A newly discovered zero-day vulnerability in Adobe Flash Player is being exploited by attackers in the wild. Adobe released a Security Bulletin (APSB16-36) yesterday which patches the vulnerability (CVE-2016-7855).
The critical vulnerability affects Adobe Flash Player 23.0.0.185 and earlier versions for the following operating systems:
- Windows
- Mac
- Linux
- Chrome OS
According to Adobe, an exploit for the vulnerability exists in the wild and is being used in limited, targeted attacks against users running Windows versions 7, 8.1, and 10.
Mitigation advice
Flash Player users are advised to immediately update to the latest version. Since this vulnerability is already being exploited in the wild, users should make updating this software a priority.
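Deciding who still needs the update comes down to comparing installed versions against the "23.0.0.185 and earlier" boundary Adobe gives. The following Python helper is an added example (not part of the advisory and not Adobe's code) that parses dotted version strings numerically, so that a build such as 23.0.0.9 is correctly ranked below 23.0.0.185 rather than being mis-sorted by a string comparison, and triages a constructed inventory of host names and reported versions. All host names and the sample version values are hypothetical.

```python
# Added example (not from the advisory): flag Flash Player versions that fall
# within the range Adobe describes as affected by CVE-2016-7855 (23.0.0.185
# and earlier), for triaging an inventory export of installed versions.

import re

# Boundary from the advisory: 23.0.0.185 and earlier are affected.
LAST_AFFECTED_VERSION = "23.0.0.185"


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '23.0.0.185' into a tuple of ints.

    Raises ValueError for strings that are not purely numeric dotted
    components, so suffixes like '-beta' are never silently accepted.
    """
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, last_affected: str = LAST_AFFECTED_VERSION) -> bool:
    """Return True if `version` is at or below the last affected version.

    Shorter tuples are zero-padded so '23.0' compares as 23.0.0.0.
    """
    a, b = parse_version(version), parse_version(last_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def triage(inventory: dict) -> dict:
    """Map host -> 'affected' / 'patched' / 'unknown'.

    `inventory` is {host: version_string_or_None}. Hosts with no reported
    Flash version or an unparsable string are reported as 'unknown' rather
    than being silently treated as safe.
    """
    result = {}
    for host, version in inventory.items():
        if not version:
            result[host] = "unknown"
            continue
        try:
            result[host] = "affected" if is_affected(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hypothetical host names and version values).
SAMPLE_INVENTORY = {
    "ws-01": "23.0.0.185",       # the last affected build named in the advisory
    "ws-02": "23.0.0.205",       # hypothetical later build, outside the range
    "ws-03": "22.0.0.211",       # hypothetical older build, affected
    "ws-04": "23.0.0.9",         # string comparison would rank this above .185
    "ws-05": None,               # Flash not installed or not reported
    "ws-06": "23.0.0.185-beta",  # unparsable suffix, reported as unknown
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it the version column of whatever software-inventory export you have; anything it reports as "unknown" deserves a manual look rather than being assumed patched.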
Users who have yet to patch can temporarily disable Adobe Flash in the browser by taking the following steps:
Internet Explorer versions 10 and 11
- Open Internet Explorer
- Click on the Tools menu, and then click Manage add-ons
- Under “Show”, select All add-ons
- Select Shockwave Flash Object and then click on the Disable button
You can re-enable Adobe Flash by repeating the same process, selecting Shockwave Flash Object, and clicking on the Enable button.
Guidance for users of earlier versions of Internet Explorer is available on the Microsoft website; select the version of Internet Explorer you are using at the top right corner.
Firefox
- Open Firefox
- Open the browser menu and click Add-ons
- Select the Plugins tab
- Select Shockwave Flash and click Disable
You can re-enable Flash by repeating the same process, selecting Shockwave Flash, and clicking on the Enable button.
Chrome
- Open Chrome
- Enter chrome://plugins/ in the address bar and hit the Enter key
- Click the Disable link under the Adobe Flash Player plugin
You can re-enable Flash by repeating the same process and clicking the Enable link.