MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-049

DATE(S) ISSUED:
03/10/2016

SUBJECT:
Multiple Vulnerabilities in Adobe Flash Player and AIR Could Allow for Remote Code Execution (APSB16-08)

OVERVIEW:

Multiple vulnerabilities have been discovered in Adobe Flash Player and Adobe AIR that could allow for remote code execution. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Adobe AIR is a cross-platform runtime used for developing Internet applications that run outside of a browser. Successful exploitation of these vulnerabilities may allow for arbitrary code execution in the context of the current user. Failed exploit attempts will likely result in denial-of-service conditions.

THREAT INTELLIGENCE:

Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks.

SYSTEMS AFFECTED:

  • Adobe Flash Player Desktop Runtime prior to 21.0.0.182 for Windows and Macintosh
  • Adobe Flash Player Extended Support Release prior to 18.0.0.333 for Windows and Macintosh
  • Adobe Flash Player for Google Chrome prior to 21.0.0.182 for Windows, Macintosh, Linux and ChromeOS
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 prior to 21.0.0.182 for Windows 10
  • Adobe Flash Player for Internet Explorer 10 and 11 prior to 21.0.0.182 for Windows 8.0 and 8.1
  • Adobe Flash Player for Linux prior to 11.2.202.577 for Linux
  • AIR Desktop Runtime prior to 21.0.0.176 for Windows and Macintosh
  • AIR SDK prior to 21.0.0.176 for Windows, Macintosh, Android and iOS
  • AIR SDK & Compiler prior to 21.0.0.176 for Windows, Macintosh, Android and iOS
  • AIR for Android prior to 21.0.0.176 for Android
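To turn the version thresholds above into an inventory check, the following added example (not part of the MS-ISAC advisory) compares installed Flash Player and AIR versions from a constructed asset list against the minimum fixed versions in APSB16-08; the product keys, hostnames and installed versions are assumptions for illustration.

```python
# Added example (not part of the MS-ISAC advisory): flags inventory records of
# Flash Player / AIR installs that are older than the fixed versions in APSB16-08.
from typing import Dict, List, Tuple

# Minimum fixed version per product, taken from the SYSTEMS AFFECTED list above.
# The short product keys are assumptions chosen for this example.
FIXED_VERSIONS: Dict[str, str] = {
    "flash_desktop": "21.0.0.182",   # Desktop Runtime, Windows/Macintosh
    "flash_esr": "18.0.0.333",       # Extended Support Release
    "flash_chrome": "21.0.0.182",    # bundled with Google Chrome
    "flash_edge_ie": "21.0.0.182",   # Edge / Internet Explorer 10 and 11
    "flash_linux": "11.2.202.577",   # Linux plugin
    "air_desktop": "21.0.0.176",     # AIR Desktop Runtime
    "air_sdk": "21.0.0.176",         # AIR SDK and SDK & Compiler
    "air_android": "21.0.0.176",     # AIR for Android
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '21.0.0.182' into a tuple of ints.
    Plain string comparison would wrongly rank '9.0.0.1' above '21.0.0.182'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build is older than the fixed build for that product."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"unknown product: {product}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])

def hosts_needing_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Inventory rows are (hostname, product_key, installed_version)."""
    return sorted({host for host, product, ver in inventory if is_vulnerable(product, ver)})

# Constructed sample inventory (hypothetical hosts and versions), as an
# asset-management export might look.
SAMPLE_INVENTORY = [
    ("ws-001", "flash_desktop", "21.0.0.182"),   # already at fixed version
    ("ws-002", "flash_desktop", "20.0.0.306"),   # older build, needs update
    ("ws-003", "flash_esr", "18.0.0.329"),       # ESR branch, needs update
    ("srv-lin", "flash_linux", "11.2.202.577"),  # already at fixed version
    ("dev-01", "air_sdk", "21.0.0.176"),         # already at fixed version
    ("dev-02", "air_sdk", "9.0.0.1"),            # old build, needs update
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update required per APSB16-08")
```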

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Adobe Flash Player and Adobe AIR are prone to multiple vulnerabilities which could allow for remote code execution. These vulnerabilities are as follows:

  • Integer overflow vulnerabilities that could lead to code execution. (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010)
  • Use-after-free vulnerabilities that could lead to code execution. (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000)
  • Heap overflow vulnerability that could lead to code execution. (CVE-2016-1001)
  • Memory corruption vulnerabilities that could lead to code execution. (CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, CVE-2016-1005)
Successful exploitation of these vulnerabilities may allow for arbitrary code execution in the context of the current user. Failed exploit attempts will likely result in denial-of-service conditions.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Install the updates provided by Adobe immediately after appropriate testing.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments from unknown or untrusted sources.
  • Limit user account privileges to those required only.

REFERENCES:

Adobe:
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0960
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0961
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0962
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0963
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0986
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0987
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0988
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0989
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0990
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0991
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0992
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0993
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0994
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0995
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0996
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0997
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0998
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0999
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1001
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1002
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1005
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1010