Adobe AIR for Mac <= 20.0.0.204 Multiple Vulnerabilities (APSB16-01)

critical Nessus Plugin ID 87658

Synopsis

The remote Mac OS X host has a browser plugin installed that is affected by multiple vulnerabilities.

Description

The version of Adobe AIR installed on the remote Mac OS X host is equal or prior to version 20.0.0.204. It is, therefore, affected by multiple vulnerabilities :

- A type confusion error exists that a remote attacker can exploit to execute arbitrary code. (CVE-2015-8644)

- An integer overflow condition exists that a remote attacker can exploit to execute arbitrary code.
(CVE-2015-8651)

- Multiple use-after-free errors exist that a remote attacker can exploit to execute arbitrary code.
(CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650, CVE-2016-0959)

- Multiple memory corruption issues exist that allow a remote attacker to execute arbitrary code.
(CVE-2015-8459, CVE-2015-8460, CVE-2015-8636, CVE-2015-8645)

Solution

Upgrade to Adobe AIR version 20.0.0.233 or later.

See Also

https://helpx.adobe.com/security/products/flash-player/apsb16-01.html

Plugin Details

Severity: Critical

ID: 87658

File Name: macosx_adobe_air_apsb16-01.nasl

Version: 1.12

Type: local

Agent: macosx

Published: 12/29/2015

Updated: 5/25/2022

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Critical

Score: 9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2016-0959

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

CVSS Score Source: CVE-2015-8459

Vulnerability Information

CPE: cpe:/a:adobe:air

Required KB Items: MacOSX/Adobe_AIR/Version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/28/2015

Vulnerability Publication Date: 12/28/2015

CISA Known Exploited Dates: 6/15/2022

Reference Information

CVE: CVE-2015-8459, CVE-2015-8460, CVE-2015-8634, CVE-2015-8635, CVE-2015-8636, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8644, CVE-2015-8645, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650, CVE-2015-8651, CVE-2016-0959

BID: 79700, 79701, 79704, 79705