Multiple vulnerabilities in Adobe Flash Player



Published: 2016-12-13
Risk: Critical
Patch available: YES
Number of vulnerabilities: 17
CVE-ID: CVE-2016-7890, CVE-2016-7876, CVE-2016-7875, CVE-2016-7874, CVE-2016-7873, CVE-2016-7871, CVE-2016-7870, CVE-2016-7869, CVE-2016-7868, CVE-2016-7867, CVE-2016-7892, CVE-2016-7881, CVE-2016-7880, CVE-2016-7879, CVE-2016-7878, CVE-2016-7877, CVE-2016-7872
CWE-ID: CWE-20, CWE-119, CWE-416
Exploitation vector: Network
Public exploit: Vulnerability #11 is being exploited in the wild.
Vulnerable software:
Adobe Flash Player
Client/Desktop applications / Plugins for browsers, ActiveX components

Adobe Flash Player for Linux
Client/Desktop applications / Multimedia software

Vendor: Adobe

Security Bulletin

This security bulletin describes 17 vulnerabilities in Adobe Flash, including 1 zero-day vulnerability.

1) Security restrictions bypass

EUVDB-ID: #VU1297

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7890

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to an unspecified error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it and bypass implemented security mechanisms.

Successful exploitation of the vulnerability results in unauthorized access to restricted information.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory corruption

EUVDB-ID: #VU1296

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7876

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory corruption

EUVDB-ID: #VU1295

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7875

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory corruption

EUVDB-ID: #VU1294

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7874

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Memory corruption

EUVDB-ID: #VU1293

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7873

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Memory corruption

EUVDB-ID: #VU1292

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7871

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Buffer overflow

EUVDB-ID: #VU1291

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7870

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Buffer overflow

EUVDB-ID: #VU1290

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7869

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Buffer overflow

EUVDB-ID: #VU1289

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7868

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Buffer overflow

EUVDB-ID: #VU1288

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7867

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Use-after-free error

EUVDB-ID: #VU1287

Risk: Critical

CVSSv3.1: 9.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2016-7892

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

12) Use-after-free error

EUVDB-ID: #VU1286

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7881

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Use-after-free error

EUVDB-ID: #VU1285

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7880

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Use-after-free error

EUVDB-ID: #VU1284

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7879

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use-after-free error

EUVDB-ID: #VU1283

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7878

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Use-after-free error

EUVDB-ID: #VU1282

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7877

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Use-after-free error

EUVDB-ID: #VU1281

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7872

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version 24.0.0.186 from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197 - 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621 - 11.2.202.644

External links

http://helpx.adobe.com/security/products/flash-player/apsb16-39.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


