Multiple Vulnerabilities in Adobe Flash Player and AIR Could Allow for Remote Code Execution (APSB16-08)

ITS Advisory Number: 
2016-051
Date(s) Issued: 
Friday, March 11, 2016
Subject: 
Multiple Vulnerabilities in Adobe Flash Player and AIR Could Allow for Remote Code Execution (APSB16-08)
Overview: 

Multiple vulnerabilities have been discovered in Adobe Flash Player and Adobe AIR that could allow for remote code execution. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Adobe AIR is a cross-platform runtime used for developing Internet applications that run outside of a browser. Successful exploitation of these vulnerabilities may allow for arbitrary code execution in the context of the current user. Failed exploit attempts will likely result in denial-of-service conditions.

Systems Affected: 
  • Adobe Flash Player Desktop Runtime prior to 21.0.0.182 for Windows and Macintosh

  • Adobe Flash Player Extended Support Release prior to 18.0.0.333 for Windows and Macintosh

  • Adobe Flash Player for Google Chrome prior to 21.0.0.182 for Windows, Macintosh, Linux and ChromeOS

  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 prior to 21.0.0.182 for Windows 10

  • Adobe Flash Player for Internet Explorer 10 and 11 prior to 21.0.0.182 for Windows 8.0 and 8.1

  • Adobe Flash Player for Linux prior to 11.2.202.577 for Linux

  • AIR Desktop Runtime prior to 21.0.0.176 for Windows and Macintosh

  • AIR SDK prior to 21.0.0.176 for Windows, Macintosh, Android and iOS

  • AIR SDK & Compiler prior to 21.0.0.176 for Windows, Macintosh, Android and iOS

  • AIR for Android prior to 21.0.0.176 for Android

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
High
Description: 

Adobe Flash Player and Adobe AIR are prone to multiple vulnerabilities which could allow for remote code execution. These vulnerabilities are as follows:

  • Integer overflow vulnerabilities that could lead to code execution. (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010)
  • Use-after-free vulnerabilities that could lead to code execution. (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000)
  • Heap overflow vulnerability that could lead to code execution. (CVE-2016-1001)
  • Memory corruption vulnerabilities that could lead to code execution. (CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, CVE-2016-1005)

Successful exploitation of these vulnerabilities may allow for arbitrary code execution in the context of the current user. Failed exploit attempts will likely result in denial-of-service conditions.

Actions: 
  • After appropriate testing, install the updates provided by Adobe to the affected systems.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments from unknown or untrusted sources.
  • Limit user account privileges to those required only.
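
To find which hosts still need the update, installed builds can be compared against the fixed versions listed under Systems Affected. The sketch below is an added example, not part of the original advisory or any Adobe tool; the product/channel keys, the inventory format, and the sample hosts and builds are assumptions constructed for illustration. It compares versions numerically and per release channel, so a patched Extended Support Release (18.0.0.333) or Linux build (11.2.202.577) is not flagged just because it is lower than 21.0.0.182.

```python
# Added example: triage an inventory against the fixed versions in APSB16-08.
# Product/channel keys and inventory rows are constructed, not an Adobe format.

# First fixed version per (product, channel), from "Systems Affected".
FIXED = {
    ("flash", "desktop"): "21.0.0.182",
    ("flash", "esr"): "18.0.0.333",
    ("flash", "chrome"): "21.0.0.182",
    ("flash", "edge-ie"): "21.0.0.182",
    ("flash", "linux"): "11.2.202.577",
    ("air", "desktop"): "21.0.0.176",
    ("air", "sdk"): "21.0.0.176",
    ("air", "android"): "21.0.0.176",
}


def parse_version(text):
    """Turn '21.0.0.182' into (21, 0, 0, 182) so comparison is numeric."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product, channel, version):
    """True if the build is prior to the fixed release for its channel."""
    fixed = FIXED.get((product, channel))
    if fixed is None:
        raise KeyError(f"no APSB16-08 entry for {product}/{channel}")
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Return the hosts whose installed build still needs the update."""
    return [row["host"] for row in inventory
            if is_vulnerable(row["product"], row["channel"], row["version"])]


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE = [
    {"host": "ws-01", "product": "flash", "channel": "desktop", "version": "20.0.0.300"},
    {"host": "ws-02", "product": "flash", "channel": "esr", "version": "18.0.0.333"},
    {"host": "ws-03", "product": "flash", "channel": "esr", "version": "18.0.0.300"},
    {"host": "lx-01", "product": "flash", "channel": "linux", "version": "11.2.202.577"},
    {"host": "ws-04", "product": "air", "channel": "desktop", "version": "21.0.0.99"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Note that AIR build 21.0.0.99 is flagged even though a plain string comparison would rank it above 21.0.0.176.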