Emergency Update Coming for Flash Vulnerability Under Attack

Adobe will release an emergency Flash Player update as soon as Thursday, patching a critical vulnerability that is being publicly attacked.

Adobe said the vulnerability is in version 21.0.0.197 and earlier for Windows, Mac OS X, Linux and Chrome OS.

“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in an advisory published late this afternoon.

Adobe said that a mitigation introduced on March 10 in Flash 21.0.0.182 protects users against attack; users are urged to update immediately. Adobe said active attacks using CVE-2016-1019 are targeting Windows 7 and Windows XP systems running Flash 20.0.0.306 and earlier.

French researcher Kafeine, who publishes updates on exploit kits on his personal site, is one of three researchers credited with disclosing the bug to Adobe, along with FireEye’s Genwei Jiang and Google’s Clement Lecigne.

Kafeine told Threatpost he would not comment before the availability of a patch.

The March 10 Flash Player update was part of Adobe’s regular monthly security update cycle. It patched 18 remote code execution flaws, including one, CVE-2016-1010, being exploited in the wild.

Discussion

  • Ryan on

    You say version 21.0.0.197 and prior are vulnerable but there is a mitigation for attacks in version 21.0.0.182? What is the mitigation?
    • scifibri on

      Very confusing indeed
    • SubSurge on

      Remove Flash. =)
  • Niki on

    Flash is practically the peak of graphics for the web, and this is making it a very interesting target for very shady people, some of whom are even connected to large companies which wish Flash out of the market, because they wanna enforce the sh*tty HTML5 crapware on the users. The users have to understand that Flash is the thing which is making the web free and clean, user friendly and high performing multimedia aligned. If someone is saying anything opposite - he is mostly deceiving the users for his and his company's good, but not for the end user's good.
    • SubSurge on

      Spotted the Flash malware coder. Any software as ridden with security holes as Adobe Flash needs to die. Period. 151 cataloged vulnerabilities this year alone according to cvedetails.com. Such software is the bane of the web, not the king.
  • Richa @ Homesecuritylist on

    Thanks for the update. In fact, I was facing a Flash problem for quite some time and I’m not sure whether this new update is somehow related to that.
  • Iñaki on

    From Advisory: "Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier. A mitigation introduced in Flash Player 21.0.0.182 currently prevents exploitation of this vulnerability, protecting users running Flash Player 21.0.0.182 and later." The vulnerability is not in the last version of Flash
  • Anonymous on

    Thank you!
  • flash on

    FLASH MUST DIE.
