Last Friday, Adobe Systems released an ahead-of-schedule update to resolve a widely known vulnerability in Flash Player that is being actively exploited in the wild. The Flash Player updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.
“Adobe is aware of a report that an exploit for CVE-2015-7645 is being used in limited, targeted attacks,” noted Adobe’s security bulletin (APSB15-27).
The affected Adobe software is listed as follows:
The vulnerabilities patched with Flash Player 188.8.131.52 are described below:
- CVE-2015-7645: Adobe Flash Player 18.x through 184.108.40.206 and 19.x through 220.127.116.11 on Windows and OS X and 11.x through 18.104.22.1685 on Linux allows remote attackers to execute arbitrary code via a crafted SWF file, as exploited in the wild in October 2015.
- CVE-2015-7647: Adobe Flash Player before 22.214.171.124 and 19.x before 126.96.36.199 on Windows and OS X and before 188.8.131.520 on Linux allows attackers to execute arbitrary code by leveraging an unspecified “type confusion,” a different vulnerability than CVE-2015-7648.
- CVE-2015-7648: Adobe Flash Player before 184.108.40.206 and 19.x before 220.127.116.11 on Windows and OS X and before 18.104.22.1680 on Linux allows attackers to execute arbitrary code by leveraging an unspecified “type confusion,” a different vulnerability than CVE-2015-7647.
Mac and Windows users running Adobe Flash Player Desktop Runtime should update to Flash Player 22.214.171.124 (15.9 MB) immediately, and Linux users should update to Flash Player 126.96.36.1990. Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Flash Player 188.8.131.52 on Macintosh, Windows and Linux, and 184.108.40.206 on Chrome OS.