Adobe has issued a security update for its Flash media player that plugs a large number of critical vulnerabilities including a zero-day bug that is currently being exploited by attackers.
Adobe first warned users about the CVE-2016-4117 zero-day earlier this week.
The flaw was found by Genwei Jian of security vendor FireEye. It is a type confusion vulnerability that can be used to crash Flash Player and remotely execute code.
Today's update handles another type confusion vulnerability, eight use-after-free flaws, 12 memory corruption bugs, and two buffer overflows, all which could be used for remote code execution.
A further flaw, CVE-2016-4116, resolves a vulnerability in directory search paths used to find resources that could allow for the execution of code, Adobe said.
Adobe Flash versions 184.108.40.206 and earlier for Microsoft Windows and Apple OS X are vulnerable, and users are advised to upgrade to 220.127.116.11 as soon as possible.
Flash Player Extended Support Release 18.104.22.1683 and earlier is also vulnerable, and Adobe has issued a patched 22.214.171.1242 version. Flash Player for Linux (126.96.36.1996 and earlier), the AIR Desktop Runtime, AIR software development kit and compiler (188.8.131.52 and earlier) are all vulnerable and should be updated.
Google and Microsoft have issued updates for the built-in Flash player in the Chrome, Edge and Internet Explorer 11 web browsers.