Adobe issued an update to Flash Player Thursday night to fix an active zero-day vulnerability, along with several other critical issues.
This is the second month in a row that Adobe has had to roll out an out-of-schedule update to fix an active flaw in Flash Player. The update covers 24 vulnerabilities, one of which, CVE-2016-1019, is known to be actively exploited on systems running Windows 10 and earlier with Flash Player version 126.96.36.1996 and earlier.
The CVE-2016-1019 vulnerability was spotted in the Magnitude Exploit Kit by Proofpoint researcher Kafeine and can allow remote code execution. In a lucky twist, Proofpoint noted that while the new exploit could theoretically work on any version of Flash, only older versions had been targeted.
“In other words, equipped with a weapon that could pierce even the latest armor, they only used it against old armor, and in doing so exposed to security researchers a previously unreported vulnerability. We refer to this type of faulty implementation as a ‘degraded’ mode, and it is something that we have observed in the past with CVE-2014-8439 and CVE-2015-0310 in Angler,” Kafeine wrote.
The problems affect Windows, Macintosh, Chrome and Linux. Adobe announced on April 5 that it would issue the patch, and it recommends that anyone using Flash upgrade to the latest version as soon as possible.