What’s that you say? A critical vulnerability in Flash?
Why yes.
In news that will surprise nobody, all versions of Flash prior to 28.0.0.161 are harbouring a critical vulnerability that crooks could use to sneak malware on to your computer. Adobe lists this as a priority 2 update, meaning that it hasn’t seen any attacks against this vulnerability in the wild.
Don’t let that assessment, or Flash vulnerability fatigue, be an excuse not to act – it’s not safe to use version 28.0.0.161 of Flash so update it now or, better yet, ditch it entirely.
To understand why urgency is important you need to understand how Flash vulnerabilities can be used against you.
Adobe warns that successful exploitation of the vulnerability could lead to “arbitrary code execution in the context of the current user”. Remote Code Execution (RCE) flaws like this allow hackers to force your computer into running malware.
In the case of a Flash vulnerability like this one, all you have to do is look at the wrong booby-trapped website. Looking at the site is as good as actually downloading a virus and double clicking on it to run it, as far as your computer is concerned.
And we aren’t talking about a danger posed by one or two sites. Cybercriminals are in the business of compromising as many websites as they can.
It’s a numbers game. The danger to you isn’t that you’ll be targeted specifically (unless you’re a high value target), it’s that you’ll be caught in a cybercriminal’s drift net.
To target website visitors in this way the criminals need bugs in browsers or browser plugins that lots and lots of us use. Flash is a perfect candidate because it’s widely deployed and as leaky as a sieve.
And, oh my, are Flash vulnerabilities popular.
The last time we warned you about a critical Flash vulnerability being exploited in the wild was just last month. There was another 0-day in the wild four months before that, in October 2017.
It wasn’t so long ago that Adobe had to bandaid four 0-day patches in four months, releasing critical updates in March, April, May and June of 2016.
That’s not to be confused with the run of 0-days at the start of 2015 when Adobe’s 14 January patch Tuesday was followed by three more emergency updates on 23 January, 24 January and 3 February.
And those are just the lowlights.
What to do?
Adobe advises that users of Google Chrome will get the update automatically, as will users of Microsoft Edge or Internet Explorer 11 on Windows 10 and Windows 8.1
For everyone else they suggest:
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right- click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system…
…Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 29.0.0.113 via the update mechanism within the product or by visiting the Adobe Flash Player Download Center.
My advice? Sticking with Flash is what the cybercriminals most want you to do.
Adobe is calling time on Flash at the end of 2020. History suggests it’ll be a lively three years for Flash holdouts. The best way to protect yourself? Don’t be one of them.
MrGutts
Dear Flash, Just go away forever.
Andrew Ludgate
Do any of these exploits apply to flash objects that have been wrapped in HTML5 instead of using Adobe’s Flash plugins?
Mark Stockley
This vulnerability is for the player which (without checking them all) I’m pretty sure the others are too.
Now please tell me you’re only wrapping Flash in HTML5 because it’s easier for HTML5 to squeeze the life out of it that way!