Adobe is expected to release a patch for a “critical” vulnerability in Flash Player in its upcoming monthly security update.
On Tuesday, the American multinational computer software company released a security advisory for Flash Player. In that bulletin, it discusses the vulnerability CVE-2016-4117.
“A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”
Adobe goes on to note its awareness of reports that the flaw, which was discovered by Genwei Jiang of FireEye, Inc., is currently being exploited in the wild.
Tuesday’s security advisory addresses only CVE-2016-4117, which has led to some confusion about how many bugs will be fixed in the upcoming Flash update.
“If information gleaned from [Microsoft’s account of the Flash Player update] MS16-064 is accurate, this Zero Day will be accompanied by 23 additional CVEs, with the release expected on May 12th,” writes security firm Shavlik, as quoted by Brian Krebs in a blog post. “With this in mind, the recommendation is to roll this update out immediately.”
CVE-2016-4117 represents just the latest flaw to affect Flash Player.
Back in the beginning of December, Adobe patched 79 critical Flash vulnerabilities affecting all platforms, including Windows, Macintosh, Google Chrome, Microsoft Edge, and Internet Explorer. Later that same month, the company released an out-of-band security update that patched an additional 19 critical vulnerabilities in Flash Player.
Adobe has announced it is working to rebrand Flash Professional as Animate. However, many in the industry feel this is a change in name only, which has led some experts (including Krebs) to recommend disabling Flash Player altogether.
“As far as Flash is concerned, the smartest option is probably best to hobble or ditch the program once and for all–and significantly increase the security of your system in the process.”
Those who are interested in uninstalling Flash Player can click here to learn more.
For the latest updates on CVE-2016-4117, Adobe recommends users monitor the Adobe Product Security Incident Response Team blog.
News of this upcoming patch broke on the same day that Microsoft issued 17 new security bulletins.