CVE-2016-1010
Published: 12 March 2016
Summary
CVE-2016-1010 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Apple Mac OS X. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 5.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
An integer overflow vulnerability, tracked as CVE-2016-1010 and assigned CWE-190, affects Adobe Flash Player versions before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X, before 11.2.202.577 on Linux, as well as Adobe AIR, Adobe AIR SDK, and Adobe AIR SDK & Compiler before 21.0.0.176. The flaw permits arbitrary code execution through unspecified vectors and is distinct from CVE-2016-0963 and CVE-2016-0993. It carries a CVSS 3.1 base score of 8.8, reflecting network attack vector, low complexity, and no required privileges.
Attackers can trigger the issue by supplying specially crafted content that victims are induced to process in the affected Flash Player or AIR runtime. Successful exploitation grants the ability to execute arbitrary code, potentially leading to full compromise of the affected system, with user interaction required to initiate the attack.
OpenSUSE security advisories referenced in the disclosure recommend applying vendor-supplied updates that address the integer overflow in the listed products. Corresponding patches were issued to bring Flash Player and AIR installations to the fixed versions noted in the CVE description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-2114
Vulnerability details
Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0963 and CVE-2016-0993.
- CWE(s): CWE-190 (Integer Overflow or Wraparound)
- KEV Date Added: 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely identification and installation of vendor patches that remediate the integer-overflow flaw in Flash Player/AIR.
- SC-18 (Mobile Code): Restricts or disables execution of untrusted mobile code (Flash), which is the attack vector for the crafted content that triggers CVE-2016-1010.
- CM-7 (Least Functionality): Enforces least functionality by removing or disabling unnecessary Flash runtime components, eliminating the vulnerable attack surface.