Bugzilla – Bug 984695
VUL-0: flash-player: critical vulnerability exploited in the wild (APSA16-03)
Last modified: 2019-05-01 17:17:41 UTC
Heads-up advisory for a release at or after 2016-06-16 https://helpx.adobe.com/security/products/flash-player/apsa16-03.html Security Advisory for Adobe Flash Player Release date: June 14, 2016 Vulnerability identifier: APSA16-03 CVE number: CVE-2016-4171 Platforms: Windows, Macintosh, Linux and Chrome OS Summary: A critical vulnerability (CVE-2016-4171) exists in Adobe Flash Player 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog. Severity ratings: Adobe categorizes this as a critical vulnerability. Acknowledgments: Adobe would like to thank Anton Ivanov and Costin Raiu of Kaspersky Lab for reporting CVE-2016-4171 and for working with Adobe to help protect our customers.
Reminder: changes of the last update needs to be enhanced, see bug 979422 comment 13.
bugbot adjusting priority
please ping me on IRC once you submitted so I can get in touch with autobuild to speed up the review
Subject: [security-team] Adobe Flash Player version 11.2.202.626 released
See also APSB16-18 https://helpx.adobe.com/security/products/flash-player/apsb16-18.html which lists the relevant CVEs.
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html Security updates available for Adobe Flash Player Release date: June 16, 2016 Vulnerability identifier: APSB16-18 Priority: See table below CVE number: CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135, CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140, CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171 Platform: Windows, Macintosh, Linux and ChromeOS Summary Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Please refer to APSA16-03 for additional details. .... Vulnerability Details These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4144, CVE-2016-4149). These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148). These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-4135, CVE-2016-4136, CVE-2016-4138). These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171). These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4140). These updates resolve a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2016-4139). Acknowledgments Aleksandar Nikolic of Cisco Talos (CVE-2016-4132) Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero (CVE-2016-4135, CVE-2016-4136, CVE-2016-4137, CVE-2016-4138) willJ of Tencent PC Manager (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4134, CVE-2016-4166) Nicolas Joly of Microsoft Vulnerability Research (CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148) Wen Guanxing from Pangu LAB (CVE-2016-4150, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156) LMX of the Qihoo 360 Codesafe Team (CVE-2016-4141) Dan Caselden of FireEye (CVE-2016-4140) Wen Guanxing from Pangu LAB. (CVE-2016-4151) Genwei Jiang of FireEye (CVE-2016-4149) Sebastian Lekies of Google (CVE-2016-4139) kelvinwang of Tencent PC Manager (CVE-2016-4133) Anton Ivanov of Kaspersky (CVE-2016-4171)
This is an autogenerated message for OBS integration: This bug (984695) was mentioned in https://build.opensuse.org/request/show/402849 13.2:NonFree / flash-player
submitted.
ssomeone also assigned CVE-2016-4126
According to https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4126 this is only in "as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083."
SUSE-SU-2016:1613-1: An update that fixes 36 vulnerabilities is now available. Category: security (critical) Bug References: 984695 CVE References: CVE-2016-4122,CVE-2016-4123,CVE-2016-4124,CVE-2016-4125,CVE-2016-4127,CVE-2016-4128,CVE-2016-4129,CVE-2016-4130,CVE-2016-4131,CVE-2016-4132,CVE-2016-4133,CVE-2016-4134,CVE-2016-4135,CVE-2016-4136,CVE-2016-4137,CVE-2016-4138,CVE-2016-4139,CVE-2016-4140,CVE-2016-4141,CVE-2016-4142,CVE-2016-4143,CVE-2016-4144,CVE-2016-4145,CVE-2016-4146,CVE-2016-4147,CVE-2016-4148,CVE-2016-4149,CVE-2016-4150,CVE-2016-4151,CVE-2016-4152,CVE-2016-4153,CVE-2016-4154,CVE-2016-4155,CVE-2016-4156,CVE-2016-4166,CVE-2016-4171 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP1 (src): flash-player-11.2.202.626-133.1 SUSE Linux Enterprise Workstation Extension 12 (src): flash-player-11.2.202.626-133.1 SUSE Linux Enterprise Desktop 12-SP1 (src): flash-player-11.2.202.626-133.1 SUSE Linux Enterprise Desktop 12 (src): flash-player-11.2.202.626-133.1
openSUSE-SU-2016:1621-1: An update that fixes 36 vulnerabilities is now available. Category: security (critical) Bug References: 984695 CVE References: CVE-2016-4122,CVE-2016-4123,CVE-2016-4124,CVE-2016-4125,CVE-2016-4127,CVE-2016-4128,CVE-2016-4129,CVE-2016-4130,CVE-2016-4131,CVE-2016-4132,CVE-2016-4133,CVE-2016-4134,CVE-2016-4135,CVE-2016-4136,CVE-2016-4137,CVE-2016-4138,CVE-2016-4139,CVE-2016-4140,CVE-2016-4141,CVE-2016-4142,CVE-2016-4143,CVE-2016-4144,CVE-2016-4145,CVE-2016-4146,CVE-2016-4147,CVE-2016-4148,CVE-2016-4149,CVE-2016-4150,CVE-2016-4151,CVE-2016-4152,CVE-2016-4153,CVE-2016-4154,CVE-2016-4155,CVE-2016-4156,CVE-2016-4166,CVE-2016-4171 Sources used: openSUSE 13.2 NonFree (src): flash-player-11.2.202.626-2.100.1
openSUSE-SU-2016:1625-1: An update that fixes 36 vulnerabilities is now available. Category: security (critical) Bug References: 984695 CVE References: CVE-2016-4122,CVE-2016-4123,CVE-2016-4124,CVE-2016-4125,CVE-2016-4127,CVE-2016-4128,CVE-2016-4129,CVE-2016-4130,CVE-2016-4131,CVE-2016-4132,CVE-2016-4133,CVE-2016-4134,CVE-2016-4135,CVE-2016-4136,CVE-2016-4137,CVE-2016-4138,CVE-2016-4139,CVE-2016-4140,CVE-2016-4141,CVE-2016-4142,CVE-2016-4143,CVE-2016-4144,CVE-2016-4145,CVE-2016-4146,CVE-2016-4147,CVE-2016-4148,CVE-2016-4149,CVE-2016-4150,CVE-2016-4151,CVE-2016-4152,CVE-2016-4153,CVE-2016-4154,CVE-2016-4155,CVE-2016-4156,CVE-2016-4166,CVE-2016-4171 Sources used: openSUSE 13.1 NonFree (src): flash-player-11.2.202.626-165.1