MS-ISAC CYBERSECURITY ADVISORIES
MS-ISAC ADVISORY NUMBER:
Multiple Vulnerabilities in Adobe Flash Player Could Allow for Remote Code Execution (APSB17-04)
There are currently no reports of these vulnerabilities being exploited in the wild.
- Adobe Flash Player Desktop Runtime versions 18.104.22.168 and earlier
- Adobe Flash Player for Google Chrome versions 22.214.171.124 and earlier
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 versions 126.96.36.199 and earlier
- Large and medium government entities: High
- Small government entities: Medium
- Large and medium business entities: High
- Small business entities: Medium
- Home users: Low
Google Android OS is prone to multiple vulnerabilities, the most severe of which could allow for remote code execution. The vulnerabilities are as follows:
- A type confusion vulnerability that could lead to code execution (CVE-2017-2995).
- An integer overflow vulnerability that could lead to code execution (CVE-2017-2987).
- Multiple use-after-free vulnerabilities that could lead to code execution (CVE-2017-2982, CVE-2017-2985, CVE-2017-2993, CVE-2017-2994).
- Multiple heap buffer overflow vulnerabilities that could lead to code execution (CVE-2017-2984, CVE-2017-2986, CVE-2017-2992).
- Multiple memory corruption vulnerabilities that could lead to code execution (CVE-2017-2988, CVE-2017-2990, CVE-2017-2991, CVE-2017-2996).
Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system.
We recommend the following actions be taken:
- Install the updates provided by Adobe immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
- Apply the Principle of Least Privilege to all systems and services.