CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Multiple Vulnerabilities in Adobe Flash Player and Adobe AIR Could Allow Remote Code Execution (APSB14-14)
Multiple vulnerabilities have been discovered in Adobe Flash Player and Adobe AIR. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Adobe AIR is a cross-platform runtime used for developing Internet applications that run outside of a browser. Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources on a user's computer. Failed exploit attempts will likely cause denial-of-service conditions.
At this time, these vulnerabilities are not publicly disclosed, and there is reporting that they are being exploited in the wild.
SYSTEMS AFFECTED:
- Adobe Flash Player 184.108.40.206 and earlier versions for Windows and Macintosh
- Adobe Flash Player 220.127.116.116 and earlier versions for Linux
- Adobe AIR 18.104.22.168 SDK and earlier versions
- Adobe AIR 22.214.171.124 SDK & Compiler and earlier versions
RISK:
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
- Home users: High
Adobe Flash Player and AIR are prone to multiple vulnerabilities that could allow for remote code execution. Details regarding these vulnerabilities are as follows:
- Use-after-free vulnerability that could result in arbitrary code execution (CVE-2014-0510)
- Vulnerability that could be used to bypass the same origin policy (CVE-2014-0516)
- Multiple security bypass vulnerabilities (CVE-2014-0517, CVE-2014-0518, CVE-2014-0519, CVE-2014-0520)
Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely cause denial-of-service conditions.
We recommend the following actions be taken:
- Install the updates provided by Adobe immediately after appropriate testing.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Do not open email attachments from unknown or untrusted sources.
- Limit user account privileges to only those required.