某些 Creative Cloud 应用程序、服务和功能在中国不可用。
Release date: August 11, 2015
Last update: September 2, 2015
Vulnerability identifier: APSB15-19
Priority: See table below
CVE number: CVE-2015-5125, CVE-2015-5127, CVE-2015-5129, CVE-2015-5130, CVE-2015-5131, CVE-2015-5132, CVE-2015-5133, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5541, CVE-2015-5544, CVE-2015-5545, CVE-2015-5546, CVE-2015-5547, CVE-2015-5548, CVE-2015-5549, CVE-2015-5550, CVE-2015-5551, CVE-2015-5552, CVE-2015-5553, CVE-2015-5554, CVE-2015-5555, CVE-2015-5556, CVE-2015-5557, CVE-2015-5558, CVE-2015-5559, CVE-2015-5560, CVE-2015-5561, CVE-2015-5562, CVE-2015-5563, CVE-2015-5564, CVE-2015-5565, CVE-2015-5566, CVE-2015-6682
Platform: All Platforms
Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
| Product | Affected Versions | Platform |
|---|---|---|
| Adobe Flash Player Desktop Runtime | 18.0.0.209 and earlier |
Windows and Macintosh |
| Adobe Flash Player Extended Support Release | 13.0.0.309 and earlier | Windows and Macintosh |
| Adobe Flash Player for Google Chrome | 18.0.0.209 and earlier | Windows, Macintosh and Linux |
| Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 18.0.0.209 and earlier | Windows 10 |
| Adobe Flash Player for Internet Explorer 10 and 11 | 18.0.0.209 and earlier | Windows 8.0 and 8.1 |
| Adobe Flash Player for Linux | 11.2.202.491 and earlier | Linux |
| AIR Desktop Runtime | 18.0.0.180 and earlier | Windows and Macintosh |
| AIR SDK | 18.0.0.180 and earlier | Windows, Macintosh, Android and iOS |
| AIR SDK & Compiler | 18.0.0.180 and earlier | Windows, Macintosh, Android and iOS |
- To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
- To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote.
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
| Product | Updated Versions | Platform | Availability | |
|---|---|---|---|---|
| Adobe Flash Player Desktop Runtime |
18.0.0.232 | Windows and Macintosh |
1 | Flash Player Download Center Flash Player Distribution |
| Adobe Flash Player Extended Support Release [2] | 18.0.0.232 | Windows and Macintosh |
1 | Extended Support |
| Adobe Flash Player for Google Chrome | 18.0.0.232 | Windows and Macintosh | 1 | Google Chrome Releases |
| Adobe Flash Player for Google Chrome | 18.0.0.233 | Linux and Chrome OS | 3 | Google Chrome Releases |
| Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 18.0.0.232 | Windows 10 | 1 | Microsoft Security Advisory |
| Adobe Flash Player for Internet Explorer 10 and 11 | 18.0.0.232 | Windows 8.0 and 8.1 |
1 | Microsoft Security Advisory |
| Adobe Flash Player for Linux | 11.2.202.508 | Linux | 3 | Flash Player Download Center |
| AIR Desktop Runtime | 18.0.0.199 | Windows and Macintosh | 3 | AIR Download Center |
| AIR SDK | 18.0.0.199 | Windows, Macintosh, Android and iOS | 3 | AIR SDK Download |
| AIR SDK & Compiler | 18.0.0.199 | Windows, Macintosh, Android and iOS | 3 | AIR SDK Download |
- Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player 18.0.0.232 by visiting the Adobe Flash Player Download Center or via the update mechanism within the product when prompted [1].
- Adobe recommends users of the Adobe Flash Player Extended Support Release [2] update to version 18.0.0.232 by visiting http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.
- Adobe recommends users of the Adobe Flash Player for Linux update to Adobe Flash Player 11.2.202.508 by visiting the Adobe Flash Player Download Center.
- Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 18.0.0.232 on Windows and Macintosh, and version 18.0.0.233 for Linux and Chrome OS.
- Adobe Flash Player installed with Microsoft Edge for Windows 10 will be automatically updated to the latest version, which will include Adobe Flash Player 18.0.0.232.
- Adobe Flash Player installed with Internet Explorer 10 and 11 for Windows 8.0 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 18.0.0.232.
- Adobe recommends users of the AIR desktop runtime, AIR SDK and AIR SDK & Compiler update to version 18.0.0.199 by visiting the AIR download center or the AIR developer center.
- Please visit the Flash Player Help page for assistance in installing Flash Player.
- These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2015-5554, CVE-2015-5555, CVE-2015-5558, CVE-2015-5562).
- These updates include further hardening to a mitigation introduced in version 18.0.0.209 to defend against vector length corruptions (CVE-2015-5125).
- These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-5550, CVE-2015-5551, CVE-2015-5556, CVE-2015-5130, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5557, CVE-2015-5559, CVE-2015-5127, CVE-2015-5563, CVE-2015-5561, CVE-2015-5564, CVE-2015-5565, CVE-2015-5566, CVE-2015-6682).
- These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-5129, CVE-2015-5541).
- These updates resolve buffer overflow vulnerabilities that could lead to code execution (CVE-2015-5131, CVE-2015-5132, CVE-2015-5133).
- These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-5544, CVE-2015-5545, CVE-2015-5546, CVE-2015-5547, CVE-2015-5548, CVE-2015-5549, CVE-2015-5552, CVE-2015-5553).
- These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-5560).
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
- Kai Lu of Fortinet's FortiGuard Labs (CVE-2015-5129)
- Chris Evans, Ben Hawkes and Mateusz Jurczyk of Google Project Zero (CVE-2015-5131, CVE-2015-5132, CVE-2015-5133, CVE-2015-5544, CVE-2015-5545, CVE-2015-5546, CVE-2015-5547, CVE-2015-5548)
- Wang Wei of the Alibaba Security Research Team (CVE-2015-5566)
- Natalie Silvanovich of Google Project Zero (CVE-2015-5550, CVE-2015-5551, CVE-2015-5554, CVE-2015-5555, CVE-2015-5556, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5557, CVE-2015-5558, CVE-2015-5562, CVE-2015-5560, CVE-2015-5564, CVE-2015-5565)
- Chris Evans of Google Project Zero (CVE-2015-5549, CVE-2015-5125)
- bilou, working with the Chromium Vulnerability Rewards Program (CVE-2015-5563, CVE-2015-5561, CVE-2015-5130, CVE-2015-5127)
- Yuki Chen of Qihoo 360 Vulcan Team (CVE-2015-5552, CVE-2015-5553, CVE-2015-5559)
- instruder of the Alibaba Security Research Team (CVE-2015-5541)
- Peter Pi of TrendMicro (CVE-2015-6682)
August 11, 2015: Updated the table of affected versions to include Adobe Flash Player for Microsoft Edge and Internet Explorer 11 on Windows 10. Also, added a reference to CVE-2015-5564, which was unintentionally omitted from the bulletin.
August 12, 2015: Added a reference to CVE-2015-5565, a use-after-free issue similar to CVE-2015-3107. A fix for CVE-2015-3107 was introduced in APSB15-11, and has been strengthened in APSB15-19. Also, removed CVE-2015-5128, which was previously assessed to be a Type Confusion issue and has been re-classified as a non-exploitable crash due to a null pointer exception.
August 20, 2015: Replaced CVE-2015-5124 with CVE-2015-5566. CVE-2015-5124 was addressed in APSB15-16, and mistakenly re-used in APSB15-19.
September 2, 2015: Added a reference to CVE-2015-6682, a use-after-free vulnerability resolved in this release but unintentionally omitted from the bulletin.