TA15-195A: Adobe Flash and Microsoft Windows Vulnerabilities

["US-CERT" <US-CERT () ncas us-cert gov>]

NCCIC / US-CERT

National Cyber Awareness System:

TA15-195A: Adobe Flash and Microsoft Windows Vulnerabilities [ https://www.us-cert.gov/ncas/alerts/TA15-195A ] 
07/14/2015 07:13 PM EDT 
Original release date: July 14, 2015

Systems Affected

Microsoft Windows systems with Adobe Flash Player installed.

Overview

Used in conjunction, recently disclosed vulnerabilities in Adobe Flash and Microsoft Windows may allow a remote 
attacker to execute arbitrary code with system privileges. Since attackers continue to target and find new 
vulnerabilities in popular, Internet-facing software, updating is not sufficient, and it is important to use exploit 
mitigation and other defensive techniques.

Description

The following vulnerabilities illustrate the need for ongoing mitigation techniques and prioritization of updates for 
highly targeted software:


  * _Adobe Flash use-after-free and memory corruption vulnerabilities (CVE-2015-5119 [ 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119 ], CVE-2015-5122 [ 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5122 ], CVE-2015-5123 [ 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5123 ]) _Adobe Flash Player contains critical vulnerabilities 
within the ActionScript 3 ByteArray, opaqueBackground and BitmapData classes. Exploitation of these vulnerabilities 
could allow a remote attacker to execute arbitrary code on a vulnerable system. 
  * _Microsoft Windows Adobe Type Manager privilege escalation vulnerability (CVE-2015-2387)_
The Adobe Type Manager module contains a memory corruption vulnerability, which can allow an attacker to obtain system 
privileges on an affected Windows system. The Adobe Type Manager is a Microsoft Windows component present in every 
version since NT 4.0. The primary impact of exploiting this vulnerability is local privilege escalation. 

_Vulnerability Chaining_

By convincing a user to visit a website or open a file containing specially crafted Flash content, an attacker could 
combine any one of the three Adobe Flash vulnerabilities with the Microsoft Windows vulnerability to take full control 
of an affected system.

A common attack vector for exploiting a Flash vulnerability is to entice a user to load Flash content in a web browser, 
and most web browsers have Flash installed and enabled. A second attack vector for Flash vulnerabilities is through a 
file (such as an email attachment) that embeds Flash content. Another technique leverages Object Linking and Embedding 
(OLE) capabilities in Microsoft Office documents to automatically download Flash content from a remote server.

An attacker who is able to execute arbitrary code through the Flash vulnerability could exploit the Adobe Type Manager 
vulnerability to gain elevated system privileges. The Adobe Type Manager vulnerability allows the attacker to bypass 
sandbox defenses (such as those found in Adobe Reader and Google Chrome) and low integrity protections (such as 
Protected Mode Internet Explorer and Protected View for Microsoft Office).

Impact

The Adobe Flash vulnerabilities can allow a remote attacker to execute arbitrary code. Exploitation of the Adobe Type 
Manager vulnerability could then allow the attacker to execute code with system 
https://www.microsoft.com/en-us/download/details.aspx?id=46366privileges.

Solution

Since attackers regularly target widely deployed, Internet-accessible software such as Adobe Flash and Microsoft 
Windows, it is important to prioritize updates for these products to defend against known vulnerabilities.

Since attackers regularly discover new vulnerabilities for which updates do not exist, it is important to enable 
exploit mitigation and other defensive techniques.

_Apply Security Updates_

The Adobe Flash vulnerabilities (CVE-2015-5119 [ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119 ], 
CVE-2015-5122 [ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5122 ], CVE-2015-5123 [ 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5123 ]) are addressed in Adobe Security Bulletins APSB15-16  [ 
http://helpx.adobe.com/security/products/flash-player/apsb15-16.html ]and APSB15-18 [ 
https://helpx.adobe.com/security/products/flash-player/apsb15-18.html ]. Users are encouraged to review the Bulletins 
and apply the necessary updates.

The Microsoft Windows Adobe Type Manager vulnerability (CVE-2015-2387) is addressed in Microsoft security Bulletin 
MS15-077 [ https://technet.microsoft.com/en-us/library/security/MS15-077 ]. Users are encouraged to review the Bulletin 
and apply the necessary updates.

Additional information regarding the vulnerabilities can be found in Vulnerability Notes VU#561288 [ 
http://www.kb.cert.org/vuls/id/561288 ], VU#338736 [ http://www.kb.cert.org/vuls/id/338736 ], VU#918568 [ 
http://www.kb.cert.org/vuls/id/918568 ], and VU#103336 [ http://www.kb.cert.org/vuls/id/103336 ].

_Limit Flash Content_

Do not run untrusted Flash content. Most web browsers have Flash enabled by default, however, it may be possible to 
enable click-to-play features. For information see  
http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/

_*Use the Microsoft Enhanced Mitigation Experience Toolkit (EMET)*_

EMET can be used to help prevent exploitation of the Flash vulnerabilities. In particular, Attack Surface Reduction 
(ASR) can be configured to help restrict Microsoft Office and Internet Explorer from loading the Flash ActiveX control. 
See the following link for additional information: http://www.microsoft.com/en-us/download/details.aspx?id=46366

References

  * [1] http://www.kb.cert.org/vuls/id/561288 [ http://www.kb.cert.org/vuls/id/561288 ] 
  * [2] http://www.kb.cert.org/vuls/id/103336 [ http://www.kb.cert.org/vuls/id/103336 ] 
  * [3] http://www.kb.cert.org/vuls/id/338736 [ http://www.kb.cert.org/vuls/id/338736 ] 
  * [4] http://www.kb.cert.org/vuls/id/918568 [ http://www.kb.cert.org/vuls/id/918568 ] 
  * [5] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119 [ 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119 ] 
  * [6] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119 [ 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5122 ] 
  * [7] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5123 [ 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5123 ] 
  * [8] http://helpx.adobe.com/security/products/flash-player/apsb15-16.html [ 
http://helpx.adobe.com/security/products/flash-player/apsb15-16.html ] 
  * [9] https://helpx.adobe.com/security/products/flash-player/apsb15-18.html [ 
https://helpx.adobe.com/security/products/flash-player/apsb15-18.html ] 
  * [10] http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser [ 
http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser ] 
  * [11] https://www.microsoft.com/en-us/download/details.aspx?id=46366 [ 
http://www.microsoft.com/en-us/download/details.aspx?id=46366 ] 

Revision History

  * July 14, 2015: Initial Release 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ 
http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ 
http://www.us-cert.gov/related-resources ] 

STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]