Another emergency patch fixes 'critical' Flash player flaw

Adobe Flash hit with zero day vulnerability again

Adobe has warned its customers to update Flash player software immediately, following the discovery of a 'critical' flaw that has already been exploited by malware.

The emergency security update released yesterday aims to fix a single vulnerability designated 'CVE-2016-7855'. This use-after-free memory flaw allows hackers to gain full remote access to a system when the user views a harmful flash-media file.

"Adobe is aware of a report that an exploit exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10," said Adobe in a blog post.

A security update has also been released as a precaution for macOS, Linux and ChromeOS operating systems.

Google Threat Analysis Group researchers Neel Mehta and Billy Leonard first spotted the flaw and reported it to Adobe, however an update could not be released before exploits had found their way onto user systems.

Adobe has recommended users update to the latest versions of Flash player, which will fix the flaw and prevent future attacks.

Desktop Flash software, as well as Flash players on Chrome, Microsoft Edge and Internet Explorer 11, using versions 23.0.0.185 and under, are vulnerable to the latest exploit.

Linux users on 11.2.202.637 and under should also update to the latest security patch.

The latest patch follows a similar 'critical' security patch that dropped earlier this month, as Adobe worked to fix 12 significant vulnerabilities affecting use-after-free memory flaws.

These latest security concerns will likely further justify calls from the security community to abandon the Flash player in favour of a more reliable and secure HTML5 format. Many high profile companies, such as Apple, have blocked older unfsafe versions of flash, however some have abandoned the buggy plugin completely.

Following an announcement in May, Google Chrome will begin auto-defaulting to HTML5 format on all but 10 high-traffic websites, such as YouTube and Facebook, by the end of the year.

Browser provider Mozilla announced in July that it would begin slowly blocking Flash content entirely on its Firefox platform, replacing it with HTML by 2017.

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.