An actively exploited code-execution bug in Flash media player has just been patched by Adobe with the release of an emergency update that addresses over two dozen critical vulnerabilities, ArsTechnica reports. “These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system,” Adobe said.
“Today Adobe released the security bulletin APSB16-08, crediting Kaspersky Lab for reporting CVE-2016-1010. The vulnerability could potentially allow an attacker to take control of the affected system. Kaspersky Lab researchers observed the usage of this vulnerability in a very limited number of targeted attacks.
At this time, we do not have any additional details to share on these attacks as the investigation is still ongoing. Even though these attacks are rare, we recommend that everyone get the update from the Adobe site as soon as possible”.
While advising Flash users to install the update as soon as possible, Adobe notes that it is aware of a report that “an exploit for CVE-2016-1010 is being used in limited, targeted attacks”. For those who aren’t aware, CVE-2016-1010 is the designation for an integer overflow vulnerability that allows attackers to remotely execute malicious code on vulnerable computers. The patch brings the latest version of Flash to 220.127.116.11 for Windows and Mac and 18.104.22.1687 for Linux.
We strongly advise all readers to uninstall the Flash, Java, and Silverlight browser extensions from their computers, and re-install / update to latest versions if necessary.