Adobe today released an emergency Flash Player update that includes a patch for a vulnerability being exploited in targeted attacks.
The vulnerability, CVE-2016-7855, was privately disclosed by Neel Mehta and Billy Leonard of the Google Threat Analysis Group. Mehta was one of four researchers credited with finding and disclosing in 2014 the Heartbleed vulnerability. Heartbleed was one of a string of Internet-wide vulnerabilities that was disclosed in 2014 and 2015; it was found in OpenSSL and allowed an attacker to read memory from encrypted sessions.
Adobe said it had no insight into the targeted attacks abusing the Flash zero day; a request for comment from Mehta was not returned in time for publication.
“Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10,” Adobe said in its advisory.
The vulnerability affects Windows, Linux and Mac desktop versions of Flash 23.0.0.185 and earlier, as well as Flash Player for Google Chrome, and Microsoft Edge and Internet Explorer on Windows 10 and 8.1.
Adobe said the flaw is a use-after-free vulnerability, and that users should update to version 23.0.0.205 on all platforms. Use-after-free vulnerabilities are memory corruption issues that expose systems to code execution. Attackers exploit these vulnerabilities by attempting to access memory after it has been freed; attacks can result in a system crash or code execution.
Adobe has updated Flash numerous times this year, including monthly releases every month this year save for August. Today’s emergency release is the fourth such update this year; Adobe also patched zero days under attack in April, May and June.
