Adobe released a Flash Player update containing patches for 36 vulnerabilities, including the zero-day CVE-2016-4171, a critical issue that was called out earlier this week as having been spotted hitting targets in the wild.
CVE-2016-4171 affects Flash Player version 18.104.22.168 and earlier in Adobe Desktop Runtime, Extended Support Release, Google Chrome, Microsoft Edge and Internet Explorer 11 and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system, Adobe said.
On Patch Tuesday on June 14 several security professionals expressed concern over CVE-2016-4171 with Kaspersky Lab's Costin Raiu saying in a blog post that the zero-day is being used by an APT gang called ScarCruft to hit several countries including, Russia, Nepal, South Korea, China, India, Kuwait and Romania.
Other issues that were patched include two vulnerabilities that could lead to code execution, six that resolve use-after-free vulnerabilities that could lead to code execution, three that could lead to heap buffer overflow vulnerabilities that could lead to code execution, one fixing a problem in the directory search path used to find resources that could lead to code execution and one that could be exploited to bypass the same-origin-policy and lead to information disclosure.
The remaining CVEs resolve memory corruption vulnerabilities that could lead to code execution.