Security Update for Adobe Flash Player

Published: 2016-07-12 | Updated: 2018-11-25
Severity: High
Patch available: YES
Number of vulnerabilities: 24
CVE ID: CVE-2016-4173, CVE-2016-4174, CVE-2016-4175, CVE-2016-4176, CVE-2016-4177, CVE-2016-4178, CVE-2016-4179, CVE-2016-4182, CVE-2016-4188, CVE-2016-4185, CVE-2016-4222, CVE-2016-4223, CVE-2016-4224, CVE-2016-4225, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4232, CVE-2016-4247, CVE-2016-4248, CVE-2016-4249
CWE ID: CWE-119, CWE-200, CWE-843, CWE-401, CWE-362
Exploitation vector: Network
Public exploit: Public exploit code is available for vulnerabilities #3, #4, #5, #7, #15, #16, #17, #18, #19, #20 and #21.
Vulnerable software: Adobe Flash Player Extended Support Release, Adobe Flash Player for Linux, Adobe Flash Player
Vendor: Adobe

Security Advisory

1) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4173

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4174

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory corruption

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4175

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

4) Stack-based buffer overflow

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4176

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a stack-based buffer overflow. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

5) Stack-based buffer overflow

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4177

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a stack-based buffer overflow. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

6) Security bypass

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4178

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper access control. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, bypass security mechanisms and gain access to important data.

Successful exploitation of this vulnerability results in information disclosure on the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Memory corruption

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4179

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

8) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4182

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4188

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4185

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4222

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Type confusion

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4223

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Type confusion

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4224

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Type confusion

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4225

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use-after-free error

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4226

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

16) Use-after-free error

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4227

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

17) Use-after-free error

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4228

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

18) Use-after-free error

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4229

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

19) Use-after-free error

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4230

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

20) Use-after-free error

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4231

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

21) Information disclosure

Severity: Low

CVSSv3: 3.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-4232

CWE-ID: CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to a memory leak. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it and gain access to important data.

Successful exploitation of this vulnerability results in information disclosure on the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

22) Race condition

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4247

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to a race condition. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it and gain access to important data.

Successful exploitation of this vulnerability results in information disclosure on the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4248

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Heap-based buffer overflow

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4249

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a heap-based buffer overflow. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the Microsoft website.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

MS16-093

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.