Adobe has patched several vulnerabilities in its Flash Player and Shockwave Player that, in the worst case, allow an attacker to take full control of the computer. According to Adobe, there are no indications that the vulnerabilities were actively attacked before the updates were released.
In total, 9 vulnerabilities in Adobe Flash have been marked as critical. Visiting a malicious or hacked website, viewing a malicious advertisement or opening a Microsoft Office file with an embedded Flash object was sufficient to infect users with malware.
Adobe advises Mac and Windows users to update to Flash Player 22.214.171.124 within 72 hours. This can be done through the automatic update function or via Adobe.com. Linux users can install the update when suitable. Adobe bases this advice on past experience and the likelihood that Flash Player on a specific OS is attacked.
In the case of Google Chrome, Internet Explorer 11 on Windows 8.1, and Internet Explorer 11 and Edge on Windows 10, the embedded Flash Player will be upgraded through the browser. A page on the Adobe website makes it possible to check which version is currently installed.
Adobe has stated it’s unaware of attacks that exploit the patched vulnerabilities.
Besides the patches for Adobe Flash Player, a security update for Adobe’s Shockwave Player has also been released. The browser plugin is installed on more than 450 million PCs, according to Adobe’s website. The update resolves a vulnerability that, in the worst case, allows an attacker to take full control of the system, similar to several vulnerabilities in Flash Player.
Because Adobe expects that cybercriminals will not soon exploit the vulnerability, the company advises installing the patch within 30 days. In contrast to Flash Player, Shockwave Player doesn’t feature an automatic update function, which means users have to manually download and update to version 126.96.36.199.