Adobe Flash Player <= 21.0.0.226 Multiple Vulnerabilities (APSB16-15)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote Windows host has a browser plugin installed that is
affected by multiple vulnerabilities.

Description :

The version of Adobe Flash Player installed on the remote Windows
host is equal to or prior to 21.0.0.226. It is, therefore, affected by
multiple vulnerabilities :

- Multiple type confusion errors exist that allow an
attacker to execute arbitrary code. (CVE-2016-1105,
CVE-2016-4117)

- Multiple use-after-free errors exist that allow an
attacker to execute arbitrary code. (CVE-2016-1097,
CVE-2016-1106, CVE-2016-1107, CVE-2016-1108,
CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,
CVE-2016-4110, CVE-2016-4121)

- A heap buffer overflow condition exists that allows an
attacker to execute arbitrary code. (CVE-2016-1101)

- An unspecified buffer overflow exists that allows an
attacker to execute arbitrary code. (CVE-2016-1103)

- Multiple memory corruption issues exist that allow an
attacker to execute arbitrary code. (CVE-2016-1096,
CVE-2016-1098, CVE-2016-1099, CVE-2016-1100,
CVE-2016-1102, CVE-2016-1104, CVE-2016-4109,
CVE-2016-4111, CVE-2016-4112, CVE-2016-4113,
CVE-2016-4114, CVE-2016-4115, CVE-2016-4120,
CVE-2016-4160, CVE-2016-4161, CVE-2016-4162,
CVE-2016-4163)

- A flaw exists when loading dynamic-link libraries. An
attacker can exploit this, via a specially crafted .dll
file, to execute arbitrary code. (CVE-2016-4116)

See also :

https://helpx.adobe.com/security/products/flash-player/apsb16-15.html
http://www.nessus.org/u?0cb17c10

Solution :

Upgrade to Adobe Flash Player version 21.0.0.242 or later.

Alternatively, Adobe has made version 18.0.0.352 available for those
installations that cannot be upgraded to the latest version.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true