Adobe Systems has released Flash Player 18.104.22.168 today with patches for numerous security holes in its Flash software for Mac and Windows. These patches address 23 critical vulnerabilities (CVEs) that could potentially allow malicious folks to take control of the affected computer; an exploit for one of them exists and is being used in the wild.
Adobe confirmed that it is “aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks.”
Affected Adobe software is listed as follows:
The vulnerabilities patched with Flash Player 22.214.171.124 are described as follows:
- These updates resolve integer overflow vulnerabilities that could lead to code execution (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010).
- These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000).
- These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2016-1001).
- These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, CVE-2016-1005).
For a list of acknowledgements highlighting the researchers who discovered the flaws patched in today’s update, see Adobe’s Security Bulletin (APSB16-08).
Mac and Windows users running Adobe Flash Player Desktop Runtime should update to Flash Player 126.96.36.199 (17.7 MB) immediately, and Linux users should update to Flash Player 188.8.131.527 by visiting the Adobe Flash Player Download Center. The copy of Adobe Flash installed with Google Chrome will be updated automatically along with the latest Google Chrome version, which will include Adobe Flash Player 184.108.40.206 for Windows, Macintosh, Linux and Chrome OS.