CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2014-045

DATE(S) ISSUED:
05/13/2014

SUBJECT:
Multiple Vulnerabilities in Adobe Flash Player and Adobe AIR Could Allow Remote Code Execution (APSB14-14)

OVERVIEW:

Multiple vulnerabilities have been discovered in Adobe Flash Player and Adobe AIR. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Adobe AIR is a cross platform runtime used for developing Internet applications that run outside of a browser. Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer. Failed exploit attempts will likely cause denial-of-service conditions.

THREAT INTELLIGENCE:
At this time these vulnerabilities are not publicly disclosed and there is reporting that these vulnerabilities are being exploited in the wild.

SYSTEMS AFFECTED:

  • Adobe Flash Player 13.0.0.206 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.356 and earlier versions for Linux
  • Adobe AIR 13.0.0.83 SDK and earlier versions
  • Adobe AIR 13.0.0.83 SDK & Compiler and earlier versions

 

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

TECHNICAL SUMMARY:
Adobe Flash Player and AIR are prone to multiple vulnerabilities that could allow for remote code execution. Details regarding these vulnerabilities are as follows:

  • Use-after free vulnerability that could result in arbitrary code execution (CVE-2014-0510)
  • Vulnerability that could be used to bypass the same origin policy (CVE-2014-0516)
  • Multiple security bypass vulnerabilities (CVE-2014-0517, CVE-2014-0518, CVE-2014-0519, CVE-2014-0520)

 

Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely cause denial-of-service conditions.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Install the updates provided by Adobe immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments from unknown or untrusted sources.
  • Limit user account privileges to those required only.

 

REFERENCES:
Adobe:

http://helpx.adobe.com/security/products/flash-player/apsb14-14.html

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0510
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0516
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0517
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0518
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0519
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0520