Adobe Flash Player Multiple Zero-Day Vulnerabilities (CVE-2016-1010)

March 10, 2016

Summary

Adobe has released security updates for Adobe Flash Player that address critical vulnerabilities. The update covers multiple Common Vulnerabilities and Exposures (CVE) identifiers, as noted in Adobe Security Bulletin APSB16-08. [1]

In conjunction with these flaws, Microsoft has issued an out-of-band patch for Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10. The Microsoft update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. [2]

Impact

This set of updates covers vulnerabilities rated as critical by both Adobe and Microsoft. Attackers can remotely take control of affected systems if exploitation is successful. Adobe has noted that there are reports of CVE-2016-1010 already being exploited in targeted attacks. [1]

Vulnerable

  • Adobe Flash Player Desktop Runtime, 20.0.0.306 and earlier (Windows and Macintosh)
  • Adobe Flash Player Extended Support Release, 18.0.0.329 and earlier (Windows and Macintosh)
  • Adobe Flash Player for Google Chrome, 20.0.0.306 and earlier (Windows, Macintosh, Linux and ChromeOS)
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11, 20.0.0.306 and earlier (Windows 10)
  • Adobe Flash Player for Internet Explorer 11, 20.0.0.306 and earlier (Windows 8.1)
  • Adobe Flash Player for Linux, 11.2.202.569 and earlier (Linux)
  • AIR Desktop Runtime, 20.0.0.260 and earlier (Windows and Macintosh)
  • AIR SDK, 20.0.0.260 and earlier (Windows, Macintosh, Android and iOS)
  • AIR SDK & Compiler, 20.0.0.260 and earlier (Windows, Macintosh, Android and iOS)
  • AIR for Android, 20.0.0.233 and earlier (Android)
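
The list above can be applied to a software inventory as follows. This is an added example, not code from Adobe, Microsoft or the advisory's author; the product keys, host names and inventory rows are constructed for illustration, and only the version bounds come from the list.

```python
# Added example. Bounds are copied from the advisory's "Vulnerable" list;
# the product keys and host names are labels made up for this sketch.
VULNERABLE_UP_TO = {
    "flash-desktop": "20.0.0.306",
    "flash-esr": "18.0.0.329",
    "flash-chrome": "20.0.0.306",
    "flash-edge-ie11": "20.0.0.306",
    "flash-linux": "11.2.202.569",
    "air-desktop": "20.0.0.260",
    "air-sdk": "20.0.0.260",
    "air-sdk-compiler": "20.0.0.260",
    "air-android": "20.0.0.233",
}

def parse_version(text):
    """'20.0.0.306' -> (20, 0, 0, 306). Commas are accepted as separators too."""
    parts = text.strip().replace(",", ".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # pad short versions to 4 fields

def is_listed_vulnerable(product, version):
    """True when version is at or below the advisory's bound for product."""
    if product not in VULNERABLE_UP_TO:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    return parse_version(version) <= parse_version(VULNERABLE_UP_TO[product])

def triage(inventory):
    """Split rows into (needs_update, needs_manual_review)."""
    needs_update, needs_review = [], []
    for row in inventory:
        host, product, version = row
        try:
            if is_listed_vulnerable(product, version):
                needs_update.append(row)
        except ValueError:
            needs_review.append(row)  # unknown product or unparsable version
    return needs_update, needs_review

# Constructed sample inventory (not real hosts or scan output).
SAMPLE_INVENTORY = [
    ("ws-014", "flash-desktop", "20.0.0.306"),  # exactly at the bound
    ("ws-022", "flash-desktop", "20.0.0.99"),   # a string compare calls this newer
    ("ws-031", "flash-esr", "18.0.0.330"),      # above the ESR bound only
    ("lx-007", "flash-linux", "11.2.202.569"),
    ("ws-040", "flash-desktop", "unknown"),     # cannot be evaluated
]
```

Rows that cannot be parsed are returned for manual review rather than treated as patched, and each product is compared against its own bound so that an Extended Support Release build is not judged by the Desktop Runtime threshold.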

Recommendations

  • Users and service providers are advised to patch affected systems immediately.
  • For non-Microsoft platforms, please consult Adobe Security Bulletin APSB16-08. [1]
  • For Microsoft platforms, please consult Microsoft Security Bulletin MS16-036. [2]

References