Zero-day used against users running Windows 7, 8.1, and 10

Oct 26, 2016 16:20 GMT

Adobe today released Flash Player version 23.0.0.205, which fixes a critical security flaw discovered by two Google engineers. They say the flaw was used in attacks against Windows users in the wild.

The technical description of this security flaw is "a use-after-free vulnerability that could lead to code execution," which Adobe tracks under the CVE-2016-7855 identifier.

Adobe said an attacker had exploited this vulnerability in targeted attacks against users running Windows versions 7, 8.1 and 10.

Neel Mehta and Billy Leonard from Google's Threat Analysis Group discovered CVE-2016-7855, which appears to have been used in limited, targeted attacks of the kind specific to cyber-espionage (APT) groups.

Adobe releases emergency out-of-band Flash patch

Adobe Flash is embedded in Edge and recent IE versions, so the next Windows security update will fix Flash automatically. Chrome also embeds Flash, and updating Chrome to the latest version should fix the issue.

Users of other browsers, as well as Linux and Mac users, are advised to download and install the Flash update manually.

Neither Google nor Microsoft had issued security releases at the time of writing. Adobe's announcement of an out-of-band update came as a surprise to everyone. Adobe usually releases security updates together with Microsoft on Patch Tuesday, the second Tuesday of every month. Both companies are expected to issue emergency security updates in the following days.

Fourth Flash zero-day patched this year

Updates for Flash running on Windows, Mac, and Linux have been released and are available for download. The latest Adobe Flash Player version numbers are 23.0.0.205 for Windows and Mac, and 11.2.202.643 for Linux distros.

Adobe patched several Flash zero-days this year, including in June (used for cyber-espionage by the ScarCruft APT), May (used for targeted attacks and delivered via Office files with embedded Flash objects), and April (used for malvertising and pushing Cerber and Locky ransomware).