Adobe has pushed out a patch for 25 vulnerabilities in Flash Player, including one that is already being targeted in the wild.
The latest fix for the internet's screen door includes a remedy for CVE-2016-4117, the remote code execution flaw that is already being exploited by criminals serving up malware-laden advertisements.
The May update should be considered a top priority for Flash Player on Windows, OS X, and Linux. Microsoft and Google are pushing their own Flash Player updates for IE11 and Edge, and for Chrome, respectively.
All 25 of the CVE-listed vulnerabilities addressed in this month's update could allow for remote code execution if exploited:
- CVE-2016-4117 is one of two type confusion vulnerabilities in the update, the other being CVE-2016-1105.
- CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110 are use-after-free errors.
- CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110 all stem from memory corruption vulnerabilities.
- CVE-2016-1101 is a heap buffer overflow vulnerability, while CVE-2016-1103 is a buffer overflow.
- CVE-2016-4116 was described by Adobe as a "vulnerability in the directory search path" that could allow remote code execution.
The updated version of Flash Player for IE, Edge, and Chrome for Windows, OS X and Linux is 22.214.171.124. For Flash Player Desktop Runtime, the updated version is also 126.96.36.199, and for Extended Support Release it is 188.8.131.522. Adobe Flash Player for Linux (not the Chrome plug-in) and Adobe AIR have also been updated, though Adobe lists those fixes as lower priorities.
The Adobe update comes just two days after Microsoft issued its May round of bulletins, including eight that fix critical vulnerabilities in Internet Explorer, Office, Edge and Windows. ®