Adobe Issues Patch for 23 Flash Flaws

As predicted earlier this week, Adobe has been forced to issue yet another patch for its much-targeted Flash Player, this time fixing 23 vulnerabilities.

APSB16-08 was issued yesterday and covers Windows, Macintosh and Linux platforms.

It’s a critical update that fixes heap overflow, use-after-free, integer overflow and memory corruption vulnerabilities.

One in particular, CVE-2016-1010, is already being used in limited, targeted attacks in the wild, according to Adobe.

In fact, it was that bug that prevented the update from being released on Tuesday, Adobe’s regular security update day, according to Qualys CTO Wolfgang Kandek.

“A successful exploit of this vulnerability gives the attacker Remote Code Execution on the target machine,” he explained in a blog post. 

“Attack vector includes malicious websites set up for the purpose of attack using Search Engine Poisoning, ‘normal’ websites that have been hacked and are under the control of the attacker, and e-mailed documents (Word, PDF) that include a malicious Flash component.”

Microsoft has also released a delayed update to take account of the Adobe fix: MS16-036.

“With that, we are changing our ranking for the security bulletins for this month – MS16-036 now takes the highest priority followed by MS16-023 for Internet Explorer,” said Kandek.

Flash is fast becoming marginalized on the web, in part because of its poor track record on security.

It’s not supported by iOS, Android or Windows Phone and will be switched off for display ads by Amazon and Chrome soon.

One positive from that may be the end of exploit kits, which currently rely heavily on exploiting vulnerabilities in the buggy Adobe software, according to F-Secure security adviser Sean Sullivan.

He wrote in the vendor’s annual threat report out this week that notorious EKs like Angler could become a thing of the past if Chrome and the other major browsers de facto scrap support for Flash.