MS KB3021953: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote Windows host has a browser plugin that is affected by
multiple vulnerabilities.

Description :

The remote host is missing KB3021953. It is, therefore, affected by
the following vulnerabilities :

- Several use-after-free errors exist that allow arbitrary
code execution. (CVE-2015-0313, CVE-2015-0315,
CVE-2015-0320, CVE-2015-0322)

- Several memory corruption errors exist that allow
arbitrary code execution. (CVE-2015-0314,
CVE-2015-0316, CVE-2015-0318, CVE-2015-0321,
CVE-2015-0329, CVE-2015-0330)

- Several type confusion errors exist that allow
arbitrary code execution. (CVE-2015-0317, CVE-2015-0319)

- Several heap-based buffer-overflow errors exist that
allow arbitrary code execution. (CVE-2015-0323,
CVE-2015-0327)

- A buffer overflow error exists that allows arbitrary
code execution. (CVE-2015-0324)

- Several null pointer dereference errors exist that have
unspecified impacts. (CVE-2015-0325, CVE-2015-0326,
CVE-2015-0328)

- A use-after-free error exists within the processing of
invalid m3u8 playlists. A remote attacker, with a
specially crafted m3u8 playlist file, can force a
dangling pointer to be reused after it has been freed,
allowing the execution of arbitrary code.
(CVE-2015-0331)

See also :

https://technet.microsoft.com/library/security/2755801
https://support.microsoft.com/kb/3021953
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
http://www.zerodayinitiative.com/advisories/ZDI-15-047/

Solution :

Install Microsoft KB3021953.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true