James Rowney, MCSE – server infrastructure service manager for Verismic Software
Adobe today released its previously announced update to Flash Player covering 25 critical vulnerabilities that if exploited could allow for remote code execution, including one now in the wild.
The headline vulnerability in this update is CVE-2016-4117 that Adobe confirmed does exist in the wild, but the company said it is not aware of reports that the vulnerability is being actively exploited. However, if the confusion vulnerabilities in CVE-2016-4117 were exploited they could potentially allow an attacker to take control of the affected system.
Security bulletin APSB16-15 covers systems running Windows, Macintosh, Linux and ChromeOS and nine versions of Flash Player and Air. Adobe warned the public on Patch Tuesday on May 10 that this update was coming through. The earlier updates covered 97 vulnerabilities.
"Bulletin APSB16-15 would normally have been released in line with Microsoft patch Tuesday releases and one of the CVE's is actually referenced in MS16-064. It seems that the reason for pulling this update from their patch Tuesdays release this week was to address a last minute vulnerability which is not covered by their Microsoft counterpart," James Rowney, server infrastructure service manager for Verismic Software, told SCMagazine in an email.
The other patches resolved several different vulnerabilities including, use-after-free, memory corruption and heap buffer overflow all of which could lead to remote code execution.Updated with James Rowney's quote.