Adobe has issued an urgent out-of-band update for its popular Flash Player to plug a serious vulnerability that is currently being exploited by attackers.
The vulnerability allows arbitrary code execution because of a bug in how a dereferenced memory pointer is handled.
In its security bulletin for the vulnerability, which is rated as critical, Adobe said the updates for the Windows, Linux and Apple OS X versions of Flash Player "provide additional hardening" against the previous CVE-2014-8439 flaw that was patched over a month ago.
Exploit kit researcher Kafeine discovered the Flash vulnerability in the Angler set of attack tools in October this year, security vendor F-Secure said. Exploit kits are used to serve up malware to website visitors through deception as well as by taking advantage of vulnerabilities.
The vulnerability has since found its way into at least two more exploit kits, Astrum and Nuclear, according to F-Secure.
The vulnerability is found in Adobe Flash Player 15.0.223 and earlier versions, as well as 13.x and 220.127.116.118 and previous variants for Linux.
Adobe advised users to update the Flash Player desktop runtime for Windows and Apple OS X to 18.104.22.168.
Microsoft, which bundles Adobe Flash Player in its Internet Explorer 10 and 11 web browsers, has updated its security advisory 2755801 and issued an auto-update patch. The update applies to Windows 8, 8.1 and RT, as well as Windows Server 2012 and 2012 R2.
Google's Chrome web browser, which also comes with a built-in version of Adobe Flash Player, will auto-update as well, Adobe said.