Adobe addresses new 'actively exploited' critical vulnerability in Flash, users urged to update

Yet another severe flaw in Adobe's much-maligned Flash Player has been discovered and is being "actively exploited," the company said on Tuesday, and users with Flash installed are being urged to upgrade to the latest version as soon as possible.

The flaw — assigned CVE ID 2015-3113 — affects Flash Player version 18.0.0.161 and earlier as well as Flash Player Extended Support Release version 13.0.0.292 and earlier on both Windows and Mac. In a security advisory, Adobe said it is aware of "limited, targeted attacks" exploiting this flaw, though known attacks are limited to Windows systems for now.

According to the National Vulnerability Database, CVE-2015-3113 is a "heap-based buffer overflow" which "allows remote attackers to execute arbitrary code via unspecified vectors."

Mac users with Flash installed separately should update to version 18.0.0.194. Those who have Flash Player's automatic update capability enabled — or those who use Chrome, which ships its own version of Flash — should have already received the patch.

Users can check the version of Flash installed on their system by visiting Adobe's About Flash Player page or right-clicking on Flash content in their browser and choosing "About Adobe (or Macromedia) Flash Player" from the contextual menu. Instructions for enabling automatic updates or manually updating Flash can be found here.