Microsoft has release, December 29th 2015, an emergency patch, with the updated of one security advisory concerning Adobe Flash Player.
Microsoft Security Advisory 2755801
MSA-2755801,released during September 2012, has been updated. The security advisory is concerning updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10, Internet Explorer 11 and Microsoft Edge. KB3132372 has been released for supported editions of for:
- Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT;
- Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10;
- Microsoft Edge on Windows 10.
The update addresses the vulnerabilities and Adobe Flash Player 0day (CVE-2015-8651) described in Adobe Security bulletin APSB16-01.
Application of KB3132372 could lead to limited application crashes on Windows 10.
Adobe has release, the December 28th 2015, an emergency patch for Adobe Flash Player dealing with 19 vulnerabilities. This security bulletin has a Critical severity rating.
APSB16-01 is concerning:
- Adobe Flash Player Desktop Runtime 18.104.22.168 and earlier for Windows and Macintosh
- Adobe Flash Player Extended Support Release 22.214.171.1248 and earlier for Windows and Macintosh
- Adobe Flash Player for Google Chrome 126.96.36.199 and earlier for Windows, Macintosh, Linux and ChromeOS
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 188.8.131.52 and earlier for Windows 10
- Adobe Flash Player for Internet Explorer 10 and 11 184.108.40.206 and earlier for Windows 8.0 and 8.1
- Adobe Flash Player for Linux 220.127.116.114 and earlier for Linux
- AIR Desktop Runtime 18.104.22.168 and earlier for Windows and Macintosh
- AIR SDK 22.214.171.124 and earlier for Windows, Macintosh, Android and iOS
- AIR SDK & Compiler 126.96.36.199 and earlier for Windows, Macintosh, Android and iOS
- AIR for Android 188.8.131.52 and earlier for Android
In particular, a vulnerability with CVE-2015-8651 identifier, that has been discovered by Kai Wang and Hunter Gao of Huawei’s, is reporting exploited in the wild in limited targeted attacks. No details have been provided on this vulnerability, but surely it is time to patch otherwise why did Adobe release an emergency patch during Christmas period, a coordinated disclosure for limited targeted attacks would have been sufficient and could have wait beginning of January.