JPCERT-AT-2016-0001
JPCERT/CC
2016-01-04 (Initial)
2016-01-06 (Update)

<<< JPCERT/CC Alert 2016-01-04 >>>

Vulnerabilities in Adobe Flash Player (APSB16-01)

https://www.jpcert.or.jp/english/at/2016/at160001.html


I. Overview

Adobe Flash Player contains multiple vulnerabilities. A remote attacker may cause Adobe Flash Player to crash or execute arbitrary code by convincing a user to open specially crafted contents leveraging these vulnerabilities. For more information on the vulnerabilities, please refer to the information provided by Adobe Systems.

  Security Updates Available for Adobe Flash Player
  https://helpx.adobe.com/security/products/flash-player/apsb16-01.html

According to Adobe Systems, limited, targeted attacks leveraging one of these vulnerabilities (CVE-2015-8651) have been observed in the wild.


II. Affected Products

The following versions are affected by these vulnerabilities:

- Adobe Flash Player 20.0.0.228 and earlier
  (Internet Explorer, Microsoft Edge, Google Chrome)
- Adobe Flash Player 20.0.0.235 and earlier
  (Mozilla Firefox, Apple Safari etc.)


III. Solution

Please update Adobe Flash Player to the latest version listed below:

- Adobe Flash Player 20.0.0.267
  (Internet Explorer (Windows 8, 8.1 and 10), Microsoft Edge, Google Chrome, Mozilla Firefox etc.)
- Adobe Flash Player 20.0.0.270
  (Internet Explorer)

** Update: 01/06/2016 Update *****************************************
On January 5, 2016 (US time), Adobe Flash Player Update was published for Internet Explorer and Microsoft Edge. Please apply the update as soon as possible by using Microsoft Update, Windows Update, and so on.

- Adobe Flash Player 20.0.0.272
  (Internet Explorer 11 (Windows 10), Microsoft Edge)
*********************************************************************

Users can check the version of Adobe Flash Player that they are using at the following link:

  Adobe Flash Player Download Center
  https://get.adobe.com/flashplayer/

Note that the following browsers contain Adobe Flash Player by default.

- Internet Explorer 10 (Windows 8)
- Internet Explorer 11 (Windows 8.1 and Windows 10)
- Microsoft Edge (Windows 10)
- Google Chrome

For Internet Explorer and Microsoft Edge, the latest version of Adobe Flash Player will be applied through Windows Update etc. Also, the latest version of Adobe Flash Player will be updated when Google Chrome is updated. For more information, please refer to the following:

  Adobe Flash Player Download Center
  https://get.adobe.com/flashplayer/

  Microsoft Security Advisory (2755801)
  Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge
  https://technet.microsoft.com/en-us/library/security/2755801.aspx

Users can check the version of Adobe Flash Player that they are using at the following link:

  Adobe Flash Player: Version Information
  https://www.adobe.com/software/flash/about/

* Even if you use a web browser other than Internet Explorer, there is software that uses Adobe Flash Player installed for Internet Explorer, such as Microsoft Office, so please update Adobe Flash Player for Internet Explorer.


IV. References

  Microsoft Security Advisory (2755801)
  Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge
  https://technet.microsoft.com/en-us/library/security/2755801.aspx

  National Police Agency
  About a security update program for Adobe Flash Player of Adobe Systems Incorporated (JAPANESE)
  https://www.npa.go.jp/cyberpolice/topics/?seq=17414

  US-CERT
  Adobe Releases Security Updates for Flash Player
  https://www.us-cert.gov/ncas/current-activity/2015/12/28/Adobe-Releases-Security-Updates-Flash-Player

** Update: 01/06/2016 Update *****************************************
  Adobe Systems
  Flash Player 20.0.0.267 - ActiveX Embedding Issue
  https://forums.adobe.com/message/8342786

  Microsoft Security Advisory (3132372)
  Update for Adobe Flash Player in Internet Explorer and Microsoft Edge: January 5, 2016
  https://support.microsoft.com/en-us/kb/3133431
*********************************************************************

If you have any information regarding this alert, please contact JPCERT/CC.

________
Revision History
2016-01-04 First edition
2016-01-06 Updated "Solution" and "References"

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/