Adobe has released a security update to address a vulnerability in Flash Player. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.
“Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10,” the company stated in a security bulletin Wednesday.
The vulnerability, tracked as CVE-2016-7855 in the CVE database, is a use-after-free error that could lead to arbitrary code execution. According to OWASP, use-after-free errors occur when a program continues to use a pointer after it has been freed. Use of such memory can result in error conditions and other unexpected behavior. Such errors can stem from confusion over which part of the program is responsible for freeing the memory, and the consequences range from system crashes to arbitrary code execution.
This vulnerability exists in Adobe Flash Player versions 220.127.116.11 and earlier for Windows, Macintosh, Linux and Chrome OS. Also affected are versions 18.104.22.1687 and earlier of Adobe Flash Player for Linux. Users are advised to upgrade to Flash Player 22.214.171.124 on Windows and Mac and to version 126.96.36.1993 on Linux. The Flash Player runtime bundled with Google Chrome and Microsoft Edge or Internet Explorer 11 on Windows 10 and 8.1 will be updated automatically.
Adobe credited Neel Mehta and Billy Leonard, two security researchers belonging to Google’s Threat Analysis Group, for discovering and reporting the flaw. Adobe has updated Flash various times this year. Today’s emergency release is the fourth such update this year; Adobe also patched zero days under attack in April, May and June.