Check Windows Update, as Microsoft has just released a new patch for the notoriously insecure Adobe Flash Player running on the equally notoriously insecure Internet Explorer and Microsoft Edge.

According to the patch notes, an attacker could execute malicious code on an affected system by directing users to a specially crafted website designed to exploit the vulnerabilities.

In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.

The patch updates affected Flash Player libraries on Internet Explorer 10, Internet Explorer 11 and Microsoft Edge running on Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. As such, if you regularly use Internet Explorer or Microsoft Edge, it would probably be a good idea to apply the update.

 

Source: Microsoft