Flash 0-Day: Deciphering CVEs and Understanding Patches

Published: 2015-01-23
Last Updated: 2015-01-25 02:30:43 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

(updated with Jan 24th update)

The last two weeks, we so far had two different Adobe advisories (one regularly scheduled, and one "out of band"), and three new vulnerabilities. I would like to help our readers deciphering some of the CVEs and patches that you may have seen.

CVE Fixed in Flash Version  Currently Used in Attacks Advisory
CVE-2014-8440 (Nov. 2014) yes APSB14-24
several (mid Jan 2015) yes. APSB15-01
CVE-2015-0310 (late Jan 2015) yes APSB15-02
CVE-2015-0311 (Jan 24th 2015) yes APSA15-01

So in short: There is still one unpatched Flash vulnerability. System running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1 and the vulnerability is not exposed via Chrome. EMET appears to help, so may other tools like Malwarebytes Anti-Exploit.

Johannes B. Ullrich, Ph.D.

Keywords: flash
9 comment(s)
Diary Archives