Think you have a false positive on this rule?

Sid 1-40780

Message

FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt

Summary

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.306 on Windows and OS X and before 11.2.202.569 on Linux, Adobe AIR before 20.0.0.260, Adobe AIR SDK before 20.0.0.260, and Adobe AIR SDK & Compiler before 20.0.0.260 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0973, CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, and CVE-2016-0984.

Impact

CVSS base score 9.8 CVSS impact score 5.9 CVSS exploitability score 3.9 confidentialityImpact HIGH integrityImpact HIGH availabilityImpact HIGH

CVE-2016-0974:

CVSS base score 9.8

CVSS impact score 5.9

CVSS exploitability score 3.9

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2016-0974: Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.306 on Windows and OS X and before 11.2.202.569 on Linux, Adobe AIR before 20.0.0.260, Adobe AIR SDK before 20.0.0.260, and Adobe AIR SDK & Compiler before 20.0.0.260 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0973, CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, and CVE-2016-0984.

Affected systems

  • adobe air 20.0.0.233
  • adobe air_sdk 20.0.0.233
  • adobe airsdk&_compiler 20.0.0.233
  • adobe flash_player 11.2.202.559
  • adobe flash_player 18.0.0.326
  • adobe flash_player 19.0.0.185
  • adobe flash_player 19.0.0.207
  • adobe flash_player 19.0.0.226
  • adobe flash_player 19.0.0.245
  • adobe flash_player 20.0.0.228
  • adobe flash_player 20.0.0.235
  • adobe flash_player 20.0.0.286

Ease of attack

CVE-2016-0974:

Access Vector

Access Complexity

Authentication

False positives

None known

False negatives

None known

Corrective action

Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor supplied patches.

Contributors

  • Talos research team.
  • This document was generated from data supplied by the national vulnerability database, a product of the national institute of standards and technology.
  • For more information see nvd.

Additional References

  • helpx.adobe.com/security/products/flash-player/apsb16-04.html