14 DAY TRIAL // Adobe announced today another zero-day vulnerability in its Flash Player application, which the company says attackers are using in real-world attacks.
Adobe rated the vulnerability (CVE-2016-4117) as critical and said it affects Adobe Flash Player 21.0.0.226 and earlier versions, running on Windows, Macintosh, Linux, and Chrome OS.
The company promised a patch for Flash on Thursday, May 12. Adobe also says the vulnerability is serious, allowing an attacker to crash Flash Player in an unsafe manner that could allow an attacker to take control of the affected system.
The company did not mention it, but this looks like a RCE (remote code execution) vulnerability, which most critical Flash bugs tend to be. But, we're speculating.
Adobe credited Genwei Jiang, a security researcher from FireEye for discovering the vulnerability. Jiang, together with Proofpoint researchers, also discovered a similar Flash zero-day last month. For that case, attackers used the zero-day to deliver the Cerber and Locky ransomware families.
Besides the Flash zero-day pre-patch announcement, Adobe also released security fixes for two products today.
The company pushed a hotfix for the ColdFusion application server platform that fixed three security issues: CVE-2016-1113, CVE-2016-1114, and CVE-2016-1115.
Additionally, Adobe Acrobat and Reader also received a whopping 92 security patches that addressed all sorts of vulnerabilities, ranging from memory corruption issues to use-after-free vulnerabilities.