Adobe has released an emergency security update to its Flash Player to fix multiple vulnerabilities rated as critical. One of the vulnerabilities is actively being exploited by hackers.
The vulnerability (CVE-2015-8651) affects all operating systems and allows a hacker to execute code remotely and take control of a victim's device. Adobe said that the flaw is being used “in limited, targeted attacks,” but users are advised to download the updated versions in order to stay secure. The flaw was reported to Adobe by Kai Wang and Hunter Gao of Huawei.
Other security flaws have also been resolved, such as a type confusion vulnerability (CVE-2015-8644), four memory corruption vulnerabilities (CVE-2015-8459, CVE-2015-8460, CVE-2015-8636, CVE-2015-8645), and thirteen use-after-free vulnerabilities (CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650). All allowed attackers to execute code on the user's machine.
The latest version of the Adobe Flash Player is available from Adobe's website. The patches were released out-of-band, meaning the flaws were deemed serious enough to warrant making the fixes available now instead of in Adobe's usual updates on the second Tuesday of the month.
Flash is becoming less popular thanks in part to Apple barring it from iOS devices. Facebook is the latest platform to move away from the deeply insecure technology in its video player.