Adobe Flash Player 126.96.36.1997 is available. See first post for more details.
New vulnerability. Does not effect IE11.
Adobe is investigating reports that a zero-day flaw in Flash Player is being used by an exploit kit known as Angler. Following the Blackhole exploit kit's demise last year, Angler is the new "one to watch" this year, according to Cisco security researchers.
Malware researcher Kafeine discovered the attack on Flash Player yesterday in an instance of Angler that contains exploits for three Flash flaws - two old ones that Adobe has fixes for, and one new flaw that was not patched in last week's security update, which brought Flash for Mac and Windows up to version 188.8.131.527
Kafeine has run a partial analysis on which systems are affected by the Flash zero-day flaw. According to the company, Flash-enabled systems that the exploit works against include: Windows XP with Internet Explorer (IE) 6 to IE8, Windows 7 with IE 8, Windows 8 with IE 10, and Windows 8 with IE 10, and the Windows8-RT-KB3008925-x86 update.
MS thinks so as they released a patch today.
Microsoft security advisory: Update for vulnerabilities in Adobe Flash Player in Internet Explorer: January 22, 2015
This advisory mentions IE10 and IE11 in Windows 8
Looks like Flash 184.108.40.2067 also has an exploit and will be patched the week of Jan 26.
Adobe Product Security Incident Response Team (PSIRT) Blog | Working to help protect customers from vulnerabilities in Adobe software. Contact us at PSIRT(at)adobe(dot)com.
Adobe has fixed the exploit in 220.127.116.117 and it will be released starting soon.
JimUPDATE (January 24): users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 18.104.22.1686 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
New version 22.214.171.1245 being released.
JimUPDATE (February 4): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 126.96.36.1995 beginning on February 4. This version includes a fix for CVE-2015-0313. Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.