Adobe Flash zero-day patch is out…for the third month in a row

At the risk of sounding like a stuck gramophone - Adobe just pushed out a Flash update that patches a zero-day hole.

At the risk of sounding like a gramophone record that is stuck in a groove…

…for the third month in a row, Adobe has pushed out a Flash update that patches a zero-day hole.

A zero-day is a bug that the crooks start using before a patch is available, thus giving even the most zealous and patch-happy sysadmin zero days to get ahead of the game.

Adobe warned of the problem in security advisory APSA16-02, issued earlier this week, announcing that it hoped to get a fix ready “as early as May 12.”

The company hit that target, announcing the latest Flash update in APSB16-15, issued today.

25 bugs fixed

Mind you, don’t grab this update just because of the zero-day.

Adobe patched 25 security bugs in all, divided into six different categories of flaw, including various sorts of buffer overflow and memory mismanagement.

All of them are listed as “could lead to code execution,” meaning that a well-informed crook could run malware on your computer without warning by sending your browser a booby-trapped Flash file.

As mentioned above, one bug – denoted CVE-2016-4117 – not only could be used to fire up malware, but already is being used.

Understandably, details about exactly where this exploitable hole has been deployed, and how, have not yet been disclosed.

Anyway, even if we could give you a malware name to look out for right now, the crooks could change their attack with a moment’s notice.

Most Flash attacks don’t embed the final malware in their booby-trapped Flash files; instead, they embed a small downloader component that goes out online to fetch the real deal.

That means you can’t tell what malware you’re going to get until the last moment, and it means the crooks can vary the payload to suit themselves, based on a variety of factors such as where you are, what operating system you are running, what other apps you have installed, and so on.

Ironically, that’s very similar to how Flash handles its own updates: the Flash updater downloads an installer, and just when you’re delighted how small and fast the update was, the installer goes back online and downloads the actual update.

What to do?

As regular readers will know, we recommend uninstalling Flash if you can.

If you can’t do without it, we recommend turning it off whenever you don’t need it.

In fact, we need it so occasionally that we download it every time we need it, install it, use it, then uninstall it altogether and delete it.

That way, we can’t leave it on by accident, and we make sure we’ve got the latest version every time we need it.

That’s a mild annoyance, to be sure, but it helps us remember why we didn’t want Flash in the first place.

Adobe lists its updated version numbers as: Flash 21.0.0.242 for Windows and OS X, and Extended Support Release 18.0.0.352 for Windows and OS X. Confusingly, and presumably incorrectly, Flash 11.2.202.616 is listed as both the “affected version” and the “updated version” for Linux. (Update. Now fixed by Adobe to give 11.2.202.621 as the updated version [2016-05-12T17:40Z].)
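Added example (not code from the article or from Adobe): a small Python helper that compares a reported Flash version against the fixed versions listed above, so an administrator can flag machines still on a vulnerable build. The branch mapping (major version 18 on Windows/OS X is the Extended Support line, everything else on those platforms is the main release line) and the inventory data are assumptions made for the example.

```python
# Fixed builds per branch, as listed in APSB16-15 and quoted in the article.
# The Linux number is the corrected 11.2.202.621 from the article's update note.
FIXED_VERSIONS = {
    "release": (21, 0, 0, 242),   # Flash 21.x for Windows and OS X
    "esr":     (18, 0, 0, 352),   # Extended Support Release 18.x
    "linux":   (11, 2, 202, 621), # Linux plugin
}


def parse_version(text: str) -> tuple:
    """Turn '21.0.0.242', '21,0,0,242' or 'WIN 21,0,0,242' (the comma form
    Flash itself reports) into a 4-tuple of ints that compares correctly."""
    token = text.strip().split()[-1]            # drop a leading platform word
    parts = token.replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version_text: str, platform: str) -> bool:
    """True if the reported version is at or above the fixed build for its
    branch. Branch choice is an assumption: Linux uses the 11.2 line; on
    Windows/OS X a major of 18 means ESR, anything else the main release."""
    version = parse_version(version_text)
    if platform == "linux":
        branch = "linux"
    elif platform in ("windows", "osx"):
        branch = "esr" if version[0] == 18 else "release"
    else:
        raise ValueError(f"unknown platform: {platform!r}")
    return version >= FIXED_VERSIONS[branch]


# Constructed sample inventory (hostname, platform, reported Flash version).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "21.0.0.213"),       # pre-patch release build
    ("ws-02", "windows", "WIN 21,0,0,242"),   # exactly the fixed build
    ("mac-03", "osx", "18.0.0.343"),          # ESR, one build behind
    ("lx-04", "linux", "11.2.202.616"),       # the originally listed Linux build
    ("lx-05", "linux", "11.2.202.621"),       # corrected Linux fixed build
]


def unpatched_hosts(inventory) -> list:
    """Return hostnames whose Flash is still below the fixed build."""
    return [host for host, platform, ver in inventory
            if not is_patched(ver, platform)]


if __name__ == "__main__":
    print("Still vulnerable:", unpatched_hosts(SAMPLE_INVENTORY))
```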


8 Comments

I’m using google chrome as my default browser. I’ve already disabled flash in the chrome://plugins tab, but how can I get rid of it completely?

Last time I uninstalled Flash I had to go to the Adobe Flash site to get an uninstall program.
It was a couple of years ago and I haven’t saved the URL but you should be able to use your favourite search engine to find it.

Adobe should just open source it and get it fixed properly once and for all. Maybe they should get the Google zero day team on the case? Either that or hand it over to IBM’s Watson and teach it what a buffer over / underflow looks like and then fix all the problems.

I would like to get rid of it but there are still far too many websites using Flash (the BBC springs to mind and a lot of podcasters use it too).

In my experience, there are very few sites that *require* Flash. The BBC is one of the few mainstream ones, and that is IMO to the BBC’s shame. I decided to go elsewhere. As for podcasts…if it’s an indie podcast and you like it that much, write to them and tell them they are letting the side down :-) Or download the podcast via RSS and listen to it locally from the MP3.

Be aware that if you have Flash in “click-to-play” (a.k.a. “ask to activate”) mode, even sites that don’t need Flash will try to use it, because your browser reports that it’s available. There is generally no easy way (once the site has decided you do have Flash installed) to convince the page to reload with Flash support turned off. That can give a skewed impression of how many sites *need* Flash, rather than how many sites simply use it if they can but would happily use HTML5 otherwise.

Hey. Nice feature for Firefox. In the “click to play” window, a button to enable Flash, and a button to reload the page with Flash turned off altogether. Would make it easy to zoom in on the sites that truly need Flash.

The absurd thing is that neither Android nor iOS has Flash at all, and we all seem to manage just fine :-(

I used to have Flash disabled in Firefox. Last year I removed Flash completely from my laptop. Do I miss it? No, not in the least. HTML5 and CSS3 make Flash increasingly redundant.

With so many security risks, and companies moving away from the plugin, it’s clear that Flash’s days are numbered.
