A newly discovered zero-day vulnerability in Adobe Flash Player is being exploited by attackers in the wild. Adobe released a Security Bulletin (APSB16-36) yesterday, which patches the vulnerability (CVE-2016-7855).
The critical vulnerability affects Adobe Flash Player 23.0.0.185 and earlier versions for the following operating systems:
According to Adobe, an exploit for the vulnerability exists in the wild and is being used in limited, targeted attacks against users running Windows versions 7, 8.1, and 10.
Flash Player users are advised to immediately update to the latest version. Since this vulnerability is already being exploited in the wild, users should make updating this software a priority.
Users who have yet to patch can temporarily disable Adobe Flash in the browser by taking the following steps:
Internet Explorer versions 10 and 11
You can re-enable Adobe Flash by repeating the same process, selecting Shockwave Flash Object, and clicking on the Enable button.
Guidance for users of earlier versions of Internet Explorer is available on the Microsoft website; select the version of Internet Explorer you are using at the top right corner.
Firefox
You can re-enable Flash by repeating the same process, selecting Shockwave Flash, and clicking on the Enable button.
Chrome
You can re-enable Flash by repeating the same process and clicking the Enable link.
Symantec and Norton products protect customers from this threat with the following detection:
Intrusion Prevention