Adobe patches exploited 0day Flash vulnerability

A total of 25 flaws taken care of in update.

Adobe has issued a security update for its Flash media player that plugs a large number of critical vulnerabilities including a zero-day bug that is currently being exploited by attackers. 

Adobe first warned users about the CVE-2016-4117 zero-day earlier this week. 

The flaw was found by Genwei Jian of security vendor FireEye. It is a type confusion vulnerability that can be used to crash Flash Player and remotely execute code.

Today's update handles another type confusion vulnerability, eight use-after-free flaws, 12 memory corruption bugs, and two buffer overflows, all of which could be used for remote code execution.

A further fix, for CVE-2016-4116, resolves a vulnerability in the directory search path used to find resources that could allow for the execution of code, Adobe said.

Adobe Flash versions 21.0.0.226 and earlier for Microsoft Windows and Apple OS X are vulnerable, and users are advised to upgrade to 21.0.0.242 as soon as possible.

Flash Player Extended Support Release 18.0.0.343 and earlier is also vulnerable, and Adobe has issued a patched 18.0.0.352 version. Flash Player for Linux (11.2.202.616 and earlier), the AIR Desktop Runtime, AIR software development kit and compiler (21.0.0.198 and earlier) are all vulnerable and should be updated.

Google and Microsoft have issued updates for the built-in Flash player in the Chrome, Edge and Internet Explorer 11 web browsers.

Copyright © iTnews.com.au . All rights reserved.