Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Security Advisories

Security Advisory - August 14, 2018

Zscaler protects against 3 new vulnerabilities for Adobe Flash Player

Zscaler, working with Microsoft through their MAPP program, has proactively deployed protections for the following 3 vulnerabilities included in the August 2018 Adobe security bulletins. Zscaler will continue to monitor exploits associated with all vulnerabilities in the August release and deploy additional protections as necessary.

APSB18-25 – Security updates available for Flash Player

Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address important vulnerabilities in Adobe Flash Player and earlier versions.  Successful exploitation could lead to arbitrary code execution in the context of the current user.

 Severity: Important

Affected Software

  • Adobe Flash Player Desktop Runtime and earlier versions
  • Adobe Flash Player for Google Chrome and earlier versions
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 and earlier versions

CVE-2018-12824 – Adobe Flash Player Out of Bounds Read Vulnerability

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the ID3 string decoding. A malformed “COMM” string input leads to flawed computation that involves pointer offset arithmetic which does not adequately account for the buffer boundaries. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2018-12825 – Adobe Flash Player Security Bypass Vulnerability

This vulnerability is an instance of a security bypass vulnerability. Specifically, the vulnerability exists in the mechanism that handles Flash content embedded within an Office document that can allow bypass of click-to play security mechanism.

CVE-2018-12826 – Adobe Flash Player Out of Bounds Read Vulnerability

The vulnerability is caused by the computation that reads data past the end of the intended buffer; the computation is part of the ActionScript 3 VM that handles native code constructor calls. Crafted SWF input triggers the flawed computation where pointer arithmetic is not appropriately checked against boundary conditions, which leads to memory write operation through the pointer that points to an invalid memory location. The vulnerability is a result of out of range pointer offset that is used to access sub-elements of an internal data structure. An attacker can potentially leverage the vulnerability to leak sensitive data (e.g., memory addresses).