JPCERT-AT-2016-0022
JPCERT/CC
2016-05-13(Initial)
2016-05-16(Update)
<<< JPCERT/CC Alert 2016-05-13 >>>
Vulnerabilities in Adobe Flash Player (APSB16-15)
https://www.jpcert.or.jp/english/at/2016/at160024.html
I. Overview
Adobe Flash Player contains multiple vulnerabilities. A remote
attacker may cause Adobe Flash Player to crash or execute arbitrary
code by convincing a user to open specially crafted contents
leveraging these vulnerabilities. For more information on the
vulnerabilities, please refer to the information provided by
Adobe Systems.
Security Updates Available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb16-15.html
These updates contain a fix for the vulnerability (CVE-2016-4117)
published as APSA16-02 by Adobe Systems on May 10.
According to Adobe Systems, attacks leveraging the vulnerability
are being reported. Please update to the latest version as soon as
possible.
II. Affected Products
The following versions are affected by these vulnerabilities:
- Adobe Flash Player : 21.0.0.226 and earlier
(Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox etc.)
- Adobe Flash Player for Google Chrome : 21.0.0.216 and earlier
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 : 21.0.0.213 and earlier (Windows 10)
- Adobe Flash Player for Internet Explorer 11 : 21.0.0.213 and earlier (Windows 8.1)
** Update: May 16, 2016 Update ***************************************
On May 13, 2016 (local time), Adobe Systems updated the affected
products and versions.
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 : 21.0.0.241 and earlier (Windows 10)
- Adobe Flash Player for Internet Explorer 11 : 21.0.0.241 and earlier (Windows 8.1)
**********************************************************************
III. Solution
Please update Adobe Flash Player to the latest version listed below:
- Adobe Flash Player : 21.0.0.242
(Internet Explorer, Google Chrome, Mozilla Firefox etc.)
- Adobe Flash Player for Google Chrome : 21.0.0.242
** Update: May 16, 2016 Update ***************************************
On May 13, 2016, Microsoft released Adobe Flash Player Update for
Internet Explorer and Microsoft Edge. Please update to the latest
version by using Windows update, and so on.
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (21.0.0.242)
(Windows 10 and Windows 8.1)
**********************************************************************
Adobe Flash Player Download Center
https://get.adobe.com/flashplayer/
Users can check the version of Adobe Flash Player that they are
using at the following link:
Adobe Flash Player:Version Information
https://www.adobe.com/jp/software/flash/about/
Note that the following browsers contain Adobe Flash Player by
default.
- Google Chrome
** Update: May 16, 2016 Update ***************************************
- Internet Explorer 11 (Windows 8.1 and Windows 10)
- Microsoft Edge (Windows 10)
**********************************************************************
The latest version of Adobe Flash Player will be updated when Google
Chrome is updated.
** Update: May 16, 2016 Update ***************************************
For Internet Explorer and Microsoft Edge, the latest version of
Adobe Flash Player will be applied through Windows Update etc.
For more information, please refer to the following:
MS16-064
Security Update for Adobe Flash Player (3157993)
https://technet.microsoft.com/library/security/MS16-064
* Even if you use a web browser other than Internet Explorer, there
is software that uses Adobe Flash Player installed for Internet
Explorer, such as Microsoft Office, so please update Adobe Flash
Player for Internet Explorer.
**********************************************************************
IV. Workaround
As a temporary countermeasure until a security update can be
applied, please consider the following workaround to mitigate
affects of the vulnerability. Applying these countermeasures may
cause other applications to not run properly. Please carefully
considerand test any side effects prior to applying any of the
workaround.
- Limit the flash content
Please disable Flash on your browser or enable Click-to-Play
features.
- Open the security tab from "Internet Options" in Internet Explorer
and change the security level to "High" for the internet zone and
local intranet zone.
- Apply the Microsoft Enhanced Mitigation Experience Toolkit (EMET)
Attack Surface Reduction (ASR) can be configured to help restrict
Microsoft Office and Internet Explorer from loading the Flash
ActiveX control.
Microsoft Suport Online
The Enhanced Mitigation Experience Toolkit
https://support.microsoft.com/en-us/kb/2458544
V. References
Adobe Product Security Incident Response Team (PSIRT) Blog
Security Updates Available for Adobe Flash Player (APSB16-15)
http://blogs.adobe.com/psirt/?p=1352
Adobe Product Security Incident Response Team (PSIRT) Blog
Security Advisory posted for Adobe Flash Player (APSA16-02)
http://blogs.adobe.com/psirt/?p=1346
Adobe Systems
Security Advisory for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsa16-02.html
** Update: May 16, 2016 Update ***************************************
Microsoft Security Bulletin MS16-064 - Critical
Security Update for Adobe Flash Player (3157993)
https://technet.microsoft.com/library/security/MS16-064
FireEye
CVE-2016-4117: Flash Zero-Day Exploited in the Wild
https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html
**********************************************************************
If you have any information regarding this alert, please contact
JPCERT/CC.
________
Revision History
2016-05-13 First edition
2016-05-16 Updated "II. Affected Products", "III. Solution" and "V. References"
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top