Flash Hit by Another Zero-Day Vulnerability

Like a sailor, desperately panning water out of a sinking ship, Adobe has released an out-of-bound patch for yet another zero-day vulnerability in its Flash Player software. Versions of Flash affected by the vulnerability are those released on 11th October and earlier, from version 23.0.0.185 (or version 11.2.202.637 on Linux).

“The vulnerability is a use-after-free vulnerability that has been designated CVE-2016-7855,” reports Trend Micro. “An attacker could use a malicious Flash file to run malicious code on a user’s system, allowing various threats to be planted on the affected system. The bulletin noted that the vulnerability has been exploited in “limited, targeted attacks” against Windows users.”

“Adobe has released a Flash update which fixes this vulnerability,” Trend Micro explains. “This update brings the current version of Flash to 23.0.0.205. The built-in update mechanism of Flash will either automatically install the update or prompt the user to do so. The versions of Flash that are integrated into Google Chrome and Microsoft Edge/Internet Explorer will receive updates via the update mechanisms of those browsers. For Adobe Flash Player for Linux, the current version is 11.2.202.643.”

If you are still using Flash, then you should update the software immediately, then make a sacrificial offering to the Gods of HTML5.