Adobe: Update Flash Player Immediately, Exploit in the Wild
Posted by Derek Erwin
From the department of things we’ve heard before but can’t ignore, Adobe has issued an emergency security update for Flash Player to address critical vulnerabilities. An exploit for one of these critical vulnerabilities is already circulating in the wild, and millions of Adobe Flash users running outdated versions are exposed.
The vulnerability, identified as CVE-2016-1019, exists in Adobe Flash Player 21.0.0.197 and earlier versions for Windows, Macintosh, Linux, and Chrome OS.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said. “CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier.”
According to Trevor Mogg over at Digital Trends, Adobe issued a global alert to all computer users to warn about the major flaw, which is said to leave machines open to ransomware attacks.
Adobe software affected by critical vulnerabilities includes the following:
If you still use Adobe Flash, you should immediately update to Flash Player version 21.0.0.213. Check to see which Flash version you’re running right now.
The full list of vulnerabilities patched in the new Adobe Flash includes the following:
- These updates harden a mitigation against JIT spraying attacks that could be used to bypass memory layout randomization mitigations (CVE-2016-1006).
- These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1015, CVE-2016-1019).
- These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031).
- These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033).
- These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2016-1018).
- These updates resolve a security bypass vulnerability (CVE-2016-1030).
- These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-1014).
For a list of acknowledgements highlighting the researchers who discovered the flaws patched in these updates, see Adobe’s Security Bulletin (APSB16-10).
Mac and Windows users running Adobe Flash Player Desktop Runtime should update to Flash Player 21.0.0.213 (17.7 MB) immediately, and Extended Support Release users should update to version 18.0.0.343.
Linux users require a different version and should update to Flash Player 11.2.202.616 by visiting the Adobe Flash Player Download Center.
Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 21.0.0.213 for Windows, Macintosh, Linux and Chrome OS.
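As an added defensive example (not from the post or from Adobe), the Python below triages installed Flash Player build numbers against the fixed builds named above; the mapping of major-version branch to product and the sample inventory are assumptions made for the demo.

```python
"""Triage installed Flash Player builds against the fixed builds named in APSB16-10."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]
# Fixed builds quoted in the post, keyed by major-version branch. Assumption:
# 11.x is the Linux NPAPI plugin, 18.x the Extended Support Release, and any
# other branch is the desktop/Chrome runtime, which should be on 21.0.0.213.
DESKTOP_FIXED: Version = (21, 0, 0, 213)
FIXED_BY_BRANCH: Dict[int, Version] = {11: (11, 2, 202, 616), 18: (18, 0, 0, 343)}
# Adobe reported CVE-2016-1019 exploited on Windows with 20.0.0.306 and earlier.
EXPLOITED_UPTO: Version = (20, 0, 0, 306)

def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' (or 'a,b,c,d', as some installers report it) into a tuple."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Flash version string: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)

def assess(text: str) -> Dict[str, object]:
    """Classify one build: patched/vulnerable, the build to install, and whether
    it falls in the range Adobe reported as actively exploited."""
    v = parse_version(text)
    target = FIXED_BY_BRANCH.get(v[0], DESKTOP_FIXED)
    return {
        "installed": text,
        "status": "patched" if v >= target else "vulnerable",
        "update_to": ".".join(map(str, target)),
        "known_exploited_range": v[0] not in FIXED_BY_BRANCH and v <= EXPLOITED_UPTO,
    }

def hosts_needing_update(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, build_to_install) for each host still below the fix."""
    needs = []
    for host, ver in inventory:
        result = assess(ver)
        if result["status"] == "vulnerable":
            needs.append((host, str(result["update_to"])))
    return needs

# Constructed sample inventory; host names and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("win-laptop-01", "20.0.0.306"),     # vulnerable and inside the exploited range
    ("mac-desk-02", "21.0.0.197"),       # vulnerable, latest affected desktop build
    ("mac-desk-03", "21.0.0.213"),       # patched
    ("esr-kiosk-04", "18.0.0.300"),      # ESR branch, vulnerable
    ("linux-build-05", "11.2.202.616"),  # Linux NPAPI plugin, patched
]
```

Feed it the version strings your inventory tool collects; anything it reports as vulnerable should be pushed to the build in the second column.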