Pierluigi Paganini December 13, 2016

Adobe issued security patches that address multiple flaws in 9 products, including fixes for zero-day vulnerabilities that has been exploited in the wild.

Adobe has issued security updates to fix vulnerabilities in nine products, including patches for zero-day flaws that has been exploited in targeted attacks.

The version 24.0.0.186 of Flash Player addresses 17 vulnerabilities, some of them can be exploited by attackers for arbitrary code execution. The most severe vulnerability fixed by the updates is a use-after-free issue, tracked as is CVE-2016-7892, that was reported to Adobe by an individual who wanted to remain anonymous.

The remaining flaws in the Adobe Flash Player vulnerabilities were reported to the company by independent researchers and experts from multiple organizations, Pangu LAB, Tencent, Microsoft, CloverSec Labs, Qihoo 360, Trend Micro’s Zero Day Initiative (ZDI) and Palo Alto Networks.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.” reads the Adobe Security Bulletin.

“Adobe is aware of a report that an exploit for CVE-2016-7892 exists in the wild, and is being used in limited, targeted attacks against users running Internet Explorer (32-bit) on Windows.”

Adobe confirmed the existence in the wild of an exploit code for the CVE-2016-7892 vulnerability, the company also revealed that it was used in limited, targeted attacks against Windows users running a 32-bit version of Internet Explorer.

Adobe also issued other security updates that patch vulnerabilities in other products, including Animate, Experience Manager Forms, DNG Converter, InDesign, ColdFusion Builder, Digital Editions, and RoboHelp.

None of the above vulnerabilities had been exploited in the wild.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Adobe Flash , Zero-Day, hacking)