An emergency Flash Player update has been issued by Adobe to plug a critical vulnerability that is currently being exploited in the wild. The flaw – which is being tracked as CVE-2016-7855 – is a use-after-free error that could be used for arbitrary code execution. Successful exploitation could allow attackers to take full control of an affected system.
The update has been released for Windows, Macintosh, Linux, and Chrome OS, although the exploit identified in the wild is being used to target Windows users (versions 7, 8.1, and 10). Due to the high risk of attack, users are advised to update Adobe Flash at the earliest opportunity.
Attacks most commonly take place when users with outdated Flash versions visit compromised websites. However, even with careful browsing, attacks can still occur. Many legitimate websites host third-party adverts, and attackers use these advertising networks to display malicious adverts. These adverts, which direct users to malicious websites, are often placed on high-traffic websites.
One of the best forms of defense is to disable Flash Player altogether or to configure browsers to require users to manually activate Flash (click-to-play) as required. However, this places some reliance on end users being able to identify “safe websites”. For added protection, web filtering solutions can be used to block malicious adverts from being displayed and to carefully control the websites that employees can visit.
While the majority of attacks take place via malvertising or malicious websites, attackers are increasingly exploiting Flash vulnerabilities via malicious Word files sent as email attachments. Embedded Flash content is set to run when the email attachments are opened. A robust spam filtering solution can reduce the risk from email-based attacks.
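One way a mail gateway or incident responder can triage Word attachments for embedded Flash, as an added example that is not part of the original article: a .docx is a zip container, and Flash arrives in it either as an ActiveX control referencing the Shockwave Flash CLSID (D27CDB6E-AE6D-11CF-96B8-444553540000, the control's registered class id) or as an embedded part that starts with an SWF signature (FWS, CWS or ZWS). The sample document is constructed in memory for the demonstration and is not a real attachment.

```python
import io
import zipfile

# CLSID of the Shockwave Flash ActiveX control as registered by Adobe Flash Player.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# Magic bytes of uncompressed, zlib-compressed and LZMA-compressed SWF files.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_embedded_flash(docx_bytes: bytes) -> list:
    """Return findings ('part name: reason') for a .docx supplied as bytes.

    Two indicators are checked: an ActiveX part that references the Flash CLSID,
    and any embedded part whose content begins with an SWF signature.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return ["not an OOXML (zip) container"]
    for info in archive.infolist():
        name = info.filename
        data = archive.read(name)
        if name.startswith("word/activeX/") and name.endswith(".xml"):
            if FLASH_CLSID.lower() in data.decode("utf-8", "replace").lower():
                findings.append(f"{name}: ActiveX control with Flash CLSID")
        if name.startswith("word/embeddings/") and data[:3] in SWF_MAGICS:
            findings.append(f"{name}: embedded SWF ({data[:3].decode()})")
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Build a minimal, constructed .docx-like zip for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            # Constructed ActiveX part naming the Flash control, and a fake
            # zlib-compressed SWF ("CWS" header followed by filler bytes).
            z.writestr(
                "word/activeX/activeX1.xml",
                f'<ax:ocx ax:classid="{{{FLASH_CLSID}}}" xmlns:ax="urn:example"/>',
            )
            z.writestr("word/embeddings/oleObject1.bin", b"CWS\x0a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("flash", build_sample_docx(True))):
        print(label, find_embedded_flash(doc) or "no Flash indicators")
```

This is a first-pass filter, not a complete detector: Flash can also be wrapped inside an OLE compound file or delivered in RTF rather than OOXML, so a gateway rule should treat a hit as a reason to quarantine and pair the check with the spam filtering the article recommends rather than rely on it alone.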
If Flash is installed on any computers on your network, the emergency Flash Player update should be applied as soon as possible. Vulnerable versions of Adobe Flash are detailed below:
Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 versions 22.214.171.124 and earlier. Adobe Flash Player for Linux versions 126.96.36.1997 and earlier.
Windows, Macintosh, and Chrome OS users should upgrade to version 188.8.131.52. Linux users should upgrade to version 184.108.40.2063. Microsoft Edge and Internet Explorer 11 should be updated automatically to the new version.
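A small inventory audit that ties together the two recommendations above (update every host still on a vulnerable build, and enforce click-to-play where Flash must stay), added here as an example and not code from the article or from Adobe. The version thresholds and host records are constructed for the demonstration; substitute the patched version numbers from Adobe's bulletin for your platform. The one non-obvious point it shows is that version strings must be compared numerically, since a plain string comparison ranks "9.0.0.1" above "11.2.0.0".

```python
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted version string into a tuple of ints for numeric comparison.

    Comma separators are accepted as well, because Flash's own version strings
    (for example the CurrentVersion registry value) are written "23,0,0,185".
    """
    return tuple(int(part) for part in version.strip().replace(",", ".").split("."))


def is_vulnerable(installed: str, patched: str) -> bool:
    """True when the installed build is older than the first patched build."""
    return parse_version(installed) < parse_version(patched)


def audit(inventory: List[Dict], patched: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort hosts into three buckets.

    'update': Flash older than the patched version for the host's platform.
    'click_to_play_missing': Flash is patched but the browser still runs it
        automatically, so the host is exposed to the next zero-day.
    'ok': Flash absent, or patched and restricted to click-to-play.
    """
    result: Dict[str, List[str]] = {"update": [], "click_to_play_missing": [], "ok": []}
    for host in inventory:
        version: Optional[str] = host.get("flash_version")
        if version is None:
            result["ok"].append(host["name"])  # Flash not installed: best outcome
            continue
        if is_vulnerable(version, patched[host["platform"]]):
            result["update"].append(host["name"])
        elif not host.get("click_to_play", False):
            result["click_to_play_missing"].append(host["name"])
        else:
            result["ok"].append(host["name"])
    return result


# Constructed sample data: these version numbers are illustrative placeholders,
# not the values from Adobe's bulletin.
SAMPLE_PATCHED = {"windows": "20.0.0.100", "linux": "10.2.100.50"}
SAMPLE_INVENTORY = [
    {"name": "ws01", "platform": "windows", "flash_version": "19.0.0.245", "click_to_play": True},
    {"name": "ws02", "platform": "windows", "flash_version": "20,0,0,100", "click_to_play": False},
    {"name": "ws03", "platform": "windows", "flash_version": "9.0.0.1", "click_to_play": True},
    {"name": "dev01", "platform": "linux", "flash_version": "10.2.100.50", "click_to_play": True},
    {"name": "kiosk", "platform": "windows", "flash_version": None},
]

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY, SAMPLE_PATCHED).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "update" bucket are the urgent ones; the "click_to_play_missing" bucket is the follow-up work that reduces exposure to the next Flash zero-day rather than this one.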