Microsoft and Adobe have rolled out patches to block a previously unknown flaw in Flash Player that is being used in targeted attacks.
The attacks are aimed at a select group of users running Flash in 32-bit Internet Explorer on Windows, according to Adobe, which released a fix as part of its regular monthly update aligned with Microsoft’s Patch Tuesday.
“Adobe is aware of a report that an exploit for CVE-2016-7892 exists in the wild, and is being used in limited, targeted attacks against users running Internet Explorer (32-bit) on Windows,” Adobe said.
There are no details as to what group is using the flaw, which was reported anonymously to Adobe.
This is the fifth Flash Player zero-day patched by Adobe this year. The previous one, in October, was also used in limited, targeted attacks, but against users running Windows 7, 8.1 and 10.
Adobe’s December update closes 17 flaws for Windows, macOS, Linux and Chrome OS. The update moves Flash Player for all browsers and platforms up to version 220.127.116.11. The last zero
The patch arrives on the heels of Google kicking off HTML5 by default in Chrome, which will add substantial pressure on websites to replace Flash content players with an HTML5 player.
Google said in August that it would disable Flash in Chrome 55, released earlier this month, except for sites that only support Flash. Chrome users would then be prompted to enable Flash on those sites.
Google enabled this feature for one percent of Chrome 55 users this week and half of its users on the Chrome 56 beta channel. In February, when Chrome 56 moves to a stable release, the feature will hit all users.
By October next year, Google will require all sites to gain user permission before running Flash in Chrome. Ahead of this, starting in January, Chrome users will be prompted to permit Flash for each new site they visit.
Adobe on Tuesday also released patches for Animate, Experience Manager Forms, DNG Converter, Experience Manager, InDesign, ColdFusion Builder, Digital Editions, and RoboHelp.