Meet CVE-2016-7855, yet another zero-day vulnerability in Adobe Flash Player. Adobe has already released a security bulletin, APSB16-36, addressing the issue; Flash versions 184.108.40.206 and earlier are affected by the flaw. Linux users should keep in mind that Adobe Flash Player for Linux uses a separate version numbering system, and versions 220.127.116.117 and earlier are prone to the bug.
What Is CVE-2016-7855?
This vulnerability is a use-after-free flaw that allows an attacker to use a maliciously crafted Flash file to run malicious code on a targeted system. This would allow a number of threats to be dropped on the system. Unfortunately, the flaw has been leveraged in limited, targeted attacks on Windows.
As already mentioned, Adobe has issued an update to address the vulnerability. The patch brings Flash to the current version, 18.104.22.168. Thanks to its built-in update mechanism, Flash will either install the patch automatically or alert the user to proceed.
Furthermore, the versions of Flash integrated directly into the Google Chrome, Microsoft Edge and Internet Explorer browsers will get the updates via their own update mechanisms. Once more, for Adobe Flash Player for Linux, the current version is 22.214.171.1243.
This is Adobe’s statement:
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address a critical vulnerability that could potentially allow an attacker to take control of the affected system.
Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.