No evidence of the second glitch being exploited in the wild

Jan 27, 2015 18:06 GMT

On Tuesday, Adobe published the full security advisory for version 16.0.0.296 of Flash Player, noting that the revision included a fix for a second vulnerability that was not reported as being exploited in the wild.

One of the security flaws repaired is the infamous CVE-2015-0311, reported by French security researcher Kafeine, which was used by the Angler exploit kit to infect user computers with Bedep, a piece of malware that performs ad fraud.

According to Adobe, it affects Flash Player 16.0.0.287 and below. Kafeine has warned that the exploit included in Angler works on all Windows systems running any version of Internet Explorer and Mozilla Firefox.

This vulnerability allows a threat actor to access memory after it has been freed, and it can lead to execution of arbitrary code on the affected machine.

The second weakness eliminated from Flash Player has been assigned the identifier CVE-2015-0312. It is a double-free vulnerability, which occurs when a pointer is freed twice. Successful exploitation can also lead to arbitrary code execution.

The discovery of CVE-2015-0312 has been credited to "bilou" from the Chromium Vulnerability Rewards Program.

The new Flash Player is delivered automatically to Google Chrome and Internet Explorer through their update mechanisms.

The same applies where the application has been set to receive fresh versions automatically. Manual installation of the software is also possible, using the resources provided by Adobe.