Adobe Flash memory corruption vulnerability
Original Release date: 15 Jun 2016 | Last revised: 16 Jun 2016

Overview
Adobe Flash contains an unspecified vulnerability that is currently being exploited in the wild.

Description

Adobe Flash Player 21.0.0.242 and earlier contain an unspecified vulnerability that an allow a remote, unauthenticated attacker to execute arbitrary code.

This vulnerability is being exploited in the wild. Please see Adobe Security Advisory APSA16-03 for more details.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), PDF file, Microsoft Office document, or any other document that supports embedded SWF content, an attacker may be able to execute arbitrary code.

The vulnerability reportedly affects Flash Player 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS.

Solution

Apply an update
This issue is addressed in Flash Player versions 22.0.0.192, 18.0.0.360, and 11.2.202.626. Please see Adobe Security Bulletin APSB16-18 for more details.

Vendor Information (Learn More)
Vendor
Status
Date Notified
Date Updated
Adobe
Affected

16 Jun 2016
If you are a vendor and your product is affected, let us know.
CVSS Metrics (Learn More)
Group
Score
Vector
Base
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal
7.1
E:F/RL:U/RC:C
Environmental
7.1
CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit
This vulnerability was reported by Adobe, who in turn credits Anton Ivanov and Costin Raiu of Kaspersky Lab.
This document was written by Will Dormann.

Other Information
CVE IDs: CVE-2016-4171
Date Public: 14 Jun 2016
Date First Published: 15 Jun 2016
Date Last Updated: 16 Jun 2016
Document Revision: 7

Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply