Adobe is racing out a patch for a previously undisclosed flaw in Flash Player that it says is being used in targeted attacks.
Adobe released security updates for several products but delayed its usual Patch Tuesday security update for Flash Player as it prepares a patch for a zero day that is being exploited in the wild. Adobe said it will release the Flash Player update as early as Thursday.
The critical flaw, marked as CVE-2016-4171, was being used in “limited, targeted attacks”, it said.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” the company noted.
The vulnerability affects Flash Player version 18.104.22.168 and earlier for Windows, Mac, Linux and Chrome OS.
This is the third consecutive month that Adobe has been required to patch a flaw in Flash after it was already being exploited. It similarly delayed a patch last month by two days due to a live exploit for Flash Player.
Targeted attacks are generally less of a concern for most browser users, however the risk increases once for-hire exploit kits integrate attacks for the flaw. This often happens within a few days of Adobe releasing patches for critical Flash Player flaws, enabling wide spread attacks from compromised websites or malicious ads.
Adobe on Tuesday also released patches for its DNG Software Development Kit, Adobe Brackets, the Creative Cloud Desktop Application, and Cold Fusion.
The company was not aware of publicly available exploits existing for any of the flaws in these products.
As it is Patch Tuesday, Microsoft released monthly security updates for its server, desktop and web products. The company released 16 bulletins covering 40 vulnerabilities.
While Microsoft was not aware of any zero days for its products, Wolfgang Kandek, CTO of security firm Qualys, highlighted several bugs that enterprise organisations should make a priority to fix.
These included a remote code execution bug on Microsoft’s DNS server. “Organizations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability,” wrote Kandek.
Another critical remote code execution bug in Microsoft Office should be addressed swiftly. The bug is present in Office RTF format and could be exploited just by sending a malicious file to the target.
“Since RTF can be used to attack through Outlook’s preview pane, the flaw is can be triggered with a simple e-mail without user interaction,” wrote Kandek.
- Adobe on QuickTime: You're up the creek without a paddle
- Adobe flags new Flash attack, but patches delayed until later this week
- Update now if you have Flash Player: Adobe has a patch for a zero day
- Kaspersky: We know the hackers behind latest Flash 0-day
- The week in security: Breach costs arrested but CISOs risk the axe over reporting