Two days ago we wrote about CVE-2016-4171, a security vulnerability that doesn’t have a fancy name, but if it did, it might be FourthTimeUnlucky.
That’s the bug that necessitated the fourth Adobe zero-day Flash update in four months, following similar patches that shipped in March, April and May 2016.
A zero-day is a security exploit that comes out before any updates were available, thus giving even the most zealous sysdamin zero days of advance warning to patch against it.
And a security exploit is a bug that crooks can use not only to crash your computer, but also to gain control over it from the other side of the world without warning.
The silver lining, if you want to find one, is that some zero days, being new and not very well tested, don’t work reliably on all computers.
Furthermore, not all zero days are immediately widely available in the cybercriminal underground, because the crooks who figured them out want to keep them to themselves for a while.
But that’s only if you want to find a silver lining.
Any zero-day exploit needs to be treated as a leaden thundercloud, with heavy rain and lightning strikes likely.
As regular readers will know, we regularly repeat the mantra “Patch early, patch often” as a way of staying ahead of the crooks as much as you can…
…but when it comes to zero days, you can replace that saying with “Patch right now.”
With that in mind, make sure you’ve received Adobe’s latest patch for Flash, which the company said it would deliver this week, in double-quick time, and did.
If you haven’t installed the patch yet, make sure that’s because you don’t have Flash installed at all, so there’s nothing to patch.
More and more people are learning to live without Flash plugged into their browser, because most sites these days work perfectly well without it. (If they didn’t, they wouldn’t work with iOS or Android, neither of which have support for Flash at all.)
The new version numbers to look out for are:
- Flash Player Desktop Runtime 22.0.0.192 (Windows and Mac), from Adobe.
- Flash Player Extended Support Release 18.0.0.360 (Windows and Mac), from Adobe.
- Flash Player for Google Chrome 22.0.0.192 (Windows, Mac, Linux and ChromeOS), from Google.
- Flash Player for Microsoft Edge and IE 11 22.0.0.192 (Windows 8.1 and 10), from Microsoft.
- Flash Player for Linux 11.2.202.626, from Adobe.
Note. If you’re a Sophos customer, and you want to measure how widespread Flash is inside your organisation, with a view to blocking it for safety’s sake, you can do both of these with Sophos’s Application Control feature.
Go Flash-free
Flash? Pah! Dont’ fix it, ditch it.
Spryte
I “ditched” Flash Player years ago but I fin I have “Air”(???) on my new laptop.
What the heck is it needed for? ( I can’t figure out what needs it.)
Can I safely ditch it too?
Paul Ducklin
It’s a different Adobe multimedia runtime. If you don’t know why it’s there or what it does…why not ditch it and see what happens :-)
Spryte
Done !! and all seems to be working properly.
Susan V. Hogan
ScarCruft’s targets are not home users, but high profile enterprises and organizations around the world. Nevertheless, all users are advised to upgrade to the newest Flash Player version as soon as possible.
For one, it’s likely that the patch will be reverse-engineered very quickly, an exploit created and added to an exploit kit to target all users who are casual with keeping their software updated.