
Adobe Releases Security Updates for Flash Player, Acrobat, Reader, Shockwave Player


Adobe has released security updates for Flash Player, Reader, Acrobat and Shockwave Player. The most important of these updates fixes two Flash Player zero-day vulnerabilities identified by researchers in the Hacking Team leak.

The Flash Player zero-day bugs are CVE-2015-5122, reported to Adobe by Dhanesh Kizhakkinan of FireEye, and CVE-2015-5123, reported by Peter Pi of Trend Micro and the researcher known as “slipstream/RoL.” These use-after-free (UAF) vulnerabilities affect Flash Player and earlier, and they allow a remote, unauthenticated attacker to execute arbitrary code on affected systems.

Adobe has patched the flaws with a new release of Flash Player. Google has updated Chrome and Microsoft has updated Internet Explorer to ensure that users are protected against potential attacks exploiting these vulnerabilities.

The exploit for CVE-2015-5122 had already been integrated into several exploit kits, including Angler, RIG, Neutrino and Nuclear Pack, before Adobe released the patch.

A total of three Flash Player zero-days have been uncovered by experts in the Hacking Team leak. Adobe released a patch for the first zero-day (CVE-2015-5119) shortly after the bug’s existence came to light.

Mozilla announced recently that all versions of the Flash Player plugin have been disabled by default in Firefox until Adobe releases an update to patch the vulnerabilities.

The latest series of security holes has once again prompted experts to warn users about the risks associated with the use of Flash Player. Facebook’s recently appointed CSO, Alex Stamos, said “it is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.”

“Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once,” Stamos wrote on Twitter.

In a blog post coinciding with the release of the security updates, Adobe said the company is actively working on improving Flash Player security.

“Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers. We are actively working to improve Flash Player security, and as we did in this case, will work to quickly address issues when they are discovered,” Adobe said. “We continue to partner with browser vendors to both improve Flash Player security as well as invest in, contribute to and support more modern technologies such as HTML5 and JavaScript.”

Security updates for Adobe Reader, Acrobat and Shockwave Player

Adobe has also released patches for Reader and Acrobat. The latest versions address a total of 46 vulnerabilities, including denial-of-service (DoS), arbitrary code execution, information disclosure, and restriction bypass flaws.

Independent researchers and experts from HP’s Zero Day Initiative, MWR Labs, Google Project Zero, the Alibaba Security Research Team, Minded Security, and the Nanyang Technological University have been credited with reporting these vulnerabilities.

As for Shockwave Player, Adobe has addressed two critical memory corruption vulnerabilities (CVE-2015-5120, CVE-2015-5121) identified by researchers at Fortinet. The flaws can be exploited for arbitrary code execution.

Adobe says it’s not aware of exploits targeting any of these vulnerabilities.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
