Last Friday, Adobe Systems released an ahead-of-schedule update to resolve a widely known vulnerability in Flash Player that is being actively exploited in the wild. The Flash Player updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.
“Adobe is aware of a report that an exploit for CVE-2015-7645 is being used in limited, targeted attacks,” noted Adobe’s security bulletin (APSB15-27).
The affected Adobe software is listed as follows:
The vulnerabilities patched with Flash Player 19.0.0.226 are described below:
CVE-2015-7645: Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows and OS X and 11.x through 11.2.202.535 on Linux allows remote attackers to execute arbitrary code via a crafted SWF file, as exploited in the wild in October 2015.
CVE-2015-7647: Adobe Flash Player before 18.0.0.255 and 19.x before 19.0.0.226 on Windows and OS X and before 11.2.202.540 on Linux allows attackers to execute arbitrary code by leveraging an unspecified “type confusion,” a different vulnerability than CVE-2015-7648.
CVE-2015-7648: Adobe Flash Player before 18.0.0.255 and 19.x before 19.0.0.226 on Windows and OS X and before 11.2.202.540 on Linux allows attackers to execute arbitrary code by leveraging an unspecified “type confusion,” a different vulnerability than CVE-2015-7647.
Mac and Windows users running Adobe Flash Player Desktop Runtime should update to Flash Player 19.0.0.226 (15.9 MB) immediately, and Linux users should update to Flash Player 11.2.202.540. The Flash Player installed with Google Chrome is updated automatically along with the browser: the latest Google Chrome version will include Flash Player 19.0.0.226 on Macintosh, Windows and Linux, and 19.0.0.225 on Chrome OS.
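To triage an inventory against the version ranges quoted above, the following added example (not Adobe's code) compares installed versions numerically, field by field, and reports which of the three CVEs cover each install. The `affected_by` helper, the host names and the installed versions are hypothetical and constructed for illustration; only the range boundaries come from the CVE descriptions on this page.

```python
# Added example. Ranges are transcribed from the CVE descriptions above;
# host names and installed versions in INVENTORY are constructed sample data.

def parse(version):
    """'19.0.0.207' -> (19, 0, 0, 207): compare numerically, never as strings."""
    return tuple(int(part) for part in version.strip().split("."))

GROUP = {"windows": "desktop", "os x": "desktop", "linux": "linux"}

# (platform group, lowest affected, upper bound, upper bound is inclusive?)
RULES = {
    "CVE-2015-7645": [
        ("desktop", "18.0.0.0", "18.0.0.252", True),   # "18.x through 18.0.0.252"
        ("desktop", "19.0.0.0", "19.0.0.207", True),   # "19.x through 19.0.0.207"
        ("linux", "11.0.0.0", "11.2.202.535", True),   # "11.x through 11.2.202.535"
    ],
}
# CVE-2015-7647 and CVE-2015-7648 are described with the same "before X" ranges.
for cve in ("CVE-2015-7647", "CVE-2015-7648"):
    RULES[cve] = [
        ("desktop", "0", "18.0.0.255", False),          # "before 18.0.0.255"
        ("desktop", "19.0.0.0", "19.0.0.226", False),   # "19.x before 19.0.0.226"
        ("linux", "0", "11.2.202.540", False),          # "before 11.2.202.540"
    ]

def affected_by(platform, version):
    """Return the CVEs from this page whose stated range covers the install."""
    group = GROUP[platform.lower()]  # KeyError for platforms the ranges do not list
    v = parse(version)
    hits = []
    for cve, ranges in RULES.items():
        for grp, low, high, inclusive in ranges:
            below = v <= parse(high) if inclusive else v < parse(high)
            if grp == group and parse(low) <= v and below:
                hits.append(cve)
                break
    return hits

INVENTORY = [  # constructed
    ("ws-01", "Windows", "19.0.0.207"),
    ("ws-02", "OS X", "19.0.0.226"),
    ("ws-03", "Windows", "18.0.0.253"),
    ("lx-01", "Linux", "11.2.202.535"),
]

if __name__ == "__main__":
    for host, platform, version in INVENTORY:
        print(host, platform, version, affected_by(platform, version) or "no listed CVE")
```

Note that a build such as 18.0.0.253 falls outside the range stated for CVE-2015-7645 but is still below the fixed versions for CVE-2015-7647 and CVE-2015-7648, so it must still be updated.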