zdnet.com/article/all-flash-versions-vulnerable-to-remote-control-attack-until-next-week/
http://www.theregister.co.uk/2015/10/15/adobe_patch_for_critical_flash_flaw/
http://www.theguardian.com/technology/2015/oct/14/flash-hit-by-another-zero-day-vulnerability
http://www.heise.de/security/meldung/Nach-Patchday-Flash-ueber-neue-Sicherheitsluecke-immer-noch-angreifbar-2846807.html
http://www.golem.de/news/ein-patch-und-ein-zero-day-adobe-kommt-mit-den-updates-nicht-hinterher-1510-116911.html

The update is not yet available. https://get.adobe.com/cz/flashplayer/ still points to 11.2.202.535, which is vulnerable according to APSA15-05:

Affected software versions
Adobe Flash Player 11.2.202.535 and earlier 11.x versions for Linux

Update expected to be available week of October 19th.
Submitted 11.2.202.540
This is an autogenerated message for OBS integration:
This bug (950474) was mentioned in
https://build.opensuse.org/request/show/339264 Factory:NonFree / flash-player
https://build.opensuse.org/request/show/339265 Leap:42.1:NonFree / flash-player
https://build.opensuse.org/request/show/339266 13.1:NonFree+13.2:NonFree+Leap:42.1:NonFree / flash-player.openSUSE_Leap_42.1+flash-player
https://build.opensuse.org/request/show/339267 Factory / flash-player

openSUSE-SU-2015:1768-1: An update that fixes one vulnerability is now available.
Category: security (critical)
Bug References: 950474
CVE References: CVE-2015-7645
Sources used:
openSUSE 13.2:NonFree (src): flash-player-11.2.202.540-2.76.1
openSUSE 13.1:NonFree (src): flash-player-11.2.202.540-141.1

SUSE-SU-2015:1770-1: An update that fixes one vulnerability is now available.
Category: security (critical)
Bug References: 950474
CVE References: CVE-2015-7645
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): flash-player-11.2.202.540-108.1
SUSE Linux Enterprise Desktop 12 (src): flash-player-11.2.202.540-108.1

SUSE-SU-2015:1771-1: An update that fixes one vulnerability is now available.
Category: security (critical)
Bug References: 950474
CVE References: CVE-2015-7645
Sources used:
SUSE Linux Enterprise Desktop 11-SP4 (src): flash-player-11.2.202.540-0.23.1
SUSE Linux Enterprise Desktop 11-SP3 (src): flash-player-11.2.202.540-0.23.1

openSUSE-SU-2015:1781-1: An update that fixes 71 vulnerabilities is now available.
Category: security (critical)
Bug References: 941239,946880,950169,950474
CVE References: CVE-2015-3107,CVE-2015-5124,CVE-2015-5125,CVE-2015-5127,CVE-2015-5128,CVE-2015-5129,CVE-2015-5130,CVE-2015-5131,CVE-2015-5132,CVE-2015-5133,CVE-2015-5134,CVE-2015-5539,CVE-2015-5540,CVE-2015-5541,CVE-2015-5544,CVE-2015-5545,CVE-2015-5546,CVE-2015-5547,CVE-2015-5548,CVE-2015-5549,CVE-2015-5550,CVE-2015-5551,CVE-2015-5552,CVE-2015-5553,CVE-2015-5554,CVE-2015-5555,CVE-2015-5556,CVE-2015-5557,CVE-2015-5558,CVE-2015-5559,CVE-2015-5560,CVE-2015-5561,CVE-2015-5562,CVE-2015-5563,CVE-2015-5567,CVE-2015-5568,CVE-2015-5569,CVE-2015-5570,CVE-2015-5571,CVE-2015-5572,CVE-2015-5573,CVE-2015-5574,CVE-2015-5575,CVE-2015-5576,CVE-2015-5577,CVE-2015-5578,CVE-2015-5579,CVE-2015-5580,CVE-2015-5581,CVE-2015-5582,CVE-2015-5584,CVE-2015-5587,CVE-2015-5588,CVE-2015-6676,CVE-2015-6677,CVE-2015-6678,CVE-2015-6679,CVE-2015-6682,CVE-2015-7625,CVE-2015-7626,CVE-2015-7627,CVE-2015-7628,CVE-2015-7629,CVE-2015-7630,CVE-2015-7631,CVE-2015-7632,CVE-2015-7633,CVE-2015-7634,CVE-2015-7643,CVE-2015-7644,CVE-2015-7645
Sources used:
openSUSE Evergreen 11.4 (src): flash-player-11.2.202.540-176.1