Adobe today said it will patch Flash Player this week, addressing a vulnerability being exploited in “limited, targeted attacks.”
The flaw, CVE-2016-4171, exists in versions of Flash prior to, and including, 18.104.22.168 on Windows, Macintosh, Linux and ChromeOS platforms.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in its notification.
Adobe said that a patch for the bug, privately disclosed by Kaspersky Lab researcher Anton Ivanov, will be available as early as Thursday.
Initially, Adobe was expected to update Flash today as part of its scheduled Patch Tuesday release. Adobe did release updates for a number of other products lines instead, including the Adobe DNG Software Development Kit, Adobe Brackets, Adobe Creative Cloud Desktop Application, and hotfixes for ColdFusion.
The ColdFusion updates are the highest priority; they affect ColdFusion (2016 Release) Update 1, ColdFusion 11 Update 8 and earlier, and ColdFusion 10 Update 19 and earlier.
The hotfix, which is pushed to machines and does not require a reboot, patches CVE-2016-4159, an input validation vulnerability that could be used in reflected cross-site scripting attacks, Adobe said. This flaw is not under attack, Adobe said.
Adobe also patched a single vulnerability in its DNG SDK. DNG is Adobe’s proprietary image standard. The flaw is a memory corruption vulnerability that affects version 1.4 and earlier.
Adobe Brackets, the company’s open source code editor, was also patched against a pair of vulnerabilities, neither of which is under attack.
Adobe also patched two flaws in the Creative Cloud Desktop Application for Windows machines. Creative Cloud includes a suite of Adobe applications including Photoshop, Illustrator, InDesign and Premiere Pro.
Versions 22.214.171.124 and earlier are affected; the update patched an untrusted search path vulnerability in the installer, and an unquoted service path enumeration flaw in the application.