Adobe has released an out-of-bound patch for Flash Player due to a zero-day vulnerability. According to Adobe’s bulletin (APSB16-36), versions of Flash from 18.104.22.168 and earlier (released on October 11) are affected. (Adobe Flash Player for Linux uses a separate version numbering system; for that product versions 22.214.171.1247 and earlier are vulnerable.) We urge all users who still have Flash installed to update to the version released today as soon as possible.
The vulnerability is a use-after-free vulnerability that has been designated CVE-2016-7855. An attacker could use a malicious Flash file to run malicious code on a user’s system, allowing various threats to be planted on the affected system. The bulletin noted that the vulnerability has been exploited in “limited, targeted attacks” against Windows users.
Adobe has released a Flash update which fixes this vulnerability. This update brings the current version of Flash to 126.96.36.199. The built-in update mechanism of Flash will either automatically install the update or prompt the user to do so. The versions of Flash that are integrated into Google Chrome and Microsoft Edge/Internet Explorer will receive updates via the update mechanisms of those browsers. For Adobe Flash Player for Linux, the current version is 188.8.131.523.
- 1008003—Adobe Flash Player Use-After-Free Vulnerability
TippingPoint customers are protected from attacks exploiting these vulnerability with the following MainlineDV filter:
- 25498: HTTP: Adobe Flash AMF Use-After-Free Vulnerability