OpenSUSE Linux update for flash-player



Published: 2016-05-17
Risk: Critical
Patch available: YES
Number of vulnerabilities: 25
CVE-ID: CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033, CVE-2016-4117
CWE-ID: CWE-264, CWE-119, CWE-426, CWE-843
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #4 is available.
Vulnerability #10 is being exploited in the wild.
Vulnerability #25 is being exploited in the wild.
Vulnerable software
Adobe Flash Player
Client/Desktop applications / Plugins for browsers, ActiveX components

Adobe Flash Player Extended Support Release
Client/Desktop applications / Multimedia software

Adobe AIR
Client/Desktop applications / Multimedia software

Adobe Flash Player for Linux
Client/Desktop applications / Multimedia software

Vendor: Adobe

Security Bulletin

This security bulletin contains information about 25 vulnerabilities.

1) Security bypass

EUVDB-ID: #VU5767

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1006

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to failure to use Address Space Layout Randomization (ASLR). A remote attacker can create a specially crafted Web site, trick the victim into visiting it, conduct a JIT spraying attack and bypass memory layout randomization mitigations.

Successful exploitation of this vulnerability results in security bypass on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) “Use-after-free” error

EUVDB-ID: #VU5748

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-1011

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Memory corruption

EUVDB-ID: #VU5753

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1012

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) “Use-after-free” error

EUVDB-ID: #VU5749

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-1013

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Untrusted Search Path

EUVDB-ID: #VU5746

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1014

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error in the directory search path used to find resources when handling .swf files. A remote attacker can create a specially crafted .swf file, place it together with a malicious .dll on a remote SMB or WebDAV share, trick the victim into opening the Flash file and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Type confusion

EUVDB-ID: #VU5745

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1015

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a type confusion error within the NetConnection objects. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) “Use-after-free” error

EUVDB-ID: #VU5751

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1016

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) “Use-after-free” error

EUVDB-ID: #VU5750

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1017

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Stack-based buffer overflow

EUVDB-ID: #VU5747

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1018

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to stack-based buffer overflow when handling JPEG-XR files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Type confusion

EUVDB-ID: #VU4647

Risk: Critical

CVSSv3.1: 9.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2016-1019

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion error when handling .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Note: the vulnerability was being actively exploited.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

11) Memory corruption

EUVDB-ID: #VU5754

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1020

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Memory corruption

EUVDB-ID: #VU5755

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1021

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Memory corruption

EUVDB-ID: #VU5756

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1022

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Memory corruption

EUVDB-ID: #VU5757

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1023

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Memory corruption

EUVDB-ID: #VU5758

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1024

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Memory corruption

EUVDB-ID: #VU5759

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1025

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Memory corruption

EUVDB-ID: #VU5760

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1026

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Memory corruption

EUVDB-ID: #VU5761

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1027

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Memory corruption

EUVDB-ID: #VU5762

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1028

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Memory corruption

EUVDB-ID: #VU5763

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1029

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Security bypass

EUVDB-ID: #VU5766

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1030

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access controls. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass security mechanism and gain access to the affected system.

Successful exploitation of this vulnerability results in security bypass on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) “Use-after-free” error

EUVDB-ID: #VU5752

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1031

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Memory corruption

EUVDB-ID: #VU5764

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1032

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Memory corruption

EUVDB-ID: #VU5765

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1033

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.343

Adobe AIR: 21.0.0.176 - 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.616

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Type confusion

EUVDB-ID: #VU5129

Risk: Critical

CVSSv3.1: 9.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2016-4117

CWE-ID: CWE-843 - Type confusion

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Note: the vulnerability was being actively exploited.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228 - 21.0.0.242

Adobe AIR: 21.0.0.176 - 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.352

External links

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


