Multiple vulnerabilities in Adobe Flash Player

Published: 2016-02-09 21:03:43 | Updated: 2017-08-08 16:54:06
Severity Critical
Patch available YES
Number of vulnerabilities 22
CVE ID CVE-2016-0964
CVE-2016-0965
CVE-2016-0966
CVE-2016-0967
CVE-2016-0968
CVE-2016-0969
CVE-2016-0970
CVE-2016-0971
CVE-2016-0972
CVE-2016-0973
CVE-2016-0974
CVE-2016-0975
CVE-2016-0976
CVE-2016-0977
CVE-2016-0978
CVE-2016-0979
CVE-2016-0980
CVE-2016-0981
CVE-2016-0982
CVE-2016-0983
CVE-2016-0984
CVE-2016-0985
CVSSv3 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
9.2 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CWE ID CWE-119
CWE-122
CWE-416
CWE-843
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #4 is available.
Public exploit code for vulnerability #8 is available.
Public exploit code for vulnerability #11 is available.
Vulnerability #21 is being exploited in the wild.
Public exploit code for vulnerability #22 is available.
Vulnerable software Adobe Flash Player
Adobe AIR
Adobe Flash Player for Linux
Adobe Flash Player Extended Support Release
Vulnerable software versions Adobe Flash Player 20.0.0.267
Adobe Flash Player 20.0.0.272
Adobe Flash Player 20.0.0.306
Show more
Adobe AIR 20.0.0.204
Adobe AIR 20.0.0.233
Adobe AIR 20.0.0.260
Adobe Flash Player for Linux 11.2.202.481
Adobe Flash Player for Linux 11.2.202.468
Adobe Flash Player for Linux 11.2.202.491
Show more
Adobe Flash Player Extended Support Release 18.0.0.268
Adobe Flash Player Extended Support Release 18.0.0.324
Adobe Flash Player Extended Support Release 18.0.0.326
Adobe Flash Player Extended Support Release 18.0.0.329
Vendor URL Adobe

Security Advisory

This bulleting was updated to provide information about zero-day vulnerability, exploited back in June 2015 by the BlackOasis actor.

1) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

2) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

3) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

4) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

5) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

6) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

7) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

8) Heap-based buffer overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a heap-based buffer overflow when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

9) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

10) Use-after-free error

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

11) Use-after-free error

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

12) Use-after-free error

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

13) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

14) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

15) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

16) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

17) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

18) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

19) Use-after-free error

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

20) Use-after-free error

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

21) Use-after-free error

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

According to Kasperksy Lab report, this vulnerability has bein actively exploited in the wild by BlackOasis APT actor.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

22) Type confusion

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.

Remediation

Update Adobe Flash Player to version 20.0.0.306.
Update Adobe Flash Player for Linux to version 11.2.202.569.
Update Adobe AIR to version 20.0.0.260.
Update Adobe Flash Player Extended Support Release to version 18.0.0.329.

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

Back to List