Multiple vulnerabilities in Adobe Flash Player

Published: 2016-12-13
Severity: Critical
Patch available: Yes
Number of vulnerabilities: 17
CVE ID: CVE-2016-7890, CVE-2016-7876, CVE-2016-7875, CVE-2016-7874, CVE-2016-7873, CVE-2016-7871, CVE-2016-7870, CVE-2016-7869, CVE-2016-7868, CVE-2016-7867, CVE-2016-7892, CVE-2016-7881, CVE-2016-7880, CVE-2016-7879, CVE-2016-7878, CVE-2016-7877, CVE-2016-7872
CWE ID: CWE-20, CWE-119, CWE-416
Exploitation vector: Network
Public exploit: Vulnerability #11 is being exploited in the wild.
Vulnerable software: Adobe Flash Player, Adobe Flash Player for Linux
Vendor: Adobe

Security Advisory

This security bulletin describes 17 vulnerabilities in Adobe Flash, including 1 zero-day vulnerability.

1) Security restrictions bypass

Severity: Medium

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7890

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an unknown error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it and bypass implemented security mechanisms.

Successful exploitation of the vulnerability results in unauthorized access to restricted information.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644
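As an added inventory check that is not part of the advisory: a small Python script that classifies an installed Flash Player build against the affected versions listed above and the fixed release 24.0.0.186 (the same list and fix apply to every entry in this bulletin). It assumes four-part version strings with dots or commas; the sample inventory values are constructed.

```python
"""Classify Flash Player builds against the versions in this advisory (APSB16-39).
Added example, not part of the advisory; sample version strings are constructed."""
from typing import Tuple

FIXED_VERSION = "24.0.0.186"

# Builds the advisory enumerates as affected: the Windows/Macintosh stream
# and the separate Linux NPAPI 11.2 stream.
VULNERABLE_DESKTOP = {
    "21.0.0.197", "21.0.0.213", "21.0.0.226", "21.0.0.242",
    "22.0.0.192", "22.0.0.211",
    "23.0.0.162", "23.0.0.185", "23.0.0.205", "23.0.0.207",
}
VULNERABLE_LINUX = {
    "11.2.202.621", "11.2.202.626", "11.2.202.632", "11.2.202.635",
    "11.2.202.637", "11.2.202.643", "11.2.202.644",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '24.0.0.186' into (24, 0, 0, 186). Flash Player also reports
    comma-separated versions ('24,0,0,186'), which are accepted as well."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash Player version: {text!r}")
    return tuple(int(p) for p in parts)


def is_listed_vulnerable(version: str) -> bool:
    """True if the build is one the advisory explicitly lists as affected."""
    canonical = ".".join(str(n) for n in parse_version(version))
    return canonical in VULNERABLE_DESKTOP or canonical in VULNERABLE_LINUX


def needs_update(version: str) -> bool:
    """True if the build is older than the fixed release 24.0.0.186.
    Broader than the enumerated list: an unlisted older build is still
    treated as needing the update, since the advisory names one fix for all."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess(version: str) -> str:
    """One-line verdict for an inventory report."""
    if not needs_update(version):
        return f"{version}: patched (>= {FIXED_VERSION})"
    if is_listed_vulnerable(version):
        return f"{version}: VULNERABLE (listed in APSB16-39), update to {FIXED_VERSION}"
    return f"{version}: outdated (not listed, but older than {FIXED_VERSION}), update"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or measured versions.
    for v in ("23.0.0.207", "11.2.202.644", "24.0.0.186", "20.0.0.306", "24,0,0,194"):
        print(assess(v))
```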

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7876

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7875

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7874

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7873

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7871

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Buffer overflow

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7870

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Buffer overflow

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7869

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Buffer overflow

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7868

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Buffer overflow

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7867

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Use-after-free error

Severity: Critical

CVSSv3: 9.2 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7892

CWE-ID: CWE-416 - Use After Free

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

12) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7881

CWE-ID: CWE-416 - Use After Free

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7880

CWE-ID: CWE-416 - Use After Free

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7879

CWE-ID: CWE-416 - Use After Free

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7878

CWE-ID: CWE-416 - Use After Free

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7877

CWE-ID: CWE-416 - Use After Free

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-7872

CWE-ID: CWE-416 - Use After Free

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of the vulnerable system.

Mitigation

Install the latest version, 24.0.0.186, from the vendor's website for Windows, Macintosh and Linux.

Vulnerable software versions

Adobe Flash Player: 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211, 23.0.0.162, 23.0.0.185, 23.0.0.205, 23.0.0.207

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626, 11.2.202.632, 11.2.202.635, 11.2.202.637, 11.2.202.643, 11.2.202.644

External links

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.