CVE-2016-0959 in Flash Player

Summary

by MITRE

Use after free vulnerability in Adobe Flash Player Desktop Runtime before 20.0.0.267, Adobe Flash Player Extended Support Release before 18.0.0.324, Adobe Flash Player for Google Chrome before 20.0.0.267, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 before 20.0.0.267, Adobe Flash Player for Internet Explorer 10 and 11 before 20.0.0.267, Adobe Flash Player for Linux before 11.2.202.559, AIR Desktop Runtime before 20.0.0.233, AIR SDK before 20.0.0.233, AIR SDK & Compiler before 20.0.0.233, AIR for Android before 20.0.0.233.


Analysis

by VulDB Data Team • 12/29/2019

CVE-2016-0959 is a use-after-free flaw (CWE-416) in Adobe Flash Player and Adobe AIR. The runtime releases an object while another code path still holds a pointer to it; when that pointer is dereferenced later, the access lands on memory that has been freed and may already have been handed out to a different allocation. In a runtime that parses attacker-supplied content, the new occupant of that memory can be chosen by the attacker, which is why CWE-416 bugs in Flash were routinely turned into arbitrary code execution in the plugin or browser process. This page does not identify the specific object or ActionScript API involved. Affected builds are Flash Player Desktop Runtime before 20.0.0.267, the Extended Support Release before 18.0.0.324, the Chrome, Edge and Internet Explorer 10/11 integrations before 20.0.0.267, Flash Player for Linux before 11.2.202.559, and the AIR Desktop Runtime, AIR SDK, AIR SDK & Compiler and AIR for Android before 20.0.0.233. Because the same runtime was embedded in or installed alongside every major desktop browser, the exposed population was large.

Exploitation follows the standard pattern for a use-after-free in a content-processing runtime. A crafted SWF drives the runtime to the point where the object is freed while a reference to it survives, then allocates attacker-shaped objects of the same size so the allocator hands back the freed chunk (heap grooming). The stale reference now points at attacker-controlled bytes; if the runtime's next use of it is a virtual call or a pointer load, the attacker decides where execution continues, typically into a ROP chain or shellcode staged by the same SWF. The mapping to ATT&CK T1059.007 (Command and Scripting Interpreter: JavaScript) is loose: ActionScript in the SWF is the delivery and grooming vehicle, but the primitive is memory corruption in a client application triggered by content, which ATT&CK files under Exploitation for Client Execution (T1203). A Flash use-after-free on its own yields code execution with the privileges of the plugin or browser process; breaking out of the browser sandbox or gaining higher privileges needs a second vulnerability, and this page presents no evidence of such a chain for this CVE. The broader lesson is that a large, hand-written native runtime parsing untrusted content is a steady source of such bugs, and that input validation does not catch them because the triggering input is well-formed.
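The free-then-reuse sequence described above, as an added example that is not Flash Player code or anything from the advisory. It uses a toy slab allocator (constructed for this example) with a LIFO free list so that slot reuse is deterministic, a Listener object whose first word is a dispatch pointer, and a stand-in attacker_handler in place of shellcode; the hardened version shows the usual fix, counted references with a release that clears the caller's pointer:

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not Flash Player code. A toy slab allocator with a
 * LIFO free list stands in for the browser heap: free a chunk, then allocate
 * another of the same size, and you get the same slot back. That reuse is
 * what heap grooming in a use-after-free exploit relies on. */

typedef void (*handler_fn)(int *out);

typedef struct {
    handler_fn on_event;  /* dispatch pointer in the first word, like a vtable slot */
    int refs;             /* reference count, used only by the hardened path */
} Listener;

#define SLOT_SIZE 32
#define NSLOTS 4
typedef union { Listener obj; unsigned char raw[SLOT_SIZE]; } Slot;

static Slot slots[NSLOTS];
static int free_list[NSLOTS];
static int free_count;

static void heap_reset(void) {
    memset(slots, 0, sizeof slots);
    for (int i = 0; i < NSLOTS; i++) free_list[i] = NSLOTS - 1 - i; /* slot 0 pops first */
    free_count = NSLOTS;
}

static void *slab_alloc(void) {
    return free_count ? (void *)&slots[free_list[--free_count]] : NULL;
}

static void slab_free(void *p) {
    free_list[free_count++] = (int)((Slot *)p - slots); /* LIFO: next alloc reuses it */
}

static void benign_handler(int *out)   { *out = 1; }
static void attacker_handler(int *out) { *out = 0xbad; } /* stands in for shellcode */

/* Vulnerable pattern (CWE-416): two code paths share one object, one frees it,
 * the other later dispatches through the dangling pointer. Returns whatever
 * the handler that actually ran wrote. */
static int vulnerable_dispatch(void) {
    heap_reset();
    Listener *owner_a = slab_alloc();
    owner_a->on_event = benign_handler;
    Listener *owner_b = owner_a;          /* second reference, not tracked anywhere */

    slab_free(owner_a);                   /* A tears the object down; B still points at it */

    /* Attacker step: allocate same-size "content" so the freed slot is
     * reused, and place a chosen pointer where on_event used to live. */
    unsigned char *groom = slab_alloc();
    handler_fn fake = attacker_handler;
    memcpy(groom, &fake, sizeof fake);

    int result = 0;
    owner_b->on_event(&result);           /* use after free: control flow is the attacker's */
    return result;
}

/* Hardened pattern: every holder owns a counted reference, the slot is only
 * returned to the allocator when the last one goes, and release() clears the
 * caller's pointer so a stale copy cannot survive in that variable. */
static Listener *listener_new(handler_fn h) {
    Listener *l = slab_alloc();
    l->on_event = h;
    l->refs = 1;
    return l;
}
static Listener *listener_retain(Listener *l) { l->refs++; return l; }
static void listener_release(Listener **pl) {
    if (*pl && --(*pl)->refs == 0) slab_free(*pl);
    *pl = NULL;
}

static int hardened_dispatch(void) {
    heap_reset();
    Listener *owner_a = listener_new(benign_handler);
    Listener *owner_b = listener_retain(owner_a);   /* B's reference is counted */

    listener_release(&owner_a);            /* refs 2 -> 1: slot stays live */

    unsigned char *groom = slab_alloc();   /* lands in a different slot */
    handler_fn fake = attacker_handler;
    memcpy(groom, &fake, sizeof fake);

    int result = 0;
    owner_b->on_event(&result);            /* still the benign handler */
    listener_release(&owner_b);            /* refs 1 -> 0: freed now, with no holders left */
    return result;
}

int main(void) {
    printf("vulnerable dispatch wrote 0x%x\n", vulnerable_dispatch());
    printf("hardened dispatch wrote   0x%x\n", hardened_dispatch());
    return 0;
}
```

The vulnerable path reports 0xbad because the attacker's handler ran through the dangling pointer; the hardened path reports 1. Real allocators behave the same way for same-size chunks, which is why the grooming step in a Flash exploit exists purely to make the freed chunk the next one handed out.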

The operational impact came from where Flash ran rather than from anything unusual about this particular bug. In December 2015 Flash Player shipped inside Chrome, and inside Edge and Internet Explorer on Windows 8 and later, and was installed as a plugin on most other desktops, so any page the user visited, or any page an attacker could inject content into (including through advertising networks), could serve the trigger; a malicious SWF could also arrive as a mail attachment. AIR for Android extended the affected population to mobile devices and to standalone AIR applications. This page, however, records no known exploitation: KEV is "no", Activities is "very low" and the EPSS score is 0.01591 (roughly a 1.6% probability of exploitation activity within 30 days, as EPSS defines it). Assertions that attackers used this specific CVE to bypass controls, escalate privileges or establish persistence are therefore not supported by the data here; the sound assumption is that it was exploitable, not that exploitation is documented.

Remediation at the time was to update to the fixed builds listed above (20.0.0.267 for mainline desktop and browser builds, 18.0.0.324 for the Extended Support Release, 11.2.202.559 for Linux, 20.0.0.233 for AIR) and, where that was not immediately possible, to keep Flash content from reaching the runtime: click-to-play in the browser, blocking SWF (application/x-shockwave-flash) at the web proxy, and blocking SWF attachments at the mail gateway. Inventory is the hard part, because one Windows host could carry several copies of the plugin (the NPAPI plugin, the ActiveX control for Internet Explorer, the copy bundled with Chrome, the one built into Edge), each reporting its own version. Scanner logic must also compare against the threshold of the branch actually installed: the ESR and Linux fixes carry lower numbers than 20.0.0.267, so flagging everything below that value produces false positives on patched ESR and Linux installs. Adobe ended support for Flash Player on December 31, 2020, so the only current remediation is removal: uninstall every copy of the runtime and the AIR SDK, treat remaining AIR applications as legacy software with their own decommissioning plan, and keep the browser and proxy blocks in place so that stray content cannot reach a forgotten install. Given that this page records no exploitation activity, a hunt focused on this CVE is hard to justify; the generic checks apply instead, namely browser or plugin-container crashes during the exposure window and unexpected child processes spawned by the browser or by the plugin container.
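A branch-aware version check for the fixed builds in the MITRE summary, as an added example rather than VulDB or Adobe code. The product and branch mapping (AIR products identified by the string "AIR", major version 18 as ESR, major version 11 as the Linux branch, 19 and 20 as mainline) and the tolerance for the "WIN 20,0,0,235" style string that the ActiveX control reports are assumptions for this illustration; the version numbers themselves are the page's:

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not VulDB or Adobe code. Fixed versions are those from
 * the MITRE summary; the product/branch mapping and the accepted version string
 * formats are assumptions made for this illustration. */

typedef struct { int n[4]; } Ver;

/* Parses "a.b.c.d" or "a,b,c,d", skipping a leading platform tag such as
 * "WIN " or "LNX ". Returns 1 on success. */
static int parse_ver(const char *s, Ver *out) {
    while (*s && (*s < '0' || *s > '9')) s++;
    return sscanf(s, "%d%*[.,]%d%*[.,]%d%*[.,]%d",
                  &out->n[0], &out->n[1], &out->n[2], &out->n[3]) == 4;
}

static int cmp_ver(const Ver *a, const Ver *b) {
    for (int i = 0; i < 4; i++)
        if (a->n[i] != b->n[i]) return a->n[i] < b->n[i] ? -1 : 1;
    return 0;
}

/* Picks the fixed version for the branch the installed build belongs to. A
 * single "< 20.0.0.267" test is wrong: the patched ESR (18.0.0.324) and the
 * patched Linux plugin (11.2.202.559) are numerically below it. */
static const char *fixed_for(const char *product, const Ver *cur) {
    if (strstr(product, "AIR"))  return "20.0.0.233";   /* AIR runtime, SDK, Android */
    if (cur->n[0] == 18)         return "18.0.0.324";   /* Extended Support Release */
    if (cur->n[0] == 11)         return "11.2.202.559"; /* Linux branch */
    if (cur->n[0] >= 19)         return "20.0.0.267";   /* mainline desktop and browser */
    return NULL;                                        /* outside the advisory's ranges */
}

/* 1 = affected, 0 = fixed, -1 = cannot decide (bad string or unlisted branch). */
static int cve_2016_0959_status(const char *product, const char *version) {
    Ver cur, fixed;
    if (!parse_ver(version, &cur)) return -1;
    const char *threshold = fixed_for(product, &cur);
    if (!threshold || !parse_ver(threshold, &fixed)) return -1;
    return cmp_ver(&cur, &fixed) < 0;
}

int main(void) {
    /* Constructed inventory lines, as an endpoint scanner might collect them. */
    static const char *inv[][2] = {
        { "Flash Player Desktop Runtime",          "20.0.0.235"     },
        { "Flash Player Extended Support Release", "18.0.0.324"     },
        { "Flash Player for Linux",                "11.2.202.554"   },
        { "Flash Player for Internet Explorer",    "WIN 20,0,0,235" },
        { "AIR SDK & Compiler",                    "20.0.0.204"     },
        { "Flash Player for Google Chrome",        "n/a"            },
    };
    for (size_t i = 0; i < sizeof inv / sizeof inv[0]; i++)
        printf("%-40s %-16s -> %d\n", inv[i][0], inv[i][1],
               cve_2016_0959_status(inv[i][0], inv[i][1]));
    return 0;
}
```

The case a naive comparison gets wrong is 18.0.0.324: numerically below 20.0.0.267 but the patched ESR, and the same applies to 11.2.202.559 on Linux. Unparseable strings return -1 rather than "fixed", so a scanner that cannot read a version reports it for manual review instead of silently passing it.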

Reservation

12/22/2015

Disclosure

06/27/2017

Moderation

accepted

CPE

ready

EPSS

0.01591

KEV

no

Activities

very low
