The updated version of Flash Player for Windows and Mac, as well as Flash Player that ships with Chrome, Edge and Internet Explorer 11 is 220.127.116.11. The updated version for Linux is 18.104.22.1681.
Adobe said that an attacker had an exploit for the flaw but that it was not aware of the bug being actively exploited.
The company promised it would release a fix for the flaw, tagged as CVE-2016-4117, along with its monthly update for Flash Player by 12 May, so it did meet its deadline.
The update also isn’t particularly large by Flash Player standards, however, as Sophos senior security advisor Paul Ducklin noted, it’s the third month in a row that attackers have found critical bugs in Flash Player before Adobe has managed to patch it.
The steady stream of Flash Player zero days are one reason security experts advise users to uninstall Flash Player.
The fix for the zero day plus another bug addresses a type confusion vulnerability that could lead to code execution, said Adobe. The remaining 24 bugs include buffer overflow and memory corruption issues though Adobe notes that all could allow an attacker to take over a vulnerable system.
Adobe recommends updating Flash Player on all platforms immediately.
- Adobe flags new Flash attack, but patches delayed until later this week
- The week in security: Cybersecurity strategy enlists private sector; AI to complement human security intelligence
- Google outlines how it will kill Adobe Flash Player
- Adobe’s latest Flash zero-day targeted Microsoft Office users
- Adobe: Flash Player under attack again, patch on its way
- Kaspersky: We know the hackers behind latest Flash 0-day
- IDG Security Day – Australia leads the world in infosec