Adobe Flash Sandbox Whitespace 权限提升

CVSS 元临时分数	当前攻击价格 (≈)	CTI兴趣分数
6.3	$0-$5k	0.00

摘要信息

分类为致命的漏洞已在Adobe Flash中发现。此漏洞会影响某些未知进程的组件Sandbox。对作为Whitespace的一部分的操作导致权限提升。另外，有可用的漏洞利用。建议升级受影响的组件。

分类为致命的漏洞已在Adobe Flash中发现。此漏洞会影响某些未知进程的组件Sandbox。对作为Whitespace的一部分的操作导致权限提升。采用 CWE 描述该问题会链接到 CWE-451。此漏洞的脆弱性 2016-09-27由公示人Leone Pontorieri、公示人类型为Mailinglist Post (Full-Disclosure)所提交。该安全通告已在 seclists.org 提供下载。

暂无技术细节。该漏洞的流行度低于平均水平。另外，有可用的漏洞利用。该漏洞的利用方式已向公众披露，存在被利用的风险。现在，可能约为美元 $0-$5k。 MITRE ATT&CK 项目将该攻击技术定义为 T1566.003。

如果存在长度，则其被声明为概念验证。以下网址提供该漏洞利用：seclists.org。估计零日攻击的地下价格约为$25k-$100k。公告指出：

Flash has never fixed these issues and local-with-filesystem sandbox can be optionally enabled, by editing a configuration file. So, Flash still contains the vulnerable piece of code, but it can be exploited only if an uncommon setting is enabled. In this way, these vulnerabilities are “frozen” in the code and their fate is to be reproduced in every future version of Adobe Flash, but it seems unrealistic to use those again in a real world scenario.

建议升级受影响的组件。公告包含以下备注：

Like a lot of love stories, the one between Flash and local files is over. Local-with-filesystem sandbox has today, after a decade, been killed by Adobe, making (almost) obsolete those Flash files using that feature.