On Monday, December 28, Adobe released an emergency security update that fixes 19 vulnerabilities in Flash Player. The discovered flaws could be used by hackers to execute malicious code on a victim’s computer and gain full control of it. All Flash Player users, on all existing operating systems, were at risk.
Adobe’s emergency patch, APSB16-01, contains fixes for 19 security vulnerabilities. The company has also confirmed that one of the 0-day vulnerabilities (CVE-2015-8651) has been exploited in targeted attacks.
The fixed security issues include errors related to type confusion, integer overflow, memory corruption and use-after-free (UAF).
A total of 19 security issues are fixed by this emergency patch, including 13 use-after-free vulnerabilities. By taking advantage of these security holes, an attacker could execute arbitrary code on the target’s system via a specially crafted .swf file.
The vulnerability affects the following versions of Flash Player:
The developers recommend that all Flash Player users install the update. The versions of Adobe Flash Player integrated into Google Chrome, Internet Explorer for Windows 8.X, and Microsoft Edge and Internet Explorer for Windows 10 will be updated automatically.
In addition, experts from Positive Technologies recommend using specialized protection against cyber threats. For example, the MaxPatrol 8 security and standards-compliance control system can successfully detect attempts to exploit these vulnerabilities.
Let’s not forget that Adobe is planning to abandon Flash Player technology and encourages all developers to move to modern web standards like HTML5. Flash Player is known for its large number of vulnerabilities, which are constantly exploited by hackers to install malware.