Adobe has issued a security update for its Flash media player that plugs a large number of critical vulnerabilities including a zero-day bug that is currently being exploited by attackers.
Adobe first warned users about the CVE-2016-4117 zero-day earlier this week.
The flaw was found by Genwei Jian of security vendor FireEye. It is a type confusion vulnerability that can be used to crash Flash Player and remotely execute code.
Today's update handles another type confusion vulnerability, eight use-after-free flaws, 12 memory corruption bugs, and two buffer overflows, all which could be used for remote code execution.
A further flaw, CVE-2016-4116, resolves a vulnerability in directory search paths used to find resources that could allow for the execution of code, Adobe said.
Adobe Flash versions 220.127.116.11 and earlier for Microsoft Windows and Apple OS X are vulnerable, and users are advised to upgrade to 18.104.22.168 as soon as possible.
Flash Player Extended Support Release 22.214.171.1243 and earlier is also vulnerable, and Adobe has issued a patched 126.96.36.1992 version. Flash Player for Linux (188.8.131.526 and earlier), the AIR Desktop Runtime, AIR software development kit and compiler (184.108.40.206 and earlier) are all vulnerable and should be updated.
Google and Microsoft have issued updates for the built-in Flash player in the Chrome, Edge and Internet Explorer 11 web browsers.