Today Adobe released a critical update for Flash Player, APSB16-08, that addresses 23 vulnerabilities. The update had been expected on Tuesday but was held back because of the last-minute inclusion of CVE-2016-1010, a vulnerability that is currently under targeted attack in the wild. A successful exploit of this vulnerability gives the attacker Remote Code Execution on the target machine. Attack vectors include malicious websites set up for the purpose of the attack and promoted through Search Engine Poisoning, “normal” websites that have been hacked and are under the control of the attacker, and e-mailed documents (Word, PDF) that include a malicious Flash component.
The vulnerability was found by Anton Ivanov at Kaspersky Labs.
Microsoft also released this delayed Flash update as an out-of-band addition to its Patch Tuesday lineup, as MS16-036. With that, we are changing our ranking of this month's security bulletins: MS16-036 now takes the highest priority, followed by MS16-023 for Internet Explorer.