Adobe Systems released a security update for Flash Player to fix 24 critical vulnerabilities, including one that hackers have been exploiting to infect computers with ransomware over the past week.
The company advised users Thursday to upgrade to the newly released Flash Player 18.104.22.168 on Windows and Mac and Flash Player 22.214.171.1246 on Linux. The Flash Player Extended Support Release was also updated to version 126.96.36.1993.
As usual, the Flash Player build bundled with Google Chrome on all platforms, Microsoft Edge and Internet Explorer for Windows 10 and IE for Windows 8.1 will be upgraded automatically through the update mechanisms of those browsers.
Twenty-two of the newly patched vulnerabilities can result in remote code execution on users’ computers, one can lead to a security feature bypass and one can be used to bypass the memory layout randomization mitigation that’s supposed to make exploitation harder in general.
The highlight of this update is the fix for an actively exploited vulnerability tracked as CVE-2016-1019. According to security researchers from Proofpoint, an exploit for this flaw has been used in Web-based attacks to infect computers with file-encrypting ransomware programs since at least March 31.
Fortunately the exploit for CVE-2016-1019 observed in the wild only worked against Flash Player 188.8.131.526 and earlier. Users who had Flash Player 184.108.40.206, released in March, were protected because the exploit doesn’t properly execute on this version and only results in a crash.
The code defect itself does exist in Flash Player 220.127.116.11, but a heap mitigation added by Adobe in that version prevents the bug’s exploitation for remote code execution.
The company has been strengthening the Flash Player heap—the region of memory where the program stores variables—since last year, first in collaboration with Google and then on its own. It seems that those efforts, aimed at making the exploitation of memory corruption vulnerabilities harder, are paying off.