Last Friday, Adobe Systems released an ahead-of-schedule update to resolve a widely known Flash Player vulnerability that is being actively exploited in the wild. The Flash Player updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.
“Adobe is aware of a report that an exploit for CVE-2015-7645 is being used in limited, targeted attacks,” noted Adobe’s security bulletin (APSB15-27).
The affected Adobe software is listed as follows:
The vulnerabilities patched with Flash Player 126.96.36.199 are described below:
- CVE-2015-7645: Adobe Flash Player 18.x through 188.8.131.52 and 19.x through 184.108.40.206 on Windows and OS X and 11.x through 220.127.116.115 on Linux allows remote attackers to execute arbitrary code via a crafted SWF file, as exploited in the wild in October 2015.
- CVE-2015-7647: Adobe Flash Player before 18.104.22.168 and 19.x before 22.214.171.124 on Windows and OS X and before 126.96.36.1990 on Linux allows attackers to execute arbitrary code by leveraging an unspecified “type confusion,” a different vulnerability than CVE-2015-7648.
- CVE-2015-7648: Adobe Flash Player before 188.8.131.52 and 19.x before 184.108.40.206 on Windows and OS X and before 220.127.116.110 on Linux allows attackers to execute arbitrary code by leveraging an unspecified “type confusion,” a different vulnerability than CVE-2015-7647.
Mac and Windows users running Adobe Flash Player Desktop Runtime should update to Flash Player 18.104.22.168 (15.9 MB) immediately, and Linux users should update to Flash Player 22.214.171.1240. Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Flash Player 126.96.36.199 on Macintosh, Windows and Linux, and 188.8.131.52 on Chrome OS.