A zero-day vulnerability in Adobe Flash Player 126.96.36.199 and earlier for Windows is currently being exploited by cybercriminals who social engineer users into clicking malicious links sent via email. In response to the flaw, which apparently affects only Internet Explorer users, Adobe released Flash Player 188.8.131.52.
The zero-day is actually a cross-site scripting (XSS) vulnerability that can be used to perform actions on a user’s behalf on any site. The attack succeeds only if the potential victim can be tricked into clicking the cleverly crafted link, but as practice shows, this is not a hard task for most cybercrooks.
Besides the XSS problem, six other vulnerabilities were identified. They affect not only users of Adobe Flash Player 184.108.40.206 and earlier versions for Windows, Mac, Solaris and Linux, but also some Android users.
Adobe Flash Player 220.127.116.11 and earlier versions for Android 4.x, and Adobe Flash Player 18.104.22.168 and earlier versions for Android 3.x and 2.x, were identified as containing the weaknesses.
The other flaws include a memory corruption vulnerability, a type confusion memory corruption vulnerability, an MP4 parsing memory corruption vulnerability, and a couple of security bypass flaws. Another memory corruption vulnerability, which affects only the Windows ActiveX control, also exists.
All of these security issues could allow an attacker to execute arbitrary code.
Among the individuals and companies who contributed to reporting the vulnerabilities we find Xu Liu of Fortinet's FortiGuard Labs, Bo Qu of Palo Alto Networks, Alexander Gavrun through TippingPoint's Zero Day Initiative, Eduardo Vela Nava of the Google Security Team, and Google.
Adobe Flash Player users are advised to update immediately to the latest version to make sure they’re protected against the malicious operations that have been spotted in the wild.
Adobe Flash Player 22.214.171.124 is available for download here.