[Japanese]

JVNDB-2015-005234

Adobe Flash Player issue where iframe contents may be overwritten

Overview

Adobe Flash Player contains an issue where the same-origin policy may be bypassed leading to iframe contents being overwritten.

Tokuji Akamine reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


Google
  • Google Chrome
Adobe Systems, Inc.
  • Adobe AIR Desktop Runtime before 19.0.0.213 (Windows/Macintosh)
  • Adobe AIR SDK before 19.0.0.213 (Windows/Macintosh/Android/iOS)
  • Adobe AIR SDK & Compiler before 19.0.0.213 (Windows/Macintosh/Android/iOS)
  • Adobe Flash Player Desktop Runtime before 19.0.0.207 (Windows/Macintosh)
  • Adobe Flash Player Extended Support Release before 18.0.0.252 (Windows/Macintosh)
  • Adobe Flash Player before 11.2.202.535 (Linux)
  • Adobe Flash Player before 19.0.0.207 (Chrome on Windows/Macintosh/Linux/ChromeOS)
  • Adobe Flash Player before 19.0.0.207 (Internet Explorer 10/11 on Windows 8.0 and 8.1)
  • Adobe Flash Player before 19.0.0.207 (Microsoft Edge/Internet Explorer 11 on Windows 10)
Microsoft Corporation
  • Microsoft Edge (Windows 10)
  • Microsoft Internet Explorer 10 (Windows 8/Windows Server 2012/Windows RT)
  • Microsoft Internet Explorer 11 (Windows 8.1/Windows Server 2012 R2/Windows RT 8.1)

Impact

Processing specially crafted Flash content may lead to iframe contents being overwritten.
Solution

[Apply an Update]
Update to the latest version according to the information provided by the developer.

This issue was addressed in the update released on October 13, 2015.
Vendor Information

Google Adobe Systems, Inc. Microsoft Corporation FUJITSU
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2015-7628
References

  1. JVN : JVN#22533124
  2. National Vulnerability Database (NVD) : CVE-2015-7628
  3. IPA SECURITY ALERTS : Security Alert for Vulnerability in Adobe Flash Player (APSB15-25)(CVE-2015-7628 and others) (in Japanese)
  4. JPCERT REPORT : JPCERT-AT-2015-0036
  5. @Police : For Adobe Flash Player security fix (2015/10/14) (in Japanese)
Revision History

  • [2015/12/17]
      Web page was published

Date Public2015/10/13
Date First Published2015/12/17
Date Last Updated2015/12/17