Flash Player < 11.7.700.275 / 13.0.0.182 Multiple Vulnerabilities (APSB14-09)

High Nessus Network Monitor Plugin ID 8806

Synopsis

The remote host is running an outdated version of Adobe Flash Player for Internet Explorer that is affected by multiple vulnerabilities.

Description

Versions of Adobe Flash player prior to 11.7.700.275 / 13.0.0.182 are outdated and thus unpatched for the following vulnerabilities :

- A use-after-free error affects the handling of ExternalInterface. With a specially crafted flash object, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (CVE-2014-0506)
- An overflow condition exists which is triggered as user-supplied input is not properly validated when handling ActionScript regular expressions. This may allow a context-dependent attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2014-0507)
- An unspecified flaw that may allow a context-dependent attacker to bypass security restrictions and gain access to potentially sensitive information. (CVE-2014-0508)
- A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the applications do not validate input passed to the 'ExternalInterface.call()' function before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2014-0509)

Solution

Upgrade to Adobe Flash Player version 13.0.0.182 or later. If 13.x cannot be obtained, 11.7.700.275 has also been patched for these vulnerabilities.

See Also

http://helpx.adobe.com/security/products/flash-player/apsb14-09.html

http://www.securityfocus.com/archive/1/531839/30/0/threaded

Plugin Details

Severity: High

ID: 8806

Family: Web Clients

Published: 2015/07/10

Modified: 2018/09/16

Dependencies: 5158

Nessus ID: 73433, 73435

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:adobe:flash_player

Patch Publication Date: 2014/04/08

Vulnerability Publication Date: 2014/03/27

Reference Information

CVE: CVE-2014-0506, CVE-2014-0507, CVE-2014-0508, CVE-2014-0509

BID: 66208, 66699, 66701, 66703