
CERT Coordination Center

Adobe Flash memory corruption vulnerability

Vulnerability Note VU#748992

Original Release Date: 2016-06-15 | Last Revised: 2016-06-16

Overview

Adobe Flash Player contains an unspecified memory corruption vulnerability that is currently being exploited in the wild.

Description

Adobe Flash Player 21.0.0.242 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code. This vulnerability is being exploited in the wild. Please see Adobe Security Advisory APSA16-03 for more details.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), PDF file, Microsoft Office document, or any other document that supports embedded SWF content, an attacker may be able to execute arbitrary code. The vulnerability reportedly affects Flash Player 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS.
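Because the attack can arrive inside any container that carries an embedded SWF, a first triage step is to find SWF data in suspect files. The following is an added example written for this note, not CERT/CC or Adobe code: it looks for the three SWF header forms (FWS uncompressed, CWS zlib-compressed, ZWS LZMA-compressed: a 3-byte magic, a 1-byte format version, and a 4-byte little-endian length of the uncompressed file) and descends into ZIP containers such as OOXML documents. The sample "PDF" and "docx" are constructed inline; the plausibility limits (format version 1..50, 50 MB member cap) are assumptions chosen for this example.

```python
"""Locate embedded SWF headers in documents (added example for VU#748992,
not CERT/CC or Adobe code)."""
import io
import struct
import zipfile
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
MAX_SWF_VERSION = 50            # assumption: highest plausible SWF format version
MAX_MEMBER_BYTES = 50_000_000   # assumption: zip-bomb guard for container members


def find_swf_headers(data):
    """Return sorted (offset, magic, version, declared_length) tuples for
    every plausible SWF header in data. The length field is the
    uncompressed size, so it can only be checked against the remaining
    bytes for the uncompressed FWS form."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos >= 0:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                plausible = 1 <= version <= MAX_SWF_VERSION and length >= 8
                if magic == b"FWS" and length > len(data) - pos:
                    plausible = False                      # uncompressed body must fit
                if magic == b"CWS" and data[pos + 8:pos + 9] != b"\x78":
                    plausible = False                      # zlib stream header byte
                if plausible:
                    hits.append((pos, magic.decode(), version, length))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def scan_document(data, name="<bytes>"):
    """Scan raw bytes, then (for ZIP containers such as .docx/.pptx/.xlsx)
    each member after decompression, since deflated SWF data is invisible
    to the raw scan. Returns (location, offset, magic, version, length)."""
    results = [(name,) + h for h in find_swf_headers(data)]
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir() or member.file_size > MAX_MEMBER_BYTES:
                        continue
                    blob = zf.read(member)
                    results += [(name + "!" + member.filename,) + h
                                for h in find_swf_headers(blob)]
        except zipfile.BadZipFile:
            pass
    return results


def build_samples():
    """Constructed test inputs: a 40-byte uncompressed SWF inside a PDF-like
    stream, the same SWF deflated inside a docx-like ZIP, a compressed SWF,
    and plain text containing the magic bytes by coincidence."""
    fws = b"FWS" + bytes([10]) + struct.pack("<I", 40) + b"\x00" * 32
    prefix = b"%PDF-1.5\n1 0 obj\n<< /Type /RichMedia >>\nstream\n"
    pdf = prefix + fws + b"\nendstream\nendobj\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/1.swf", fws)
    cws = b"CWS" + bytes([9]) + struct.pack("<I", 200) + zlib.compress(b"\x00" * 192)
    return {"pdf": pdf, "pdf_offset": len(prefix), "docx": buf.getvalue(),
            "cws": cws, "text": b"NEWS FLASH: CWS update for FWS"}


SAMPLES = build_samples()

if __name__ == "__main__":
    for label in ("pdf", "docx", "cws", "text"):
        for hit in scan_document(SAMPLES[label], "sample." + label):
            print("%s: offset=%d %s v%d len=%d" % hit)
```

The raw scan does not see SWF data stored inside FlateDecode PDF streams or OLE compound files (.doc, .xls); those need the respective container parsed first, so treat a clean result on such files as inconclusive rather than as proof of absence.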

Solution

Apply an update

This issue is addressed in Flash Player versions 22.0.0.192, 18.0.0.360, and 11.2.202.626. Please see Adobe Security Bulletin APSB16-18 for more details.
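Because three release branches were patched at once, "is my build at or above 22.0.0.192?" is the wrong test for a machine on the 18.x extended-support or 11.2 Linux branch. The following is an added example for this note, not CERT/CC or Adobe code: it compares an installed version string with the fixed build for its branch. The fixed builds are the ones named above; the branch rule (major 11 = Linux 11.2 branch, major 18 = extended support, anything else = current release line) and the comma-separated input form are assumptions based on how Adobe numbered and registered Flash Player builds.

```python
"""Branch-aware version check for CVE-2016-4171 / APSB16-18
(added example, not CERT/CC or Adobe code)."""

# Fixed builds named in APSB16-18, keyed by release branch.
FIXED_BUILDS = {
    "current": (22, 0, 0, 192),
    "esr18": (18, 0, 0, 360),
    "linux11": (11, 2, 202, 626),
}


def parse_version(text):
    """Accept 'a.b.c.d' or the comma form 'a,b,c,d' (assumption: the form
    Adobe's installer writes to the Windows registry). All Flash Player
    builds carry exactly four numeric fields."""
    fields = text.strip().replace(",", ".").split(".")
    if len(fields) != 4 or not all(f.isdigit() for f in fields):
        raise ValueError("not a Flash Player version: %r" % text)
    return tuple(int(f) for f in fields)


def branch_of(version):
    """Assumed branch rule: 11.x is the Linux 11.2 line, 18.x the
    extended-support line, everything else the current line."""
    if version[0] == 11:
        return "linux11"
    if version[0] == 18:
        return "esr18"
    return "current"


def assess(text):
    """Return installed version, branch, the build it must reach, and
    whether it is still exposed. Tuple comparison is field by field, so
    20.0.0.306 < 22.0.0.192 and 18.0.0.360 is not < 18.0.0.360."""
    installed = parse_version(text)
    branch = branch_of(installed)
    fixed = FIXED_BUILDS[branch]
    return {"installed": installed, "branch": branch,
            "fixed": fixed, "vulnerable": installed < fixed}


def is_vulnerable(text):
    return assess(text)["vulnerable"]


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or ["21.0.0.242", "22.0.0.192", "18.0.0.352",
                                "11,2,202,626"]:
        r = assess(arg)
        print("%-14s branch=%-8s fixed=%-13s %s" % (
            arg, r["branch"], ".".join(map(str, r["fixed"])),
            "VULNERABLE" if r["vulnerable"] else "ok"))
```

Feed it whatever your inventory tooling reports (the browser's plugin page, or on Windows the CurrentVersion value under HKLM\SOFTWARE\Macromedia\FlashPlayer, which uses commas). A build that parses but sits on an unexpected branch is still compared against the current line, which is the conservative choice here.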

Disable Flash in your web browser

Adobe has provided guidance for how to configure Flash in various web browsers. Via the appropriate browser settings, disable Flash entirely or, at the very least, configure it to run only when the user clicks on the content (click-to-play), so that SWF content embedded in a web page or HTML email does not execute automatically.

Uninstall Flash

Adobe has provided guidance for how to uninstall Flash Player on Windows and how to uninstall Flash Player on the Mac.

Vendor Information


Adobe Affected

Updated:  June 16, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics (CVSS v2)

Group         Score  Vector
Base          7.5    AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal      7.1    E:F/RL:U/RC:C
Environmental 7.1    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was reported by Adobe, who in turn credits Anton Ivanov and Costin Raiu of Kaspersky Lab.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2016-4171
Date Public: 2016-06-14
Date First Published: 2016-06-15
Date Last Updated: 2016-06-16 17:15 UTC
Document Revision: 9

Sponsored by CISA.