Adobe patched 31 vulnerabilities across nine different product lines Tuesday morning, including a zero-day vulnerability in Flash Player the company claims is being used in targeted attacks against Internet Explorer users on Windows.
That vulnerability (CVE-2016-7892) is one of 16 bugs in Flash that could lead to code execution if exploited. Currently, little is known about the exploit – it was anonymously reported – other than the fact that it’s a use-after-free vulnerability and that it’s being used in limited, targeted attacks against users running the 32-bit version of IE on Windows, according to a security bulletin issued by Adobe on Tuesday.
Users running any affected versions (18.104.22.1684 and 22.214.171.124 and prior) using Flash Player for Linux are encouraged to update to the new version (126.96.36.199) as soon as possible.
Today’s Flash zero-day is one of four critical vulnerabilities fixed by Adobe this month. The company also issued updates to address memory corruption vulnerabilities in Animate, a computer animation program it produces, DNG Converter, a free DNG conversion utility it distributes, and InDesign, its desktop publishing platform.
While the company said it wasn’t aware that any of those vulnerabilities were being exploited in the wild, it is nevertheless encouraging users to update to the latest Animate version (188.8.131.52), the latest DNG Converter version (9.8) and the latest InDesign and InDesign server version (12.0.0) to mitigate risk. Adobe claims all three vulnerabilities are critical but gives each one a priority of three, meaning the products aren’t historically targets for attackers.
Adobe also shipped patches for a handful of vulnerabilities it considers ‘important’ on Tuesday. Affected products include Experience Manager, part of its Marketing Cloud infrastructure; ColdFusion Builder; Digital Editions; and RoboHelp, a help authoring tool for Windows users.
The vulnerabilities could be used in cross-site scripting and cross-site request forgery attacks, and could also lead to information disclosure, memory address leaks and other outcomes, according to Adobe.
The update, part of the company’s regularly scheduled Patch Tuesday bulletins, comes a month after it patched nine code execution vulnerabilities in Flash Player. Unlike this month’s patches, none of November’s fixes resolved a publicly exploited flaw.
It’s the second time Adobe has patched a Flash zero-day under attack this fall. In October, two weeks prior to November’s Patch Tuesday, the company was forced to release an emergency update to address a vulnerability uncovered by members of Google’s Threat Analysis Group that attackers were leveraging against Windows 7, 8.1 and 10 users.