Multiple Vulnerabilities in Adobe Products Could Allow for Remote Code Execution (APSB16-03, 04, 05, 07)
MS-ISAC ADVISORY NUMBER: 2016-030
Multiple vulnerabilities have been discovered in Adobe Connect, Experience Manager, Flash Player and Photoshop CC that could allow for remote code execution. Adobe Connect is software used to create information and general presentations, online training materials, web conferencing, learning modules, and user desktop sharing. Adobe Experience Manager is a Web Content Management System designed to enable users to create, edit, manage and optimize websites across different digital channels such as web and mobile. Adobe Photoshop CC is a graphics editor program. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Successful exploitation of these vulnerabilities may allow for remote code execution in the context of the current user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are no reports of these vulnerabilities being exploited in the wild.
- Large and medium government entities: HIGH
- Small government entities: HIGH
- Large and medium business entities: HIGH
- Small business entities: HIGH
Adobe Connect, Experience Manager, Flash Player and Photoshop CC are prone to multiple vulnerabilities, the most severe of which could allow for remote code execution. These vulnerabilities are as follows:
- A type confusion vulnerability that may lead to code execution (CVE-2016-0985).
- Multiple use-after-free vulnerabilities that could lead to code execution (CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984).
- A heap buffer overflow vulnerability that could lead to code execution (CVE-2016-0971).
- Multiple memory corruption vulnerabilities that may lead to code execution (CVE-2016-0951, CVE-2016-0952, CVE-2016-0953, CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0972, CVE-2016-0976, CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981).
- A Java deserialization issue (CVE-2016-0958).
- A cross-site scripting vulnerability that could lead to information disclosure (CVE-2016-0955).
- An information disclosure vulnerability affecting Apache Sling Servlets Post 2.3.6 (CVE-2016-0956).
- A URL filter bypass vulnerability that could be used to circumvent dispatcher rules (CVE-2016-0957).
- A cross-site request forgery protection feature (CVE-2016-0948).
- An input validation vulnerability (CVE-2016-0949).
- A content spoofing vulnerability (CVE-2016-0950).
Successful exploitation of these vulnerabilities could allow for remote code execution in the context of the current user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
We recommend the following actions be taken:
- Install the updates provided by Adobe immediately after appropriate testing.
- Remind users not to visit websites or follow links provided by unknown or untrusted sources.
- Limit user account privileges to only those required.
- Do not open email attachments from unknown or untrusted sources.