Multiple Vulnerabilities in Adobe Flash Player Could Allow for Remote Code Execution (APSB16-25)

ITS Advisory Number: 2016-117
Date(s) Issued: Tuesday, July 12, 2016
Subject: Multiple Vulnerabilities in Adobe Flash Player Could Allow for Remote Code Execution (APSB16-25)
Overview: 

Multiple vulnerabilities have been discovered in Adobe Flash Player, the most severe of which could allow for remote code execution. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code by luring a victim to visit a specially crafted malicious website. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Adobe Flash Player Desktop Runtime prior to version 22.0.0.209
  • Adobe Flash Player Extended Support Release prior to version 18.0.0.366
  • Adobe Flash Player for Google Chrome prior to version 22.0.0.209
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 prior to version 22.0.0.209
  • Adobe Flash Player for Linux prior to version 11.2.202.632
RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: Medium
BUSINESS
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low
Description: 

Adobe Flash Player is prone to multiple vulnerabilities which could allow an attacker to take control of the affected system.

  • These updates resolve a race condition vulnerability that could lead to information disclosure (CVE-2016-4247).

  • These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4223, CVE-2016-4224, CVE-2016-4225).

  • These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).

  • These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-4249).

  • These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246).

  • These updates resolve a memory leak vulnerability (CVE-2016-4232).

  • These updates resolve stack corruption vulnerabilities that could lead to code execution (CVE-2016-4176, CVE-2016-4177).

  • These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2016-4178).

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code by luring a victim to visit a specially crafted malicious website. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • After appropriate testing, install updates provided by Adobe to the affected systems.
  • Consider disabling Adobe Flash Player until the patch is applied. 
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
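
To confirm patch coverage, the following added example (not part of the original advisory or any Adobe tooling) triages an inventory export against the fixed versions listed under Systems Affected, comparing builds numerically rather than as strings. The channel labels, host names and sample rows are constructed assumptions.

```python
import re

# Fixed versions taken from "Systems Affected"; the channel keys are assumed labels.
FIXED = {
    "desktop":   (22, 0, 0, 209),    # Desktop Runtime
    "esr":       (18, 0, 0, 366),    # Extended Support Release
    "chrome":    (22, 0, 0, 209),    # Flash Player for Google Chrome
    "edge_ie11": (22, 0, 0, 209),    # Microsoft Edge and Internet Explorer 11
    "linux":     (11, 2, 202, 632),  # Flash Player for Linux
}

def parse_version(text):
    """Parse a four-part version ('a.b.c.d' or 'a,b,c,d') into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:[.,]\d+){3}", text):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(part) for part in re.split(r"[.,]", text))

def assess(channel, version_text):
    """Return 'vulnerable', 'patched' or 'unknown' for one inventory row."""
    fixed = FIXED.get(channel)
    if fixed is None:
        return "unknown"      # channel not covered by this advisory
    try:
        installed = parse_version(version_text)
    except ValueError:
        return "unknown"      # unparseable version: needs manual follow-up
    # Tuple comparison is numeric per component, so 99 < 366 is handled
    # correctly, which a plain string comparison would get wrong.
    return "vulnerable" if installed < fixed else "patched"

def triage(rows):
    """Map each host to its status; rows are (host, channel, version) tuples."""
    return {host: assess(channel, version) for host, channel, version in rows}

# Constructed sample inventory (hypothetical hosts and reported versions).
SAMPLE_INVENTORY = [
    ("ws-001", "desktop", "22.0.0.192"),
    ("ws-002", "desktop", "22.0.0.209"),
    ("ws-003", "esr",     "18.0.0.99"),
    ("ws-004", "linux",   "11.2.202.632"),
    ("ws-005", "chrome",  "22,0,0,9"),
    ("ws-006", "desktop", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows reported as unknown should be resolved by hand rather than treated as patched.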
References: 

Adobe:
https://helpx.adobe.com/security/products/flash-player/apsb16-25.html

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4172

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4173

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4174

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4175

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4176

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4177

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4178

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4179

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4180

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4181

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4182

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4183

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4184

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4185

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4186

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4187

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4188

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4189

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4190

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4217

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4218

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4219

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4220

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4221

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4222

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4223

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4224

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4225

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4226

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4227

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4228

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4229

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4230

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4231

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4232

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4233

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4234

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4235

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4236

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4237

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4238

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4239

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4240

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4241

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4242 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4243

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4244

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4245

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4246

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4247

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4248

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4249