Adobe has released an out-of-bound patch for Flash Player due to a zero-day vulnerability. According to Adobe’s bulletin (APSB16-36), versions of Flash from 23.0.0.185 and earlier (released on October 11) are affected. (Adobe Flash Player for Linux uses a separate version numbering system; for that product versions 11.2.202.637 and earlier are vulnerable.) We urge all users who still have Flash installed to update to the version released today as soon as possible.
The vulnerability is a use-after-free vulnerability that has been designated CVE-2016-7855. An attacker could use a malicious Flash file to run malicious code on a user’s system, allowing various threats to be planted on the affected system. The bulletin noted that the vulnerability has been exploited in “limited, targeted attacks” against Windows users.
Adobe has released a Flash update which fixes this vulnerability. This update brings the current version of Flash to 23.0.0.205. The built-in update mechanism of Flash will either automatically install the update or prompt the user to do so. The versions of Flash that are integrated into Google Chrome and Microsoft Edge/Internet Explorer will receive updates via the update mechanisms of those browsers. For Adobe Flash Player for Linux, the current version is 11.2.202.643.
Trend Micro Deep Security and Vulnerability Protection protect user systems from any threats that may target this vulnerability via the following DPI rule:
- 1008003—Adobe Flash Player Use-After-Free Vulnerability
TippingPoint customers are protected from attacks exploiting these vulnerability with the following MainlineDV filter:
- 25498: HTTP: Adobe Flash AMF Use-After-Free Vulnerability
