Adobe issues emergency patch for critical Flash vulnerabilities

Just weeks after its biggest security update of the year, Adobe issued emergency patches for a new round of Flash bugs, including one already being exploited by attackers.

Adobe this week released a series of emergency patches for Flash vulnerabilities, including a critical vulnerability that is already being exploited in the wild.

The emergency patches address a total of 19 Flash vulnerabilities, the most pressing of which involves an integer overflow vulnerability that Adobe said could allow attackers to execute code. Adobe acknowledged that the vulnerability, identified as CVE-2015-8651, has already been leveraged by attackers.

"Adobe is aware of a report that an exploit for CVE-2015-8651 is being used in limited, targeted attacks," the company wrote on its security blog. "Adobe recommends users update their product installations to the latest version using the instructions referenced in the security bulletin."

Initial news reports said CVE-2015-8651 was reported to Adobe by Kai Wang and Hunter Gao of the Chinese networking firm Huawei, which has come under fire in recent years for its close ties to the Chinese government. However, a subsequent update to the Flash security bulletin removed the acknowledgement for CVE-2015-8651 and any mention of Wang and Gao. No explanation was given by Adobe for the removal.

The emergency patches for Flash in this week's security bulletin also cover a type confusion vulnerability, four memory corruption vulnerabilities and 13 use-after-free vulnerabilities. Like the CVE-2015-8651 vulnerability, all 18 could allow code execution.

This week's patches cap off a difficult year in which security experts and technology professionals have renewed their calls for Adobe to kill Flash once and for all. In October, Adobe released an emergency patch for Flash vulnerabilities that were being exploited in a series of attacks on foreign ministries. And over the summer, officials from Facebook and Mozilla issued scathing rebukes of Adobe after another out-of-band security update was issued following the discovery of more Flash vulnerabilities in the Hacking Team data breach.

In addition, this week's emergency patches come just three weeks after Adobe issued its largest security update of the year, which addressed a total of 79 critical vulnerabilities. With Adobe's recent decisions to support HTML5 development and to rename Flash Professional CC as Animate CC, security experts have speculated that the end of Flash may be coming sooner rather than later.



Join the conversation

3 comments


How have recent Flash vulnerabilities affected your organization and its security program?

And, as a result, very annoying weekly updates that require restarting the PC. This model sucks. There has to be something better for cars and IoT.

Until disaster strikes people will continue to use Flash. That or sites stop supporting it. We all have to learn the hard way.
