In a story similar to many from the company’s history, Adobe has pushed out a new emergency update that patches many critical Flash Player bugs. In a security bulletin released yesterday, Adobe announced updates for Linux, Windows and Mac that fix several affected versions of Flash, including Flash Player for Chrome, Edge, Internet Explorer 11, and Linux. These ‘critical vulnerabilities’ were used to initiate some cyberattacks.
According to Adobe’s rating system, a “Critical” issue is the worst of them all, and means that a bug could let “malicious native-code to execute” on a user’s computer. Such took place as a result of this latest issue, with the security bulletin advising: “Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks.”
This time around, there are 23 Flash Player bugs being fixed by the newest update. Given its nature, Adobe is encouraging users to update Flash Player (assuming they have an affected version) immediately. Also affected is AIR for Android, AIR SDK, AIR Desktop Runtime, and AIR SDK & Compiler. According to the security bulletin, the following issues are fixed:
These updates resolve integer overflow vulnerabilities that could lead to code execution (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010). These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000). These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2016-1001). These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, CVE-2016-1005).
Of course, this assumes you still run Flash Player at all. Many websites and services have ditched Flash over its repeated vulnerabilities, and some browsers have disabled it by default, requiring the user to manually enable Flash Player. If you haven’t used it in a while and are concerned about your machine’s security, you could remove the software entirely rather than staying on top of patches.