23 Security Vulnerabilities Fixed in Adobe Flash Player 19.0.0.185

[Batu69]

Most bugs resolved remote code execution issues

We previously reported about the new release of Adobe Flash Player 19.0.0.185 earlier today, but now Adobe has released the security bulletin accompanying this new version, and the team had been busy patching up no less than 23 critical security bugs.

18 of these 23 vulnerabilities address issues that would have allowed attackers to remotely execute code on the affected machines. These are highly critical bugs, which could easily allow attackers to take over machines by running arbitrary code. These are as follows.

The 18 vulnerabilities that lead to remote code execution are...

CVE-2015-5573 fixed a bug related to a type confusion. CVE-2015-5570, CVE-2015-5574, CVE-2015-5581, CVE-2015-5584, and CVE-2015-6682 fixed use-after-free vulnerabilities.

CVE-2015-5575, CVE-2015-5577, CVE-2015-5578, CVE-2015-5580, CVE-2015-5582, CVE-2015-5588, and CVE-2015-6677 resolved memory corruption vulnerabilities, which indirectly led to remote code execution.

CVE-2015-6676 and CVE-2015-6678 fixed classic buffer overflow issues, while CVE-2015-5567 and CVE-2015-5579 resolved stack corruption vulnerabilities.

CVE-2015-5587 was the last security patch that fixed a remote code execution issue by solving a stack overflow bug.

Other security fixes included with Adobe Flash Player 19.0.0.185

Besides the aforementioned fixes, other security-related bugs were squashed, like CVE-2015-5572, which fixed a security bypass vulnerability that could lead to information disclosure, CVE-2015-5576, which resolved a memory leak issue, and CVE-2015-5568, which improved protection measures against vector length corruptions.

On top of these, there's CVE-2015-6679, which enabled attackers to bypass browser built-in same-origin-policy measures, and leak information about users.

Last but not least, CVE-2015-5571 added extra validation checks in Flash's mitigation system to help it reject malicious content arriving via infected JSONP callback APIs.

Unlike the security vulnerabilities that were found in Flash during the summer via the Hacking Team leak, these ones were properly disclosed to the company, which had time to fix them.

This is a welcome change back to the normal routine at Adobe, which has been put under criticism for not fixing Flash quickly enough to resolve the Hacking Team bugs.

Source

[Cereberus]

also related

http://www.nsaneforums.com/topic/252325-windows-10-security-update-kb3087040-error-0x80004005/?view=getnewpost

there is a failure to install this security patch for windows 10. lots of people are having this issue. i posted a fix in the thread linked above.

[212eta]

I :beg: for the day when

Adobe Flash

will vanish...

[rudrax]

Enough with this creepy flash player. Why no switch HTML5?

[steven36]

Enough with this creepy flash player. Why no switch HTML5?

HTML5 is just as creepy and cant be disabled like flash and its full of exploits too. It like replacing one virus for one that cant be really be controlled. If flash goes away with in a year most exploits will be exploded though HTML5 many already are that why people install stuff like policeman ,no script and canvas block. even very old vulnerabilities are still in HTML5

http://labs.securitycompass.com/web-applications/1024/

[dcs18]

Enough with this creepy flash player. Why no switch HTML5?

Had already made the switch quite long ago — HTML5 renders faster than flash player, for me (the difference is not just perceptible — it is quite obvious.) ^_^

[Cereberus]

Enough with this creepy flash player. Why no switch HTML5?

HTML5 is just as creepy and cant be disabled like flash and its full of exploits too. It like replacing one virus for one that cant be really be controlled. If flash goes away with in a year most exploits will be exploded though HTML5 many already are that why people install stuff like policeman ,no script and canvas block. even very old vulnerabilities are still in HTML5

http://labs.securitycompass.com/web-applications/1024/

are they planning on working on a solution ? and will they fix this ?

what i do know is html5 purportedly can do some of flash functions without necessitating installing any third party plugins. not fully sure if thats a good or bad thing :x

[steven36]

Enough with this creepy flash player. Why no switch HTML5?

HTML5 is just as creepy and cant be disabled like flash and its full of exploits too. It like replacing one virus for one that cant be really be controlled. If flash goes away with in a year most exploits will be exploded though HTML5 many already are that why people install stuff like policeman ,no script and canvas block. even very old vulnerabilities are still in HTML5

http://labs.securitycompass.com/web-applications/1024/

are they planning on working on a solution ? and will they fix this ?

what i do know is html5 purportedly can do some of flash functions without necessitating installing any third party plugins. not fully sure if thats a good or bad thing :x

I use html5 too its nothing to switch too its already built in since Firefox 33 back in 2014 Google enforces HTML5 use on YouTube for Firefox.

http://www.ghacks.net/2014/07/17/google-enforces-html5-youtube-firefox-33-newer/

I use canvas blocker and policeman with it can be kind of be controlled as long as you use 3rd party add-ons but never can it be fully prevented like turning flash off . As far as Flash unless you only visit YouTube and the few other sites that have support for HTML5 you want be able to view videos on the sites that only has flash still unless you turn it on to watch them . its sort like XP as long as Software developers make updates for there products some people will still use it . As long as many video sites only support flash there always be a demand for it.

I keep flash turned off when not using it to watch videos . HTML5 runs all the time so for me its much more of a security risk than flash.

Flash is security risk because people dont know how to use it.

a. Some still dont use adblockers to block ads ran on flash.

b. Some never turn it off or use flashblock

Java i dont have any use for it all anymore. ( I only use Java free products)

so i dont install it anymore .