Adobe plugs 23 code execution holes in Flash

If you still use Flash, you will need to apply today's security update.
Written by Chris Duckett, Contributor

Adobe has released a security update for Flash that plugs 23 code execution vulnerabilities, one of which Adobe said it is aware of being used in the wild.

"Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks," the company said.

Of the security holes plugged today, three were integer overflows, 11 were use-after-free vulnerabilities, one was a heap overflow, and eight were memory corruption vulnerabilities.

The code execution flaws impact Flash users on Windows, OS X, Linux, and Chrome OS, with vulnerabilities in Adobe AIR hitting developers and users on Windows, OS X, Android, and iOS.

Adobe said users of Chrome, Internet Explorer on Windows 10 and 8, and Microsoft Edge browsers would be updated automatically, while other users should either be prompted to update Flash, or visit the Flash Player Download Center to download newly released versions.

Users of Adobe AIR should visit the AIR download page, while developers can update the SDK and compiler from the AIR developer page.

Google's Project Zero team discovered eight of today's vulnerabilities, HPE's Zero Day Initiative found eight, while Alibaba, Tencent, and Microsoft security teams found two each.

Kaspersky Lab uncovered the exploit that is currently being used in the wild.

Last month, Adobe pulled a Creative Cloud update that deleted user files from root directories on OS X.

Users who didn't have Adobe Creative Cloud set to automatically update, or didn't immediately download version, weren't affected by the bug, and Adobe has made the offending patch unavailable for download.
