
Security Advisory - August 14, 2018

Zscaler protects against 3 new vulnerabilities for Adobe Flash Player

 

 

Zscaler, working with Microsoft through their MAPP program, has proactively deployed protections for the following 3 vulnerabilities included in the August 2018 Adobe security bulletins. Zscaler will continue to monitor exploits associated with all vulnerabilities in the August release and deploy additional protections as necessary.

APSB18-25 – Security updates available for Flash Player

Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address important vulnerabilities in Adobe Flash Player 30.0.0.134 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.

 Severity: Important

Affected Software

  • Adobe Flash Player Desktop Runtime 30.0.0.134 and earlier versions
  • Adobe Flash Player for Google Chrome 30.0.0.134 and earlier versions
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 30.0.0.134 and earlier versions

CVE-2018-12824 – Adobe Flash Player Out of Bounds Read Vulnerability

This vulnerability results from a computation in the ID3 string decoding that reads data past the end of the target buffer. A malformed “COMM” string input leads to pointer offset arithmetic that does not adequately account for the buffer boundaries. The resulting invalid (out-of-range) pointer offset is then used to access fields of an internal data structure, which causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2018-12825 – Adobe Flash Player Security Bypass Vulnerability

This is a security bypass vulnerability. Specifically, it exists in the mechanism that handles Flash content embedded within an Office document and can allow bypass of the click-to-play security mechanism.

CVE-2018-12826 – Adobe Flash Player Out of Bounds Read Vulnerability

The vulnerability is caused by a computation that reads data past the end of the intended buffer; the computation is in the part of the ActionScript 3 VM that handles native code constructor calls. Crafted SWF input triggers the flawed computation, in which pointer arithmetic is not appropriately checked against boundary conditions, leading to a memory write operation through a pointer that points to an invalid memory location. The vulnerability results from an out-of-range pointer offset that is used to access sub-elements of an internal data structure. An attacker can potentially leverage the vulnerability to leak sensitive data (e.g., memory addresses).