Adobe Security Advisory

Security Advisory for Adobe Flash Player

Release date: April 5, 2016

Last updated: April 6, 2016

Vulnerability identifier: APSA16-01

CVE number: CVE-2016-1019

Platforms: Windows, Macintosh, Linux and Chrome OS

Summary

A critical vulnerability (CVE-2016-1019) exists in Adobe Flash Player 21.0.0.197 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier. A mitigation introduced in Flash Player 21.0.0.182 currently prevents exploitation of this vulnerability, protecting users running Flash Player 21.0.0.182 and later.

Adobe is planning to provide a security update to address this vulnerability as early as April 7. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.

Mitigations

A mitigation introduced in Flash Player 21.0.0.182 currently prevents exploitation of this vulnerability, protecting users running Flash Player 21.0.0.182 and later. Adobe recommends users of Adobe Flash Player, who have not already done so, immediately update to the current version of Flash Player via the update mechanism within the product or by visiting the Adobe Flash Player Download Center. If you use multiple browsers, install the update in each browser you have installed on your system.

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
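As an added example (not part of this advisory and not Adobe tooling), the following Python helper applies the two version thresholds stated above to a list of installed Flash Player versions and separates hosts that are protected by the 21.0.0.182 mitigation from hosts that are not; the host inventory and version strings are constructed for illustration.

```python
# Triage helper for APSA16-01 (added example, not Adobe's code).
# Thresholds from the advisory: CVE-2016-1019 affects 21.0.0.197 and
# earlier; the mitigation that blocks the known exploit shipped in
# 21.0.0.182. Versions are assumed to be dotted decimals ("21.0.0.182").
from typing import List, Tuple

AFFECTED_MAX = (21, 0, 0, 197)   # this version and earlier are vulnerable
MITIGATED_MIN = (21, 0, 0, 182)  # mitigation present from this version on


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'a.b.c.d' into a 4-tuple, padding missing fields with 0."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash Player version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def triage(version: str) -> str:
    """Classify an installed Flash Player version against APSA16-01."""
    v = parse_version(version)
    if v > AFFECTED_MAX:
        return "not affected"
    if v >= MITIGATED_MIN:
        return "affected, mitigated (known exploit blocked; update when the fix ships)"
    return "affected, unmitigated (known exploit works; update now)"


# Constructed sample inventory: (host, browser, version). Not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "Internet Explorer", "20.0.0.306"),
    ("ws-02", "Firefox", "21.0.0.182"),
    ("ws-03", "Chrome", "21.0.0.197"),
    ("ws-04", "Firefox", "21.0.0.200"),  # constructed post-fix version
]


def unmitigated_hosts(inventory) -> List[Tuple[str, str, str]]:
    """Return inventory rows whose Flash Player has no mitigation in place."""
    return [row for row in inventory
            if triage(row[2]).startswith("affected, unmitigated")]


if __name__ == "__main__":
    for host, browser, ver in SAMPLE_INVENTORY:
        print(f"{host:6} {browser:18} {ver:12} {triage(ver)}")
```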

Severity ratings

Adobe categorizes this as a critical vulnerability.

Acknowledgments

Adobe would like to thank Kafeine (EmergingThreats/Proofpoint) and Genwei Jiang (FireEye, Inc.), as well as Clement Lecigne of Google for reporting CVE-2016-1019 and for working with Adobe to help protect our customers.

Revisions

April 6, 2016: Expanded the Windows Operating Systems targeted by the exploit for CVE-2016-1019 to include all versions (Windows 10 and earlier). This advisory previously referenced only Windows 7 and XP.