UPDATED: Multiple Vulnerabilities in Adobe Flash Player Could Allow for Remote Code Execution (APSA16-02 and APSA16-15)

ITS Advisory Number: 
2016-090 (UPDATED)
Date(s) Issued: 
Tuesday, May 10, 2016
Date Updated: 
Thursday, May 12, 2016
Subject: 
Multiple Vulnerabilities in Adobe Flash Player Could Allow for Remote Code Execution (APSA16-02 and APSA16-15)
Overview: 

ORIGINAL OVERVIEW:

A vulnerability has been discovered in Adobe Flash Player which could allow for remote code execution. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages.

Successful exploitation of this vulnerability may allow for remote code execution and allow an attacker to take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights with failed exploit attempts will likely result in denial-of-service conditions.

May 12 - UPDATED OVERVIEW:

Multiple vulnerabilities have been discovered in Adobe Flash Player that could allow for remote code execution.

Systems Affected: 

ORIGINAL SYSTEM AFFECTED:

  • Adobe Flash Player 21.0.0.226 and earlier for Windows, Macintosh, Linux, and Chrome OS

May 12 - UPDATED SYSTEMS AFFECTED:

  • Adobe Flash Player Desktop Runtime prior to 21.0.0.242 for Windows and Macintosh
  • Adobe Flash Player Extended Support Release prior to 18.0.0.352 for Windows and Macintosh
  • Adobe Flash Player for Google Chrome prior to 21.0.0.242 for Windows, Macintosh, Linux and ChromeOS
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 prior to 21.0.0.242 for Windows 8.1 and 10
  • Adobe Flash Player for Linux prior to 11.2.202.621 for Linux
  • AIR Desktop Runtime prior to 21.0.0.215 for Windows and Macintosh
  • AIR SDK prior to 21.0.0.215 for Windows, Macintosh, Android and iOS
  • AIR SDK & Compiler prior to 21.0.0.215 for Windows, Macintosh, Android and iOS

 

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

ORIGINAL DESCRIPTION:

An unspecified security vulnerability has been discovered in Adobe Flash Player which could allow for remote code execution.

Successful exploitation of this vulnerability may allow for remote code execution and allow an attacker to take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights. Failed exploit attempts will likely result in denial-of-service conditions.

May 12 - UPDATED DESCRIPTION:

Adobe Flash Player is prone to multiple vulnerabilities that could allow for remote code execution. These vulnerabilities are as follows:

  • Multiple type confusion vulnerabilities could lead to remote code execution. (CVE-2016-1105, CVE-2016-4117)
  • Multiple use-after-free vulnerabilities could lead to remote code execution. (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110).
  • A heap buffer overflow vulnerability that could lead to remote code execution. (CVE-2016-1101).
  • A buffer overflow vulnerability that could lead to remote code execution. (CVE-2016-1103).
  • Multiple memory corruption vulnerabilities that could lead to remote code execution. (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115).
  • A directory search path vulnerability that could lead to remote code execution. (CVE-2016-4116).

Successful exploitation of these vulnerabilities may allow for remote code execution and allow an attacker to take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights with failed exploit attempts will likely result in denial-of-service conditions.

Actions: 

ORIGINAL ACTIONS:

  • Disable Flash functionality until a patch is released by Adobe.
  • Limit user account privileges to least privilege only.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments from unknown or untrusted sources.

May 12 - UPDATED ACTION:

  • Install the updates provided by Adobe immediately after appropriate testing.
References: 

ORIGINAL REFERENCES:

Adobe:
https://helpx.adobe.com/security/products/flash-player/apsa16-02.html

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4117

May 12 – UPDATED REFERENCES:

Adobe:

https://helpx.adobe.com/security/products/flash-player/apsb16-15.html

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1096

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1097

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1098

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1099

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1100

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1101

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1102

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1103

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1104

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1105

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1106

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1107

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1108

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1109

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1110

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4108

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4109

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4110

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4111

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4112

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4113

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4114

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4115

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4116