Adobe this week released a series of emergency patches for Flash vulnerabilities, including a critical vulnerability...
that is already being exploited in the wild.
The emergency patches address a total of 19 Flash vulnerabilities, the most pressing of which involves an integer overflow vulnerability that Adobe said could allow attackers to execute code. Adobe acknowledged that the vulnerability, identified as CVE-2015-8651, has already been leveraged by attackers.
"Adobe is aware of a report that an exploit for CVE-2015-8651 is being used in limited, targeted attacks," the company wrote on its security blog. "Adobe recommends users update their product installations to the latest version using the instructions referenced in the security bulletin."
Initial news reports said CVE-2015-8651 was reported to Adobe by Kai Wang and Hunter Gao of the Chinese networking firm Huawei, which has come under fire in recent years for its close ties to the Chinese government. However, a subsequent update to the Flash security bulletin removed the acknowledgement for CVE-2015-8651 and any mention of Wang and Gao. No explanation was given by Adobe for the removal.
The emergency patches for Flash in this week's security bulletin also cover a type confusion vulnerability, four memory corruption vulnerabilities and 13 use-after-free vulnerabilities. Like the CVE-2015-8651 vulnerability, all 18 could allow code execution.
This week's patches cap off a difficult year in which security experts and technology professionals have renewed their calls for Adobe to kill Flash once and for all. In October, Adobe released an emergency patch for Flash vulnerabilities that were being exploited in a series of attacks on foreign ministries. And over the summer, officials from Facebook and Mozilla issued scathing rebukes of Adobe after another out-of-band security update was issued following the discovery of more Flash vulnerabilities in the Hacking Team data breach.
In addition, this week's emergency patches come just three weeks after Adobe issued its largest security update of the year, which addressed a total of 79 critical vulnerabilities. With Adobe's recent decisions to support HTML5 development and to rename Flash Professional CC as Animate CC, security experts have speculated that the end of Flash may be coming sooner rather than later.
Read more about the lessons learned from the Adobe data breach
Find out why HTML5 must replace Adobe Flash
Find out why Flash vulnerabilities were a tipping point for Facebook and Mozilla