Multiple vulnerabilities in Adobe Flash Player and AIR could allow an unauthenticated, remote attacker to execute arbitrary code.
This update resolves six use-after-free vulnerabilities, 14 memory corruption vulnerabilities, a type confusion vulnerability, and a heap buffer overflow vulnerability that could lead to arbitrary code execution. An attacker could exploit these vulnerabilities by persuading a user to visit a web page that contains crafted Flash content. If successful, the attacker could execute arbitrary code on a targeted system, which could allow the attacker to take control of the system.
The following Adobe products are vulnerable:
- Flash Player Desktop Runtime versions 126.96.36.1996 and prior for Windows and Macintosh
- Flash Player Extended Support Release versions 188.8.131.526 and prior for Windows and Macintosh
- Flash Player versions 184.108.40.2069 and prior for Linux
- AIR Desktop Runtime versions 220.127.116.11 and prior
- AIR SDK versions 18.104.22.168 and prior
- AIR SDK & Compiler versions 22.214.171.124 and prior
Adobe has released a security bulletin at the following link: APSB16-04
Adobe has released software updates at the following links:
Adobe Flash Player for Google Chrome, Microsoft Internet Explorer version 11, and Microsoft Edge can be updated by implementing the latest updates for the respective browsers.
FreeBSD has released a VuXML document at the following link: flash -- multiple vulnerabilities
FreeBSD releases ports collection updates at the following link: Ports Collection Index
Red Hat has released an official security advisory at the following link: RHSA-2016-0166. Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.
Administrators are advised to apply the appropriate updates.
Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
Administrators are advised to monitor affected systems.