CVE-2016-4117 — Adobe Flash Player Arbitrary Code Execution Vulnerability

CVE-2016-4117

Adobe Flash Player — Type Confusion Zero-Day Exploited In-the-Wild Before Patch; CVSS 9.8 / UI:N; Emergency APSB16-15 (May 2016)

What Is Adobe Flash Player?

Adobe Flash Player was the ubiquitous cross-platform browser plugin deployed on over 90% of internet-connected computers at peak installation. Flash processed SWF (Shockwave Flash) files containing ActionScript bytecode, vector graphics, audio, and video — automatically executing on page load without user interaction. This universal execution model, combined with the complexity of Flash's ActionScript Virtual Machine and media processing stack, made Flash the dominant attack surface for browser exploitation throughout the 2010s.

Adobe Flash Player reached end-of-life on December 31, 2020, with all browsers removing Flash support around the same time. CVE-2016-4117 is among the last major Flash zero-days, occurring during the period when browsers were implementing click-to-play requirements that were gradually reducing Flash's exploitation viability.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-4117 is a critical type confusion zero-day vulnerability in Adobe Flash Player that Adobe confirmed was being exploited in the wild before a patch was available. The vulnerability arises from Flash accessing a resource using an incompatible type, allowing an attacker to corrupt memory and execute arbitrary code. With CVSS 9.8 and UI:N (no user interaction required, since Flash auto-executes), any Flash-enabled browser that loaded a malicious page was silently exploited. Adobe released the emergency out-of-band security bulletin APSB16-15 on May 12, 2016, fixing the flaw in Flash Player 21.0.0.242. Flash has been permanently end-of-life since December 2020. CISA added CVE-2016-4117 to the KEV catalog in March 2022.

Affected Versions

Flash Player | Platform | Status
--- | --- | ---
≤ 21.0.0.241 | Windows / Mac | Vulnerable
≤ 13.0.0.279 | Windows / Mac (extended support) | Vulnerable
≤ 11.2.202.621 | Linux | Vulnerable
21.0.0.242 | Windows / Mac | Fixed (APSB16-15)
All versions | All | EOL (no further patches)

Technical Details

Root Cause: Type Confusion in Flash ActionScript Runtime

CVE-2016-4117 is a type confusion vulnerability (CWE-843) in Adobe Flash Player — specifically an "access of resource using incompatible type." Type confusion occurs in Flash's ActionScript runtime or SWF processing when the interpreter treats a memory object as one type (e.g., a String or Array) but the object was actually allocated or structured as a different type (e.g., a ByteArray or Vector).

The exploitation mechanism for type confusion in Flash:

  1. Trigger the type confusion — a crafted SWF file causes Flash's ActionScript VM to create or reference an object with an incorrect type, allowing the attacker to supply an object where the runtime expects a different type
  2. Memory disclosure via type mismatch — using the confused type, the attacker can read memory outside the intended object bounds (since the "wrong" type has different size/layout), disclosing heap addresses or adjacent object contents
  3. Arbitrary read/write primitive — the type confusion is escalated into arbitrary heap read/write by carefully choosing which types are confused; ByteArray and Vector.<uint> are classic Flash exploitation targets for type confusion because they provide indexed memory access without bounds checking when type-confused
  4. Overwrite function pointer or vtable — the write primitive targets a Flash object's vtable or a function pointer, redirecting code execution
  5. Shellcode / ROP chain execution — the redirected execution runs attacker-controlled code in the Flash renderer process

Zero-Day Status and Active Exploitation

Adobe confirmed active exploitation of CVE-2016-4117 before releasing the patch — a characteristic of zero-day exploitation. This means:

  • Attackers had working exploit code for an unpatched vulnerability
  • Users who visited malicious pages were exploited with no available defense (other than disabling Flash)
  • The zero-day exploitation window ran until Adobe released APSB16-15 on May 12, 2016

The UI:N CVSS metric reflects that Flash auto-executed SWF content on page load in most browser configurations of the time — visiting a malicious web page or ad silently exploited the vulnerability without any user click or confirmation.

Attack Characteristics

Attribute | Detail
--- | ---
Attack Vector | Network (malicious SWF via web page or malvertising)
Authentication | None required
User Interaction | None required (Flash auto-executes)
Zero-Day Window | Active exploitation before the May 12 patch
CVSS | 9.8 (maximum impact across confidentiality, integrity and availability)
EOL | Flash permanently EOL since December 2020

Discovery

CVE-2016-4117 was discovered through observation of active exploitation: Adobe reported in-the-wild exploitation before the vulnerability was formally disclosed to the public. The vulnerability was reported to Adobe, and Adobe responded with the emergency APSB16-15 bulletin.

Exploitation Context

  • Zero-day exploitation for targeted attacks: Type confusion vulnerabilities in Flash were highly valued by advanced threat actors; CVE-2016-4117's zero-day status and UI:N exploit characteristics made it suitable for both targeted spear-phishing campaigns (serving malicious SWFs to specific targets) and mass exploitation via exploit kits or malvertising
  • Declining but still significant Flash attack surface: By May 2016, Chrome had enabled click-to-activate for Flash content, and Firefox was increasingly restricting Flash — but Internet Explorer and older browsers still auto-executed Flash, and enterprise deployments frequently enabled Flash explicitly for intranet applications; this maintained a substantial exploitation surface
  • Flash zero-day cadence in 2016: CVE-2016-4117 was one of multiple Flash zero-days in 2015–2016; the exploitation of Flash continued despite patching pressure because the complexity of Flash's ActionScript VM provided a persistent reservoir of type confusion and memory corruption vulnerabilities
  • Adobe Flash EOL legacy: Flash has been permanently end-of-life since December 2020; all known vulnerabilities, including CVE-2016-4117, remain permanently unpatched on any remaining Flash installations
  • CISA KEV (2022): Added March 3, 2022 alongside CVE-2016-1019 and other Flash vulnerabilities, reflecting confirmed exploitation history

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. The impacted product is end-of-life and should be disconnected if still in use.

  1. Remove Flash Player — uninstall Adobe Flash Player from all systems immediately. Adobe's Flash uninstaller is available from Adobe; Microsoft's KB4577586 (Windows Update) removes Flash from Windows. Flash is permanently end-of-life and has no further security updates.

  2. Verify Flash removal — use Programs and Features (Windows) or equivalent to confirm Flash Player is no longer installed. Check browsers for any remaining Flash plugins.

  3. Migrate Flash-dependent applications — identify any remaining Flash content (internal applications, legacy intranet pages, training materials) and migrate to HTML5, WebGL, or other supported technologies.

  4. Block Flash at the network level — configure web proxies and endpoint security to block SWF file downloads and Flash-related MIME types as an additional safety layer against Flash re-installation.

  5. Upgrade browsers and OS — all modern browsers (Chrome 88+, Firefox 85+, Edge 87+, Safari 14+) have permanently removed Flash support. Systems running legacy browsers that still support Flash should be upgraded urgently.
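Step 4 of the procedure above blocks SWF content at the proxy. As an added example (not code from this page or from Adobe), the following Python policy check flags Flash content both by Content-Type and by the SWF file signature (the FWS/CWS/ZWS header), so a SWF served with a misleading MIME type is still caught. The MIME list and the minimal SWF bodies built by make_swf are constructed for the demo.

```python
import struct
import zlib

# Content-Type values that identify Flash content on the wire. The first is
# the one browsers historically used; the second is the IANA-registered name.
FLASH_MIME_TYPES = {
    "application/x-shockwave-flash",
    "application/vnd.adobe.flash.movie",
}

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length.
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data: bytes):
    """Return the SWF header fields if data starts with one, else None."""
    if len(data) < 8:
        return None
    sig = data[:3]
    if sig not in SWF_SIGNATURES:
        return None
    return {
        "signature": sig.decode("ascii"),
        "version": data[3],
        "compression": SWF_SIGNATURES[sig],
        "declared_length": struct.unpack_from("<I", data, 4)[0],
    }


def should_block(content_type: str, body: bytes):
    """Proxy policy decision: block on MIME type or on SWF magic bytes,
    so a SWF served as image/gif or octet-stream is still caught."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in FLASH_MIME_TYPES:
        return True, f"flash mime type {mime}"
    hdr = parse_swf_header(body)
    if hdr is not None:
        return True, f"swf magic {hdr['signature']} (version {hdr['version']})"
    return False, "not flash content"


def make_swf(compress: bool, version: int = 10) -> bytes:
    """Constructed minimal SWF (header plus dummy body) for the demo only."""
    body = b"\x00" * 20  # placeholder tag data, not a real movie
    header = (b"CWS" if compress else b"FWS") + bytes([version])
    header += struct.pack("<I", 8 + len(body))  # length counts the header
    return header + (zlib.compress(body) if compress else body)
```

Call should_block(content_type, first_bytes_of_body) from the proxy's response hook; only the first 8 bytes of the body are needed for the signature check.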

Key Details

Property | Value
--- | ---
CVE ID | CVE-2016-4117
Vendor / Product | Adobe Flash Player
NVD Published | 2016-05-11
NVD Last Modified | 2025-11-17
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CISA KEV Added | 2022-03-03
CISA KEV Deadline | 2022-03-24
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
--- | ---
Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date | Event
--- | ---
2016-05-08 | Adobe reports active exploitation of the CVE-2016-4117 zero-day Flash type confusion vulnerability in the wild
2016-05-11 | CVE-2016-4117 published by NVD
2016-05-12 | Adobe releases emergency out-of-band APSB16-15 patching CVE-2016-4117 in Flash Player 21.0.0.242
2020-12-31 | Adobe Flash Player reaches end-of-life
2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24 | CISA BOD 22-01 remediation deadline