Adobe Patches 12 Critical Security Flaws and Keeps Flash Safe for One More Month


October 10, 2016

While many security experts say that Adobe should just discontinue Flash and save us all a world of trouble, the company seems entrenched in its decision to support Flash whatever it takes, and today it issued another security patch, which this month fixes 12 critical-level security flaws.

The update arrived like clockwork, on the same day Microsoft released security updates for its products.

Taking into account that Adobe classified the recent patch as “Priority 1” and “Critical,” this is a “must update” Flash version, which users shouldn’t delay installing.

Adobe patched 12 severe issues in Flash

This month’s heroes are security researchers from companies such as Tencent, Palo Alto Networks, COSIG, CloverSec Labs, and Trend Micro, who took the time to report vulnerabilities in Flash.

Eleven of the twelve vulnerabilities Adobe fixed this month lead to remote code execution on the user’s computer, which could potentially allow an attacker to take control of the affected system.

Adobe patched a type confusion vulnerability (CVE-2016-6992), use-after-free vulnerabilities (CVE-2016-6981, CVE-2016-6987), and memory corruption issues (CVE-2016-4273, CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6989, CVE-2016-6990). The twelfth issue is a bypass of Flash’s security measures (CVE-2016-4286), which is also something users would want to avoid.

There is no information to suggest that these vulnerabilities have been used in live attacks prior to Adobe’s October patch.

Updates for Flash running on Windows, Mac, and Linux have been released and are available for download. The latest Adobe Flash Player version numbers are 23.0.0.185 for Windows and Mac, and 11.2.202.637 for Linux distros.
