
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   ANTI_VIRUS      Anti-Virus Discussion & News      523 messages   


   Message 271 of 523   
   Ben Ritchey to All   
   US-CERT alert   
   15 Jul 15 01:15:55   
   
   NCCIC / US-CERT   
      
   National Cyber Awareness System:   
      
   TA15-195A: Adobe Flash and Microsoft Windows Vulnerabilities   
   07/14/2015 07:13 PM EDT   
      
      
   Original release date: July 14, 2015   
      
   Systems Affected   
   Microsoft Windows systems with Adobe Flash Player installed.   
      
   Overview   
   Used in conjunction, recently disclosed vulnerabilities in Adobe Flash and   
   Microsoft Windows may allow a remote attacker to execute arbitrary code with   
   system privileges. Since attackers continue to target and find new   
   vulnerabilities in popular, Internet-facing software, updating is not   
   sufficient, and it is important to use exploit mitigation and other defensive   
   techniques.   
      
   Description   
   The following vulnerabilities illustrate the need for ongoing mitigation   
   techniques and prioritization of updates for highly targeted software:   
      
   Adobe Flash use-after-free and memory corruption vulnerabilities
   (CVE-2015-5119, CVE-2015-5122, CVE-2015-5123)
   Adobe Flash Player contains critical vulnerabilities within the
   ActionScript 3 ByteArray, opaqueBackground and BitmapData classes.
   Exploitation of these vulnerabilities could allow a remote attacker to
   execute arbitrary code on a vulnerable system.

   Microsoft Windows Adobe Type Manager privilege escalation vulnerability
   (CVE-2015-2387)
   The Adobe Type Manager module contains a memory corruption vulnerability,
   which can allow an attacker to obtain system privileges on an affected Windows
   system. The Adobe Type Manager is a Microsoft Windows component present in
   every version since NT 4.0. The primary impact of exploiting this
   vulnerability is local privilege escalation.

   Vulnerability Chaining
   By convincing a user to visit a website or open a file containing specially
   crafted Flash content, an attacker could combine any one of the three Adobe
   Flash vulnerabilities with the Microsoft Windows vulnerability to take full
   control of an affected system.
      
   A common attack vector for exploiting a Flash vulnerability is to entice a   
   user to load Flash content in a web browser, and most web browsers have Flash   
   installed and enabled. A second attack vector for Flash vulnerabilities is   
   through a file (such as an email attachment) that embeds Flash content.   
   Another technique leverages Object Linking and Embedding (OLE) capabilities in   
   Microsoft Office documents to automatically download Flash content from a   
   remote server.   
      
   An attacker who is able to execute arbitrary code through the Flash   
   vulnerability could exploit the Adobe Type Manager vulnerability to gain   
   elevated system privileges. The Adobe Type Manager vulnerability allows the   
   attacker to bypass sandbox defenses (such as those found in Adobe Reader and   
   Google Chrome) and low integrity protections (such as Protected Mode Internet   
   Explorer and Protected View for Microsoft Office).   
      
   Impact   
   The Adobe Flash vulnerabilities can allow a remote attacker to execute   
   arbitrary code. Exploitation of the Adobe Type Manager vulnerability could   
   then allow the attacker to execute code with system privileges.
      
   Solution   
   Since attackers regularly target widely deployed, Internet-accessible software   
   such as Adobe Flash and Microsoft Windows, it is important to prioritize   
   updates for these products to defend against known vulnerabilities.   
      
   Since attackers regularly discover new vulnerabilities for which updates do   
   not exist, it is important to enable exploit mitigation and other defensive   
   techniques.   
      
   Apply Security Updates   
   The Adobe Flash vulnerabilities (CVE-2015-5119, CVE-2015-5122, CVE-2015-5123)   
   are addressed in Adobe Security Bulletins APSB15-16 and APSB15-18. Users are   
   encouraged to review the Bulletins and apply the necessary updates.   
      
   The Microsoft Windows Adobe Type Manager vulnerability (CVE-2015-2387) is
   addressed in Microsoft Security Bulletin MS15-077. Users are encouraged to
   review the Bulletin and apply the necessary updates.
      
   Additional information regarding the vulnerabilities can be found in   
   Vulnerability Notes VU#561288, VU#338736, VU#918568, and VU#103336.   
      
   Limit Flash Content   
   Do not run untrusted Flash content. Most web browsers have Flash enabled by
   default; however, it may be possible to enable click-to-play features. For
   information see
   http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/
      
   Use the Microsoft Enhanced Mitigation Experience Toolkit (EMET)   
   EMET can be used to help prevent exploitation of the Flash vulnerabilities. In   
   particular, Attack Surface Reduction (ASR) can be configured to help restrict   
   Microsoft Office and Internet Explorer from loading the Flash ActiveX control.   
   See the following link for additional information:
   http://www.microsoft.com/en-us/download/details.aspx?id=46366
      
   References   
   [1] http://www.kb.cert.org/vuls/id/561288   
   [2] http://www.kb.cert.org/vuls/id/103336   
   [3] http://www.kb.cert.org/vuls/id/338736   
   [4] http://www.kb.cert.org/vuls/id/918568   
   [5] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119   
   [6] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119   
   [7] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5123   
   [8] http://helpx.adobe.com/security/products/flash-player/apsb15-16.html   
   [9] https://helpx.adobe.com/security/products/flash-player/apsb15-18.html   
   [10] http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser
   [11] https://www.microsoft.com/en-us/download/details.aspx?id=46366   
   Revision History   
   July 14, 2015: Initial Release   
      
   ------------------------------------------------------------------------------
      
   This product is provided subject to this Notification and this Privacy & Use   
   policy.   
      
      
   ------------------------------------------------------------------------------
   A copy of this publication is available at www.us-cert.gov. If you need help   
   or have questions, please send an email to info@us-cert.gov. Do not reply to   
   this message since this email was sent from a notification-only address that   
   is not monitored. To ensure you receive future US-CERT products, please add   
   US-CERT@ncas.us-cert.gov to your address book.   
      
      
      
   --   
   Guardien Fide   :^)   
      
      Ben  aka cMech  Web: http://cmech.dynip.com   
                    Email: fido4cmech(at)lusfiber.net   
                 Home page: http://cmech.dynip.com/homepage/   
              WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1   
      
   --- GoldED+/W32-MSVC   
    * Origin: FIDONet - The Positronium Repository (1:393/68)   
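
The alert describes Office documents that use OLE to load Flash content, and recommends restricting Office from loading the Flash ActiveX control. The following is an added example, not part of the original message or of the US-CERT alert: a triage check a mail gateway or analyst could run over OOXML attachments (.docx/.xlsx/.pptx) to flag parts that reference the Flash ActiveX control or carry an embedded SWF. The function names, the size limit and the sample documents are assumptions made for illustration; the SWF signature match is a heuristic.

```python
import io
import re
import zipfile

# CLSID of the Shockwave Flash ActiveX control as it appears in ax:classid.
FLASH_CLSID = b"D27CDB6E-AE6D-11CF-96B8-444553540000"
# SWF signatures (uncompressed, zlib, LZMA) followed by a plausible version byte.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40]")
MAX_PART_SIZE = 50 * 1024 * 1024  # assumed limit; guards against zip bombs


def scan_ooxml(data: bytes) -> list[str]:
    """Return findings for Flash references inside an OOXML attachment."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy OLE2 files (.doc/.xls/.ppt) are not zip archives and
        # need a compound-file parser instead.
        return ["not-ooxml"]
    with archive:
        for info in archive.infolist():
            if info.file_size > MAX_PART_SIZE:
                findings.append(f"{info.filename}: skipped (oversized part)")
                continue
            part = archive.read(info)
            # The CLSID may be written in either case inside the XML part.
            if FLASH_CLSID in part.upper():
                findings.append(f"{info.filename}: Flash ActiveX CLSID")
            # Only binary parts (activeX*.bin, oleObject*.bin) are checked
            # for SWF signatures, to limit false positives.
            if info.filename.lower().endswith(".bin") and SWF_MAGIC.search(part):
                findings.append(f"{info.filename}: embedded SWF signature")
    return findings


def build_sample(with_flash: bool) -> bytes:
    """Constructed sample document for the demo; contains no real Flash content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            z.writestr("word/activeX/activeX1.xml",
                       '<ax:ocx ax:classid="{d27cdb6e-ae6d-11cf-96b8-444553540000}"/>')
            z.writestr("word/activeX/activeX1.bin", b"\x00\x00CWS\x0b" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_ooxml(build_sample(with_flash=True)):
        print(finding)
```

A hit is a reason to quarantine or inspect the attachment, not proof of exploitation; legitimate documents can embed Flash as well.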



(c) 1994,  bbs@darkrealms.ca