An actively exploited vulnerability in Adobe Flash Player has now been patched. The December 2016 Adobe update also fixes a further 16 critical Flash Player vulnerabilities, together with flaws in eight other Adobe products. In total, the latest round of updates addresses 31 separate vulnerabilities across nine Adobe products.
The December 2016 Flash Player update has been released for Windows, Macintosh, Linux, and Chrome OS. Users have been advised to apply it as soon as possible by upgrading to Flash Player 24.0.0.186 (the version number in the extracted text was garbled; this is the version Adobe's December 2016 bulletin lists). The Flash Player builds bundled with Google Chrome and Internet Explorer are patched by Google and Microsoft through their own update mechanisms, so users of those browsers should make sure the browser or operating system update has been installed rather than downloading the standalone player.
The 17 Flash Player vulnerabilities addressed in the December 2016 update are tracked under the following CVE identifiers: CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870, CVE-2016-7871, CVE-2016-7872, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7890, and CVE-2016-7892.
The actively exploited Flash Player vulnerability is tracked as CVE-2016-7892. Adobe has confirmed that an anonymous source reported the exploit, which is being used in targeted attacks against users running Internet Explorer on 32-bit Windows systems. Few details have been released, but the flaw is understood to be a use-after-free bug that can be leveraged for remote code execution, typically by luring the victim to a web page carrying a malicious SWF file.
This is the second actively exploited Flash Player vulnerability to be patched in the past three months. In October, Adobe issued an emergency out-of-band patch for an actively exploited vulnerability roughly two weeks ahead of its regular Patch Tuesday release.
The other updates address vulnerabilities rated ‘important’ in Adobe Animate, Experience Manager, Experience Manager Forms, ColdFusion Builder, Digital Editions and RoboHelp. Two vulnerabilities affecting DNG Converter and InDesign, however, are rated critical and should be addressed as a priority. Adobe does not believe either of these critical flaws is currently being exploited in the wild, and attackers have historically not targeted these products, but the updates should nonetheless be applied as soon as possible.