Last Friday, Adobe Systems released an ahead-of-schedule update to resolve a widely known vulnerability in Flash Player being actively exploited in the wild. The Flash Player updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.
“Adobe is aware of a report that an exploit for CVE-2015-7645 is being used in limited, targeted attacks,” noted Adobe’s security bulletin (APSB15-27).
The affected Adobe software is listed as follows:
The vulnerabilities patched with Flash Player 22.214.171.124 are described below:
- CVE-2015-7645 : Adobe Flash Player 18.x through 126.96.36.199 and 19.x through 188.8.131.52 on Windows and OS X and 11.x through 184.108.40.2065 on Linux allows remote attackers to execute arbitrary code via a crafted SWF file, as exploited in the wild in October 2015.
- CVE-2015-7647 : Adobe Flash Player before 220.127.116.11 and 19.x before 18.104.22.168 on Windows and OS X and before 22.214.171.1240 on Linux allows attackers to execute arbitrary code by leveraging an unspecified “type confusion,” a different vulnerability than CVE-2015-7648.
- CVE-2015-7648 : Adobe Flash Player before 126.96.36.199 and 19.x before 188.8.131.52 on Windows and OS X and before 184.108.40.2060 on Linux allows attackers to execute arbitrary code by leveraging an unspecified “type confusion,” a different vulnerability than CVE-2015-7647.
Mac and Windows users running Adobe Flash Player Desktop Runtime should update to Flash Player 220.127.116.11 (15.9 MB) immediately, and Linux users should update to Flash Player 18.104.22.1680. Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Flash Player 22.214.171.124 on Macintosh, Windows and Linux, and 126.96.36.199 on Chrome OS.