JPCERT-AT-2017-0018
JPCERT/CC
2017-05-10
<<< JPCERT/CC Alert 2017-05-10 >>>
Alert Regarding Vulnerabilities in Adobe Flash Player (APSB17-15)
https://www.jpcert.or.jp/english/at/2017/at170018.html
I. Overview
Adobe Flash Player contains multiple vulnerabilities. A remote attacker
may cause Adobe Flash Player to crash or execute arbitrary code by
convincing a user to open specially crafted contents leveraging these
vulnerabilities. For more information on the vulnerabilities, please
refer to the information provided by Adobe.
Security Updates Available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb17-15.html
II. Affected Products
The following versions are affected by these vulnerabilities:
- Adobe Flash Player Desktop Runtime (25.0.0.148) and earlier
(Windows and Linux)
- Adobe Flash Player Desktop Runtime (25.0.0.163) and earlier
(Macintosh)
- Adobe Flash Player for Google Chrome (25.0.0.148) and earlier
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (25.0.0.148) and earlier
(Windows 10 and Windows 8.1)
Users can check the version of Adobe Flash Player that they are using
at the following link:
Adobe Flash Player: Version Information
https://www.adobe.com/software/flash/about/
III. Solution
Please update Adobe Flash Player to the latest version listed below:
- Adobe Flash Player Desktop Runtime (25.0.0.171)
(Windows, Macintosh, Linux)
- Adobe Flash Player for Google Chrome (25.0.0.171)
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (25.0.0.171)
(Windows 10 and Windows 8.1)
Adobe Flash Player Download Center
https://get.adobe.com/flashplayer/
Please be aware of information provided by any distributors that include
Adobe Flash Player in their products such as web browsers.
Note that the following browsers contain Adobe Flash Player by default.
- Internet Explorer 11 (Windows 8.1 and Windows 10)
- Microsoft Edge (Windows 10)
- Google Chrome
For Internet Explorer 11 and Microsoft Edge, the latest version of
Adobe Flash Player will be applied through Windows Update, etc.
Also, the latest version of Adobe Flash Player will be updated when
Google Chrome is updated. For more information, please refer to the
following:
ADV170006 | May Flash Security Update
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170006
* Even if you use a web browser other than Internet Explorer, there
is software that uses Adobe Flash Player installed for Internet
Explorer, such as Microsoft Office, so please update Adobe Flash
Player for Internet Explorer.
IV. Workaround
As a temporary countermeasure until security updates can be applied,
please consider the following workaround such as disabling Flash on
the browser or restricting Flash display to mitigate impacts of the
vulnerability. In addition, applying these countermeasures may affect
other applications. Please carefully consider and test any side effects
prior to applying any of the workaround.
- Limit the Flash content
Please disable Flash on your browser or enable Click-to-Play
features.
For Microsoft Edge, it is recommended to disable Flash on the
browser as a workaround. For more information, please refer
to "V. References".
- Open the security tab on "Internet Options" in Internet Explorer
and change the security level to "High" for the Internet zone and
local intranet zone.
V. References
Adobe Systems Incorporated
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb17-15.html
Adobe Systems Incorporated
Security Bulletins Posted
https://blogs.adobe.com/psirt/?p=1465
ADV170006 | May Flash Security Update
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170006
Microsoft Corporation
Enable/Disable Flash Player for Microsoft Edge (Japanese)
https://answers.microsoft.com/ja-jp/windows/wiki/apps_windows_10-msedge/microsoft-edge/248bf728-44f4-4b4a-ae50-8b66ee7a96ca
If you have any information regarding this alert, please contact
JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top