JPCERT-AT-2016-0016
                                                             JPCERT/CC
                                                   2016-04-08(Initial)
                                                   2016-04-13 (Update)

                  <<< JPCERT/CC Alert 2016-04-08 >>>

           Vulnerabilities in Adobe Flash Player (APSB16-10)

        https://www.jpcert.or.jp/english/at/2016/at160016.html


I. Overview

  Adobe Flash Player contains multiple vulnerabilities. A remote
attacker may cause Adobe Flash Player to crash or execute arbitrary
code by convincing a user to open specially crafted contents
leveraging these vulnerabilities. For more information on the
vulnerabilities, please refer to the information provided by
Adobe Systems.

    Security Updates Available for Adobe Flash Player
    https://helpx.adobe.com/security/products/flash-player/apsb16-10.html

  These updates contain a fix for the vulnerability (CVE-2016-1019) 
published as APSA16-01 by Adobe Systems on April 5.

  According to Adobe Systems, attacks leveraging the vulnerability 
(CVE-2016-1019) using the following system are being reported.

  - Adobe Flash Player 20.0.0.306 and earlier
    (Windows 10 and earlier)

  However,  Adobe Systems states that users using Adobe Flash Player 
21.0.0.182 and later are protected from attacks leveraging the 
vulnerability (CVE-2016-1019).


II. Affected Products

  The following versions are affected by these vulnerabilities:

  - Adobe Flash Player 21.0.0.197 and earlier
    (Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox etc.)


III. Solution

  Please update Adobe Flash Player to the latest version listed below:

  - Adobe Flash Player 21.0.0.213
    (Internet Explorer, Google Chrome, Mozilla Firefox etc.)

    Adobe Flash Player Download Center
    https://get.adobe.com/flashplayer/

** Update: 04/13/2016 ***********************************************
  On April 12, 2016 (local time), Microsoft released Adobe Flash Player 
  Update for Internet Explorer and Microsoft Edge. Please apply the update as 
soon as possible by using Microsoft Update, Windows update, and so on.

  - Adobe Flash Player 21.0.0.213
    (Internet Explorer 11 (Windows 8.1 and 10),  Microsoft Edge)
*********************************************************************

  Users can check the version of Adobe Flash Player that they are
using at the following link:

    Adobe Flash Player:Version Information
    https://www.adobe.com/jp/software/flash/about/

  Note that the following browsers contain Adobe Flash Player by 
  default.

  - Google Chrome

** Update: 04/13/2016 ***********************************************
  - Internet Explorer 11 (Windows 8.1 and Windows 10)
  - Microsoft Edge (Windows 10)
*********************************************************************

  The latest version of Adobe Flash Player will be updated when Google 
Chrome is updated. 

** Update: 04/13/2016 ***********************************************
  For Internet Explorer 11 and Microsoft Edge, the latest version of 
Adobe Flash Player will be applied through Windows Update etc.
For more information, please refer to the following:

    MS16-050
    Security Update for Adobe Flash Player (3154132)
    https://technet.microsoft.com/en-us/library/security/ms16-050

  * Even if you use a web browser other than Internet Explorer, there is
    software that uses Adobe Flash Player installed for Internet
    Explorer, such as Microsoft Office, so please update Adobe Flash
    Player for Internet Explorer as well.
*********************************************************************


IV. References

    Adobe Systems
    Security Advisory for Adobe Flash Player
    https://helpx.adobe.com/security/products/flash-player/apsa16-01.html

    Adobe Product Security Incident Response Team (PSIRT) Blog 
    Security Updates Available for Adobe Flash Player (APSB16-10)
    http://blogs.adobe.com/psirt/?p=1334

    Adobe Product Security Incident Response Team (PSIRT) Blog
    Security Advisory posted for Adobe Flash Player  (APSA16-01)
    http://blogs.adobe.com/psirt/?p=1330

    proofpoint
    Killing a Zero-Day in the Egg: Adobe CVE-2016-1019
    https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg

    FireEye
    CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit
    https://www.fireeye.com/blog/threat-research/2016/04/cve-2016-1019_a_new.html

** Update: 04/13/2016 ***********************************************
    Microsoft Security Bulletin MS16-050 - Critical
    Security Update for Adobe Flash Player (3154132)
    https://technet.microsoft.com/en-us/library/security/ms16-050
*********************************************************************


  If you have any information regarding this alert, please contact
JPCERT/CC.

________
Revision History
2016-04-08 First edition
2016-04-13 Updated "Solution" and "References"

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/