Yesterday Adobe released their January 2016 Flash Player and Adobe AIR (its application runtime) security updates ahead of schedule to address a critical zero-day (defined) security vulnerability designated as CVE-2015-8651.
The updates address 19 security vulnerabilities (more formally known as CVEs (defined)). At the time of writing neither Google nor Microsoft has made available the relevant updates for Google Chrome (v47.0.2526.106, Stable 64 bit has not received this update) and Microsoft Edge/Internet Explorer (respectively). This is most likely due to the holiday period. Microsoft should announce the availability of their Flash update by updating this security advisory for users of Microsoft Edge on Windows 10 and Internet Explorer 10 and 11 installed on Windows 8.0 and 8.1 (respectively).
Update 1: 29th December 2015:
Microsoft have now updated their security advisory. Update kb3132372 (no active web site link yet) is now available for Windows 10, 8.1 and 8.0 users.
Update 2: 31st December 2015:
Google updated Chrome (v47.0.2526.106)(Stable, 64 bit) to Flash Player v220.127.116.117 within hours of the above-mentioned update from Microsoft. Apologies for not updating this post sooner.
I’m very impressed that they both made available the appropriate updates so quickly especially during the holiday period.
Adobe and Symantec have stated that limited targeted attacks are exploiting the above-mentioned zero-day vulnerability. SecurityWeek elaborates on these attacks, stating that they are spear phishing attacks (defined).
Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). The use of this alternative link is now deprecated and will be decommissioned by Adobe on the 22nd of January 2016.
In addition, please follow my recommendation to enable the ASR mitigation of Microsoft EMET as detailed in this post in order to mitigate against Flash-based vulnerabilities being exploited in applications that can open Microsoft Office documents and/or Adobe PDF files.