MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-057

DATE(S) ISSUED:
4/8/2016

SUBJECT:
Multiple Vulnerabilities in Adobe Flash Player Could Allow for Remote Code Execution (APSB16-10)

OVERVIEW:

Multiple vulnerabilities have been discovered in Adobe Flash Player that could allow for remote code execution. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Successful exploitation of these vulnerabilities may allow for remote code execution in the context of the current user. Failed exploit attempts will likely result in denial-of-service conditions.


THREAT INTELLIGENCE:

Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier.

SYSTEMS AFFECTED:

  • Adobe Flash Player Desktop Runtime prior to 21.0.0.213 for Windows and Macintosh
  • Adobe Flash Player Extended Support Release prior to 18.0.0.343 for Windows and Macintosh
  • Adobe Flash Player for Google Chrome prior to 21.0.0.213 for Windows, Macintosh, Linux and ChromeOS
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 prior to 21.0.0.213 for Windows 10
  • Adobe Flash Player for Internet Explorer 11 prior to 21.0.0.213 for Windows 8.1
  • Adobe Flash Player for Linux prior to 11.2.202.616
  • AIR Desktop Runtime prior to 21.0.0.176 for Windows and Macintosh
  • AIR SDK prior to 21.0.0.176 for Windows, Macintosh, Android and iOS
  • AIR SDK & Compiler prior to 21.0.0.176 for Windows, Macintosh, Android and iOS

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Adobe Flash Player is prone to multiple vulnerabilities which could allow for remote code execution. These vulnerabilities are as follows:


  • These updates harden a mitigation against JIT spraying attacks that could be used to bypass address space layout randomization (ASLR) (CVE-2016-1006).
  • These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1015, CVE-2016-1019).
  • These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031).
  • These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033).
  • These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2016-1018).
  • These updates resolve a security bypass vulnerability (CVE-2016-1030).
  • These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-1014).

Successful exploitation of these vulnerabilities may allow for remote code execution in the context of the current user. Failed exploit attempts will likely result in denial-of-service conditions.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Install the updates provided by Adobe immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
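
The SYSTEMS AFFECTED list above doubles as a patch-verification table, and the first recommendation is only done once every host is at or above the fixed version for its branch. As an added example (not part of the MS-ISAC advisory or Adobe's material), the following Python flags inventory rows that fall below the APSB16-10 fixed versions and separately marks builds inside the range the THREAT INTELLIGENCE section says was under active exploitation. The product labels, the branch-selection rule, the hostnames and the version strings are constructed for this illustration.

```python
"""Added example: check an inventory of Flash Player / AIR versions against the
APSB16-10 fixed versions. Not part of the MS-ISAC advisory; the inventory below
is constructed for illustration."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed versions from the SYSTEMS AFFECTED list. The keys are labels
# chosen for this example, not Adobe product identifiers.
FIXED_VERSIONS: Dict[str, Version] = {
    "flash_desktop": (21, 0, 0, 213),    # Desktop Runtime, Chrome, Edge/IE11 builds
    "flash_esr":     (18, 0, 0, 343),    # Extended Support Release branch
    "flash_linux":   (11, 2, 202, 616),  # NPAPI plugin for Linux
    "air":           (21, 0, 0, 176),    # AIR Desktop Runtime, SDK, SDK & Compiler
}

# THREAT INTELLIGENCE: CVE-2016-1019 was being exploited against Flash Player
# 20.0.0.306 and earlier.
ACTIVELY_EXPLOITED_UPTO: Version = (20, 0, 0, 306)


def parse_version(text: str) -> Version:
    """Turn '21.0.0.182' into (21, 0, 0, 182). Rejects anything that is not
    four dotted integers so a malformed inventory row fails loudly."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash/AIR version string: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def flash_branch(version: Version) -> str:
    """Select the comparison branch. Flash Player shipped three parallel
    lines at the time of APSB16-10; comparing an ESR 18.0.0.343 build against
    21.0.0.213 would wrongly flag a patched host, so branch first.
    (Branching on major/minor number is an assumption made for this example.)"""
    if version[0] == 18:
        return "flash_esr"
    if version[:2] == (11, 2):
        return "flash_linux"
    return "flash_desktop"


def audit_host(product: str, version_text: str) -> Dict[str, object]:
    """Return the patch status for one host.
    product is 'flash' or 'air' (labels chosen for this example)."""
    version = parse_version(version_text)
    branch = flash_branch(version) if product == "flash" else "air"
    fixed = FIXED_VERSIONS[branch]
    vulnerable = version < fixed
    return {
        "branch": branch,
        "vulnerable": vulnerable,
        "fixed_version": ".".join(str(n) for n in fixed),
        # Coarse reading of the advisory's "20.0.0.306 and earlier": any
        # unpatched Flash build at or below that number is treated as in range.
        "actively_exploited": product == "flash" and vulnerable
        and version <= ACTIVELY_EXPLOITED_UPTO,
    }


def audit(inventory: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, object]]:
    """Audit (host, product, version) rows; returns host -> status."""
    return {host: audit_host(product, ver) for host, product, ver in inventory}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("ws-001",  "flash", "20.0.0.306"),    # last build named in the threat intel
    ("ws-002",  "flash", "21.0.0.182"),    # below 21.0.0.213, outside exploited range
    ("ws-003",  "flash", "21.0.0.213"),    # patched
    ("esr-001", "flash", "18.0.0.333"),    # ESR, unpatched
    ("esr-002", "flash", "18.0.0.343"),    # ESR, patched
    ("lnx-001", "flash", "11.2.202.577"),  # Linux plugin, unpatched
    ("dev-001", "air",   "21.0.0.176"),    # AIR, patched
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        flag = "EXPLOITED" if status["actively_exploited"] else (
            "PATCH" if status["vulnerable"] else "ok")
        print(f"{host:8} {flag:9} needs >= {status['fixed_version']}")
```

The branch step is the part worth keeping even if the rest is replaced by a real inventory tool: a naive "is the version below 21.0.0.213" check reports every ESR and Linux host as unpatched, which buries the hosts that actually matter.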

REFERENCES:

Adobe:
https://helpx.adobe.com/security/products/flash-player/apsb16-10.html
http://blogs.adobe.com/psirt/?p=1334

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1006
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1011
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1012
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1013
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1014
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1015
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1016
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1017
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1018
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1019
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1020
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1021
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1022
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1023
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1024
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1025
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1026
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1027
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1028
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1029
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1030
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1031
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1032
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1033