Multiple vulnerabilities have been discovered in Adobe Flash Player and Adobe AIR that could allow for remote code execution. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Adobe AIR is a cross-platform runtime used for developing Internet applications that run outside of a browser. Successful exploitation of these vulnerabilities may allow for arbitrary code execution in the context of the current user. Failed exploit attempts will likely result in denial-of-service conditions.
- Adobe Flash Player Desktop Runtime prior to 21.0.0.182 for Windows and Macintosh
- Adobe Flash Player Extended Support Release prior to 18.0.0.333 for Windows and Macintosh
- Adobe Flash Player for Google Chrome prior to 21.0.0.182 for Windows, Macintosh, Linux and ChromeOS
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 prior to 21.0.0.182 for Windows 10
- Adobe Flash Player for Internet Explorer 10 and 11 prior to 21.0.0.182 for Windows 8.0 and 8.1
- Adobe Flash Player for Linux prior to 11.2.202.577 for Linux
- AIR Desktop Runtime prior to 21.0.0.176 for Windows and Macintosh
- AIR SDK prior to 21.0.0.176 for Windows, Macintosh, Android and iOS
- AIR SDK & Compiler prior to 21.0.0.176 for Windows, Macintosh, Android and iOS
- AIR for Android prior to 21.0.0.176 for Android
Adobe Flash Player and Adobe AIR are prone to multiple vulnerabilities which could allow for remote code execution. These vulnerabilities are as follows:
- Integer overflow vulnerabilities that could lead to code execution. (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010)
- Use-after-free vulnerabilities that could lead to code execution. (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000)
- Heap overflow vulnerability that could lead to code execution. (CVE-2016-1001)
- Memory corruption vulnerabilities that could lead to code execution. (CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, CVE-2016-1005)
Successful exploitation of these vulnerabilities may allow for arbitrary code execution in the context of the current user. Failed exploit attempts will likely result in denial-of-service conditions.
- After appropriate testing, install the updates provided by Adobe to the affected systems.
- Remind users not to visit websites or follow links provided by unknown or untrusted sources.
- Do not open email attachments from unknown or untrusted sources.
- Limit user account privileges to only those required.
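As an added triage aid that is not part of the advisory: the script below checks an inventory of installed Flash Player and AIR builds against the minimum fixed versions listed above. The product track labels and the sample inventory (host names and versions) are constructed for this example; version strings are compared as integer tuples, since a plain string comparison misorders builds such as 21.0.0.9 and 21.0.0.176.

```python
from typing import Iterable, List, Tuple

# Minimum fixed version per product track, taken from the affected-versions list above.
# The track keys are labels chosen for this example, not Adobe identifiers.
FIXED_VERSIONS = {
    "flash-desktop": "21.0.0.182",
    "flash-esr": "18.0.0.333",
    "flash-chrome": "21.0.0.182",
    "flash-edge-ie11-win10": "21.0.0.182",
    "flash-ie10-ie11-win8": "21.0.0.182",
    "flash-linux": "11.2.202.577",
    "air-desktop": "21.0.0.176",
    "air-sdk": "21.0.0.176",
    "air-android": "21.0.0.176",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '21.0.0.182' into (21, 0, 0, 182); reject non-numeric components."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(track: str, installed: str) -> bool:
    """True when `installed` is below the fixed version for `track`.
    Tuple comparison is numeric per component, so 21.0.0.9 < 21.0.0.182."""
    if track not in FIXED_VERSIONS:
        raise KeyError(f"unknown product track: {track}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[track])


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory: (host, track, version) triples. Returns the entries still exposed."""
    return [(h, t, v) for h, t, v in inventory if is_vulnerable(t, v)]


# Constructed sample inventory; hosts and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("ws01", "flash-desktop", "21.0.0.182"),   # at fixed version
    ("ws02", "flash-desktop", "20.0.0.306"),   # older release, exposed
    ("ws03", "flash-esr", "18.0.0.329"),       # ESR below 18.0.0.333, exposed
    ("srv01", "flash-linux", "11.2.202.577"),  # at fixed version
    ("dev01", "air-sdk", "21.0.0.9"),          # string compare would miss this one
]

if __name__ == "__main__":
    for host, track, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {track} {ver} is below {FIXED_VERSIONS[track]}; apply the APSB16-08 update")
```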
Adobe:
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0962
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0963
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0986
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0990
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0991
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0993
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0995
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0996
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0997
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0998
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1010