
Patch Tuesday: Adobe Flash Player patch on the way, Acrobat, Reader fixes issued

Adobe's May Patch Tuesday offering featured just a single bulletin, APSB16-14, that contained 97 CVEs for its Acrobat and Reader product lines, and the company also sent out an advisory for a Flash Player update expected to be released later this week.

Adobe wrote that the Flash Player update, which may come as early as May 12, will fix CVE-2016-4117, which is currently being exploited in the wild. The vulnerability exists in Flash Player version 21.0.0.226 on Windows, Macintosh, Linux, and Chrome OS and, if exploited, could cause a crash and potentially allow an attacker to take control of the affected system.

“Adobe Flash Player only released an advisory today, but it included high-level details of a vulnerability that has been detected in exploits in the wild. If information gleaned from MS16-064 is accurate, this Zero Day will be accompanied by 23 additional CVEs, with the release expected on May 12,” said Shavlik product manager Chris Goettl in an email to SCMagazine.com.

Michael Gray, vice president of technology at Thrive Networks, told SCMagazine.com by email that he is not surprised another Flash update is imminent.

"At this point, we should be wondering when Flash will just disappear. It's dying a slow death and it's not a surprise to see yet another critical update," he said. "Many application firewalls can disable Flash and it is recommended to do this. Fortunately, many of the mainstream browsers have already disabled Flash for outdated versions."

The majority of the fixes issued today address problems that could lead to remote code execution, while a few resolve memory leak vulnerabilities, an information disclosure issue, various methods to bypass restrictions on JavaScript API execution, and vulnerabilities in the directory search path.
