Flash Player did announce an Advisory on Patch Tuesday (APSA16-02) announcing a Zero Day vulnerability (CVE-2016-4117) which was detected in exploits in the wild. The update for the Zero Day did not drop on Patch Tuesday. Instead it was released on Thursday this week (May 12th) as bulletin APSB16-15.
As many of you are familiar with already, updating Adobe Flash Player is not a simple matter of updating a single product. If you are running Internet Explorer, Chrome and Firefox and are using the Flash Player Plug-In you could have three more variations of Flash Player that need updating to fully resolve the vulnerabilities in a new release. That is where the confusion set in this week.
On Patch Tuesday, Microsoft released MS16-064, which was the Critical update for Adobe Flash Player as it is bundled in Windows OS and IE versions. This update documented the 24 fixes initially planned for release by Adobe in bulletin APSB16-15, but did not include the Zero Day vulnerability (CVE-2016-4117). Today (Friday May 13th) Microsoft re-released MS16-064 to address the slight version update that included the exploited vulnerability.
What is a bit uncertain at the moment is Chrome. When Flash Player updates occur, Chrome also needs to be updated to support the newer version of the Flash Player Plug-In. The Chrome update this week came out before the Flash Player Zero Day was resolved. Does this mean that they are only supporting the initial drop similar to Microsoft releasing on Patch Tuesday?
I will be doing my typical Patch Tuesday Round Up next week and will try to have answers by then on if there is still a bit of Zero Day hanging on the spring breeze or if we are good.
For updates like this and more relating to Patch Tuesday check out our webinars page for upcoming Patch Tuesday webinars and on-demand playback of previous Patch Tuesday webinars and presentations for download.