Adobe today said it will patch Flash Player this week, addressing a vulnerability being exploited in “limited, targeted attacks.”
The flaw, CVE-2016-4171, exists in versions of Flash prior to, and including, 21.0.0.242 on Windows, Macintosh, Linux and ChromeOS platforms.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in its notification.
Adobe said that a patch for the bug, privately disclosed by Kaspersky Lab researcher Anton Ivanov, will be available as early as Thursday.
Initially, Adobe was expected to update Flash today as part of its scheduled Patch Tuesday release. Adobe did release updates for a number of other products lines instead, including the Adobe DNG Software Development Kit, Adobe Brackets, Adobe Creative Cloud Desktop Application, and hotfixes for ColdFusion.
The ColdFusion updates are the highest priority; they affect ColdFusion (2016 Release) Update 1, ColdFusion 11 Update 8 and earlier, and ColdFusion 10 Update 19 and earlier.
The hotfix, which is pushed to machines and does not require a reboot, patches CVE-2016-4159, an input validation vulnerability that could be used in reflected cross-site scripting attacks, Adobe said. This flaw is not under attack, Adobe said.
Adobe also patched a single vulnerability in its DNG SDK. DNG is Adobe’s proprietary image standard. The flaw is a memory corruption vulnerability that affects version 1.4 and earlier.
Adobe Brackets, the company’s open source code editor, was also patched against a pair of vulnerabilities, neither of which is under attack.
The update is for Windows, Macintosh and Linux machines and patches a JavaScript injection flaw, and a flaw in the Brackets extension manager. Versions 1.6 and earlier are affected, and Adobe urges users to update to 1.7.
Adobe also patched two flaws in the Creative Cloud Desktop Application for Windows machines. Creative Cloud includes a suite of Adobe applications including Photoshop, Illustrator, InDesign and Premiere Pro.
Versions 3.6.0.248 and earlier are affected; the update patched an untrusted search path vulnerability in the installer, and an unquoted service path enumeration flaw in the application.
