Multiple vulnerabilities in Adobe Flash Player



Published: 2016-05-12 | Updated: 2017-02-13

Risk: High

Patch available: YES

Number of vulnerabilities: 30

CVE-ID: CVE-2016-4163, CVE-2016-4162, CVE-2016-4161, CVE-2016-4160, CVE-2016-4120, CVE-2016-4115, CVE-2016-4114, CVE-2016-4113, CVE-2016-4112, CVE-2016-4111, CVE-2016-4109, CVE-2016-1104, CVE-2016-1102, CVE-2016-1100, CVE-2016-1099, CVE-2016-1098, CVE-2016-1096, CVE-2016-4116, CVE-2016-1103, CVE-2016-1101, CVE-2016-4121, CVE-2016-4110, CVE-2016-4108, CVE-2016-1110, CVE-2016-1109, CVE-2016-1108, CVE-2016-1107, CVE-2016-1106, CVE-2016-1097, CVE-2016-1105

CWE-ID: CWE-119, CWE-426, CWE-843

Exploitation vector: Network

Public exploit: Public exploit code is available for vulnerabilities #12, #13, #17, #19, #20, #23, #28 and #30.

Vulnerable software:

Adobe Flash Player (Client/Desktop applications / Plugins for browsers, ActiveX components)

Adobe AIR (Client/Desktop applications / Multimedia software)

Adobe Flash Player for Linux (Client/Desktop applications / Multimedia software)

Adobe Flash Player Extended Support Release (Client/Desktop applications / Multimedia software)

Vendor: Adobe

Security Bulletin

This security bulletin contains information about 30 vulnerabilities.

1) Memory corruption

EUVDB-ID: #VU5798

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4163

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory corruption

EUVDB-ID: #VU5797

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4162

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory corruption

EUVDB-ID: #VU5796

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4161

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory corruption

EUVDB-ID: #VU5795

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4160

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Memory corruption

EUVDB-ID: #VU5794

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4120

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Memory corruption

EUVDB-ID: #VU5793

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4115

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Memory corruption

EUVDB-ID: #VU5792

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4114

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Memory corruption

EUVDB-ID: #VU5791

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4113

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Memory corruption

EUVDB-ID: #VU5790

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4112

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Memory corruption

EUVDB-ID: #VU5789

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4111

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Memory corruption

EUVDB-ID: #VU5788

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4109

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Memory corruption

EUVDB-ID: #VU5787

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-1104

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

13) Memory corruption

EUVDB-ID: #VU5786

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-1102

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

14) Memory corruption

EUVDB-ID: #VU5785

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1100

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Memory corruption

EUVDB-ID: #VU5784

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1099

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Memory corruption

EUVDB-ID: #VU5783

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1098

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Memory corruption

EUVDB-ID: #VU5782

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-1096

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

18) Untrusted search path

EUVDB-ID: #VU5781

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4116

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error in the directory search path used to find resources. A remote attacker can create a specially crafted .swf file, place it on a WebDAV or SMB share, trick the victim into opening it and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Buffer overflow

EUVDB-ID: #VU5779

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-1103

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

20) Heap-based buffer overflow

EUVDB-ID: #VU5778

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-1101

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a heap-based buffer overflow when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

21) Use-after-free error

EUVDB-ID: #VU5777

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4121

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Use-after-free error

EUVDB-ID: #VU5776

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4110

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Use-after-free error

EUVDB-ID: #VU5775

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-4108

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

24) Use-after-free error

EUVDB-ID: #VU5774

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1110

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Use-after-free error

EUVDB-ID: #VU5773

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1109

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Use-after-free error

EUVDB-ID: #VU5772

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1108

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Use-after-free error

EUVDB-ID: #VU5771

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1107

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Use-after-free error

EUVDB-ID: #VU5770

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-1106

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

29) Use-after-free error

EUVDB-ID: #VU5769

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1097

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Type confusion

EUVDB-ID: #VU5768

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-1105

CWE-ID: CWE-843 - Type confusion

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a type confusion error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-15.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


