From the department of things we’ve heard before but can’t ignore, Adobe has issued an emergency security update for Flash Player to address critical vulnerabilities. In outdated Flash versions there exists an exploit in the wild for a critical vulnerability in which millions of Adobe Flash users are impacted.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said. “CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 184.108.40.2066 and earlier.”
According to Trevor Mogg over at Digital Trends, Adobe issued a global alert to all computer users to warn about the major flaw, which is said to leave machines open to ransomware attacks.
Adobe software affected by critical vulnerabilities include the following:
If you still use Adobe Flash, you should immediately update to Flash Player version 220.127.116.11. Check to see which Flash version you’re running right now.
The full list of vulnerabilities patched in the new Adobe Flash includes the following:
- These updates harden a mitigation against JIT spraying attacks that could be used to bypass memory layout randomization mitigations (CVE-2016-1006).
- These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1015, CVE-2016-1019).
- These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031).
- These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033).
- These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2016-1018).
- These updates resolve a security bypass vulnerability (CVE-2016-1030).
- These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-1014).
For a list of acknowledgements highlighting the researchers who discovered the flaws patched in these updates, see Adobe’s Security Bulletin (APSB16-10).
Mac and Windows users running Adobe Flash Player Desktop Runtime should update to Flash Player 18.104.22.168 (17.7 MB) immediately, and Extended Support Release users should update to version 22.214.171.1243.
Linux users require a different version and should update to Flash Player 126.96.36.1996 by visiting the Adobe Flash Player Download Center.
Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 188.8.131.52 for Windows, Macintosh, Linux and Chrome OS.