Adobe Systems has just released Flash Player updates with patches for a zero-day exploit, issuing Flash version 126.96.36.199 for Windows and Macintosh, and version 188.8.131.521 for Linux. The now outdated Flash Player versions are vulnerable to a zero-day flaw, identified as CVE-2016-4117, which is being actively exploited to compromise PCs.
“Adobe is aware of reports that an exploit for CVE-2016-4117 exists in the wild,” the software company confirmed. “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”
Discovered by security researcher Genwei Jiang, the critical zero-day vulnerability affects Windows, Macintosh, Linux, and Chrome OS.
Adobe software affected by this update includes the following:
The vulnerabilities patched with Adobe Flash Player 184.108.40.206 are described as follows:
- These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1105, CVE-2016-4117).
- These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110).
- These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-1101).
- These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2016-1103).
- These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115).
- These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4116).
For a list of acknowledgements highlighting the researchers who discovered the flaws patched in today’s update, see Adobe’s Security Bulletin (APSB16-15).
Macintosh and Windows users running Adobe Flash Player Desktop Runtime should update to Flash Player 220.127.116.11 (17.7 MB) immediately, and Linux users should update to Flash Player 18.104.22.1681 by visiting the Adobe Flash Player Download Center. Adobe Flash installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 22.214.171.124 for Windows, Macintosh, Linux and Chrome OS.